SOA, Kerberos, IIS, and Security Best Practices - Alik Levin

Alik Levin

The world of a Microsoft consultant

SOA, Kerberos, IIS, and Security Best Practices

With all these buzzwords, no single blog post is enough; each of them fills several heavy books...

I'd like to point out a couple of things I have been dealing with recently.

Web services hosted in IIS are the most common technology today for implementing distributed systems [call it SOA].

When hosting web services on IIS 6.0 it is best practice to give each of them its own process isolation, which is what an Application Pool (a separate w3wp.exe worker process) provides.

It is best practice to give each process [Application Pool] its own security context, configured on the Identity tab of the Application Pool properties. If the web service needs to access network resources, the account needs to be a domain account [there is a workaround for workgroups too: create two identical local accounts, same name and same password, on the requesting and target machines].
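As an added example (not code from the original post), this is how the two recommendations above look when scripted against the IIS 6.0 metabase with the adsutil.vbs script that ships in Inetpub\AdminScripts: one Application Pool per service, each running under its own domain account. The pool names, the site id 1, the virtual directory paths and the CONTOSO\svc_* accounts are assumptions; the individual commands are the same ones you would type in cmd.exe, only the loop is PowerShell.

```powershell
# Added example: one application pool per web service, each with its own
# domain account, configured through the IIS 6.0 metabase (adsutil.vbs).
$adsutil = "$env:SystemDrive\Inetpub\AdminScripts\adsutil.vbs"

# Assumed names: each service gets its own pool and its own domain account.
$services = @(
    @{ Pool = "OrdersPool";  VDir = "W3SVC/1/ROOT/Orders";  User = "CONTOSO\svc_orders"  },
    @{ Pool = "BillingPool"; VDir = "W3SVC/1/ROOT/Billing"; User = "CONTOSO\svc_billing" }
)

foreach ($s in $services) {
    $pool = "W3SVC/AppPools/$($s.Pool)"

    # Ask for the password at run time instead of hard-coding it in the script.
    $pass = Read-Host "Password for $($s.User)"

    # 1. Create the pool: a separate worker process, i.e. a separate security boundary.
    cscript //nologo $adsutil CREATE $pool IIsApplicationPool

    # 2. The Identity tab: AppPoolIdentityType 3 = "Configurable" (a specific user).
    #    The default, 2, is Network Service, which presents the machine account
    #    on the network and is shared by every pool that uses it.
    cscript //nologo $adsutil SET "$pool/AppPoolIdentityType" 3
    cscript //nologo $adsutil SET "$pool/WAMUserName" $s.User
    cscript //nologo $adsutil SET "$pool/WAMUserPass" $pass

    # 3. A custom pool identity must be a member of IIS_WPG, otherwise the
    #    worker process fails to start (the pool is disabled by rapid-fail protection).
    net localgroup IIS_WPG $s.User /add

    # 4. Move the application (virtual directory) into its own pool.
    cscript //nologo $adsutil SET "$($s.VDir)/AppPoolId" $s.Pool
}

# Verify: every pool reports a different WAMUserName.
foreach ($s in $services) {
    cscript //nologo $adsutil GET "W3SVC/AppPools/$($s.Pool)/WAMUserName"
}
```

The password goes into WAMUserPass, which the metabase stores encrypted, so the only place it appears in clear is the interactive prompt. Keep the "Log on as a service" right and local administrator membership away from these accounts; IIS_WPG is all the worker process needs.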

It is best practice to use the strongest platform authentication mechanism available [leaving client certificates aside this time], which is Kerberos.

To flow the Windows identity of the original caller across the physical tiers one must use Kerberos together with the Windows 2000/Windows 2003 delegation feature [NTLM cannot delegate: the tier that authenticated the caller with NTLM holds nothing it could forward to the next hop].

And here is the catch: when the Application Pool runs under a custom domain account, Kerberos fails [the HTTP SPN for the site's host name is registered on the machine account, which is what Network Service presents, not on the custom account], and one ends up forcing NTLM authentication.

So here is the dilemma:

1. If I need to flow the identity across the tiers then I need Kerberos, so I need to run my App Pool under an account to which I can assign the HTTP SPN [only one account can hold the SPN for a given HTTP service name]:

Note: You can only have a single SPN associated with any HTTP service (DNS) name, which means you cannot create SPNs for different service accounts mapped to the same HTTP server unless they are on different ports. The SPN can include a port number.

That means I cannot get process isolation: every Application Pool that answers on the same host name has to run under the one account that holds that host name's SPN. [The only way out, if the deployment allows it, is a separate host name or port per pool, each with its own SPN on its own account.]

2. If I need process isolation and give each App Pool its own domain account, I need to downgrade to NTLM. Which is OK, but everyone seems to like Kerberos :-).

In this case I cannot get delegation, i.e. no Windows identity flow across the tiers.
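The following is an added example, not part of the original post, showing the way out of the dilemma that the Note above leaves open: give each pool its own host name so that each pool account can own its own HTTP SPN, check Active Directory for SPNs that are missing or duplicated (the two states in which Kerberos silently falls back to NTLM or fails outright), and then enable constrained delegation from each pool account to one back-end service. The host names orders.contoso.com and billing.contoso.com, the svc_* accounts and the SQL Server SPN are assumptions; setspn.exe and the System.DirectoryServices classes are real and used only with calls that exist.

```powershell
# Added example: one host name (and so one HTTP SPN) per application pool,
# a duplicate-SPN check, and constrained delegation to a single back end.
$domain   = "CONTOSO"
$backend  = "MSSQLSvc/sql01.contoso.com:1433"   # the only service the pools may delegate to
$services = @(
    @{ Host = "orders.contoso.com";  User = "svc_orders"  },
    @{ Host = "billing.contoso.com"; User = "svc_billing" }
)

# Return the sAMAccountName of every account that holds the given SPN.
# Kerberos needs exactly one owner: zero means the KDC cannot issue a ticket
# (clients fall back to NTLM), two or more means "duplicate SPN" failures.
function Get-SpnOwners([string]$spn) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(servicePrincipalName=$spn)"
    [void]$searcher.PropertiesToLoad.Add("sAMAccountName")
    $searcher.FindAll() | ForEach-Object { $_.Properties["samaccountname"][0] }
}

foreach ($s in $services) {
    $spn    = "HTTP/$($s.Host)"
    $owners = @(Get-SpnOwners $spn)

    if ($owners.Count -eq 0) {
        # Register the SPN on the pool's own account. setspn -A does not check for
        # duplicates (setspn -S, which does, exists only on Windows Server 2008 and later),
        # hence the lookup above.
        setspn -A $spn "$domain\$($s.User)"
    } elseif ($owners.Count -eq 1 -and $owners[0] -ne $s.User) {
        Write-Warning "$spn is owned by $($owners[0]), not $($s.User): Kerberos to this pool will fail"
    } elseif ($owners.Count -gt 1) {
        Write-Warning "$spn is duplicated on: $($owners -join ', ')"
    }

    # Constrained delegation (Windows Server 2003 domain functional level): the pool
    # account may request tickets on behalf of the impersonated caller for the SQL
    # Server SPN only, instead of "trusted for delegation" to any service.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(sAMAccountName=$($s.User))"
    $account = $searcher.FindOne().GetDirectoryEntry()
    if ($account.Properties["msDS-AllowedToDelegateTo"] -notcontains $backend) {
        [void]$account.Properties["msDS-AllowedToDelegateTo"].Add($backend)
        $account.CommitChanges()
    }
}
```

Two things to keep in mind when you run something like this. The IIS side still needs a host header (or a separate site) per service so that each host name really lands in its own pool; the SPN alone does not route requests. And prefer distinct host names over distinct ports: Internet Explorer and the .NET HTTP client ask the KDC for HTTP/hostname without the port by default, so a port-qualified SPN is usually never requested.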

Cheers

Posted: Dec 05 2006, 01:05 PM by alikl | with 8 comment(s)

Comments

Sergei Gorlovetsky wrote:

Hi Alik, Thanks for the great post! One thing is missing for me: the delegation problem in the case where an ASP.NET application calls the WS layer on the same machine and the WS layer calls a SQL Server that is running on another machine. In this case the WS doesn't delegate the original caller's credentials to the SQL machine. I'd appreciate your opinion. Thanks in advance.
# December 7, 2006 7:22 AM

alikl wrote:

Thanks for reading my brain dump :-)

A couple of questions:

1. Did you ever manage to accomplish the delegation scenario in your environment?

2. Did you try accessing the WS from the client machine? Does delegation work?

3. Did you try running the ASP.NET app on the client machine, separating the ASP.NET UI from the WS tier?

4. Did you follow the "How-to" above for delegation?

5. Is it IIS 5 [Win2k] or IIS 6 [Win2k3]? Did you take the differences into account? There are some.

6. Why access the WS on the same machine at all? WS is a technology for network object invocation/activation. In your scenario it is on the same machine.

# December 10, 2006 2:22 PM

Yossi T wrote:

Hi Alik, Thanks for making this public knowledge ;) BTW we are in production now with this solution and it seems to work rather well. As for number 6 in your response to Sergei, the reason for doing a local call to the WS is to decouple apps and start a SOA migration. The purpose is to prepare your application, hosted together on a single machine, to be able to scale up with no code change at all. For Sergei: check the whole chain of impersonation and identity - IIS 6 is making calls locally as Kerberos only, not NTLM. Also make sure you set Default Credentials for all WS proxies.
# December 24, 2006 8:20 AM

alikl wrote:

Yossi!

Happy to hear it works well in production!!

This post would not happen without you - THANKS!!

# December 24, 2006 9:22 AM

alik levin's wrote:

I've previously blogged about SOA Security Inside Enterprise walls This time I had couple of pretty interesting

# January 29, 2007 8:54 AM

alik levin's wrote:

reposted from here I've previously blogged about SOA Security Inside Enterprise walls This time I had

# May 30, 2007 3:47 PM

alik levin's wrote:

I just finished building another security workshop that covers authentication and identity technologies

# May 31, 2007 10:10 PM

Vadim wrote:

Regarding your post "SOA, Kerberos, IIS, and Security Best Practices": look at this - can it really work? See the part "Duplicate SPN": http://www.adopenstatic.com/cs/blogs/ken/archive/2006/11/19/606.aspx
# July 15, 2007 12:01 PM