
Windows authentication between services in the same domain without Kerberos delegation

We have two intranet applications both hosted on the same domain, both hosted on IIS, both using Windows Authentication, but hosted on DIFFERENT Windows 2008 servers.

My goal is to have ASP.net web application A call the service B. I also want A to pass the logged-in user's authentication information to B.

One thing, I want to avoid Kerberos delegation, because of the hassle of setting it up and also the security concerns.

Can you please recommend ways to achieve my goal?

I'm not sure how you think you can securely authenticate B from A without doing delegation.

If you're not concerned about doing this securely you can just pass the username in the request and impersonate on the far side.

Alternatively you can stuff the authenticated information into a token (JWT, SAML, etc.), sign it with a shared secret, and include it with the request. Then server B can validate it using the shared secret and impersonate as necessary. This does mean you need to make sure both servers know the secret, and figure out how to generate the token.

Delegation is the smart way to go here though. You don't have to figure out impersonation or build out a way to mint and validate tokens. It's primarily configuration driven.
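The shared-secret token approach from the answer above, as an added example that is not part of the original question or answer and is not code from either poster: application A mints a short-lived HS256 JWT carrying the already-authenticated Windows user name, and service B validates the signature, the algorithm, the audience and the expiry before impersonating. It uses only the Python standard library so it runs offline; the secret, the audience name `urn:intranet:service-b`, the user name and the clock values are constructed for the example, and in the real deployment the secret would be distributed out of band to both IIS servers.

```python
"""Added example (not from the original question or answer): a minimal
HS256 JWT minted by application A and validated by service B.  The shared
secret, audience name, user name and timestamps are constructed values."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SHARED_SECRET = b"constructed-shared-secret-rotate-me"  # assumed: known to both servers
AUDIENCE_B = "urn:intranet:service-b"                   # assumed identifier for service B
TOKEN_LIFETIME_SECONDS = 60                             # short lifetime limits replay window


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Reverse of _b64url; restores the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(windows_user: str, secret: bytes = SHARED_SECRET,
               now: Optional[float] = None) -> str:
    """Application A: wrap the already-authenticated identity in a signed token."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "sub": windows_user,   # e.g. DOMAIN\\user taken from the authenticated request
        "aud": AUDIENCE_B,     # binds the token to service B only
        "iat": int(now),
        "exp": int(now) + TOKEN_LIFETIME_SECONDS,
    }
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token: str, secret: bytes = SHARED_SECRET,
                   now: Optional[float] = None) -> Optional[str]:
    """Service B: return the user name if the token is authentic and current, else None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    signing_input = parts[0] + "." + parts[1]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        presented_sig = _b64url_decode(parts[2])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    # Pin the algorithm server-side: the token must not choose "none" or another MAC.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected_sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(expected_sig, presented_sig):
        return None
    if not isinstance(claims, dict) or claims.get("aud") != AUDIENCE_B:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    sub = claims.get("sub")
    return sub if isinstance(sub, str) and sub else None


if __name__ == "__main__":
    # Constructed round trip: A mints, B validates, B impersonates the returned name.
    token = mint_token("CORP\\alice", now=1_700_000_000)
    print(validate_token(token, now=1_700_000_030))   # CORP\alice
    print(validate_token(token, now=1_700_000_061))   # None (expired)
```

The order of checks matters: the signature is verified before any claim is trusted, the algorithm is fixed by the validator rather than read from the token, and the `aud` claim stops a token minted for one service from being replayed against another. The token still has to travel over TLS between the two IIS hosts, and the returned name is only as trustworthy as A's own Windows Authentication, which is the trade-off the answer describes relative to delegation.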


粤ICP备18138465号  © 2020-2024 STACKOOM.COM