Using Constrained Delegation with ASP.NET
We've got an upcoming internal “readiness” day here in Chicago on Friday. The general subject is a focus on security and I've been tapped to present something.
I'm really intrigued by Keith Brown's article, Exploring S4U Kerberos Extensions in Windows Server 2003, which is all about how to use constrained delegation in Windows Server 2003. What this article doesn't outline is where and when you'd use this nitfy feature. I'm currently setting up a couple of Virtual PC instances to test out some of these sceanrios:
- Using the CLR's declarative security model based upon a WindowsPrinciple
- Using Authorization Manager
- Impersonating to Enterprise Services / COM+ and using role-based authorization for performing business logic
- Impersonating from Enterprise Services / COM+ to SQL Server for audit logging purposes
Granted, some of these sceanrios do not mesh well with well known performance and scalabilty guidance. i.e., impersonating to SQL Server means you loose connection pooling - a huge scalability hit. However, it would mean easier auditing/logging and less work on the developer to build this into their application.
Once I have the scenarios running, I'll post the results.