
I'm a bit confused by Identity Impersonation in IIS 7.5

In the good old days you could just put <identity impersonate="true" /> in the web.config and call it good. Directories could then be locked down to a specific user, and IIS would then be able to access resources, such as SQL Server stored procedures, that that user had permissions to.

With the new integrated pipeline, this no longer works. I could switch to the "classic" pipeline, but that will only work for so long, so I want to do things the preferred "modern" way.

I definitely want to keep two tiers of security. The anonymous side of the site will have access to the SPROCs needed to display anonymous data, and the admin portion will have additional access. Without identity impersonation, how can this be done?

John Hoge

2 Answers


Great question! I didn't know this was different in IIS 7.5 until I read your post. (I would upvote you but I don't have enough points).

I found a good post from someone who works on the core IIS team. Perhaps this will help you a little bit.

http://forums.iis.net/t/1147713.aspx

Jeremy

Impersonation still works, but to get to SQL Server (the second hop) you have to use "delegation". The most important part of getting delegation to work is that you have to use Kerberos. It is one thing to have it installed and enabled; it is another to make sure that it is actually used. Googling "two hop" and "delegation" gets you lots of "how to" information, some better than others. This one has nice pictures.

I recommend testing in IE first.

Once you have it working in IE, move on to Chrome, where the servers that IIS needs to connect to have to be whitelisted. The most important key to set is "AuthNegotiateDelegateWhitelist".

This is a post on how to do that

Ted Cohen
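An added example, not part of either answer, covering the two checks the second answer calls for in PowerShell: a query that asks SQL Server which authentication scheme and which login the second hop actually arrived with (so you can tell Kerberos delegation from an NTLM fallback), and the Chrome policy value that permits the browser to delegate the user's ticket to the IIS host. The host names, the SQL instance, the database name and the function names are placeholders I chose for illustration; the registry path and the policy names are Chrome's documented ones.

```powershell
# Added example, not from the thread. Host names, the SQL instance and the
# function names are placeholders (assumptions); adjust for your domain.

function Test-SqlKerberosHop {
    <#
    Run this from inside the IIS worker process (e.g. a test page or a
    scheduled job under the app pool identity) to see what SQL Server received
    for the second hop. auth_scheme is KERBEROS when the hop was Kerberos and
    NTLM when it fell back; a fallback carries no credentials on the second
    hop, so SQL Server sees NT AUTHORITY\ANONYMOUS LOGON and rejects it.
    EffectiveLogin should be the browsing user, not the app pool account,
    if delegation actually happened.
    #>
    param(
        [Parameter(Mandatory)] [string] $SqlServer,   # e.g. 'sql01.corp.example' (assumed)
        [string] $Database = 'master'
    )
    # Integrated Security so the caller's own token is what SQL Server sees.
    $cs = "Server=$SqlServer;Database=$Database;Integrated Security=SSPI;"
    $sql = @"
SELECT c.auth_scheme, s.login_name, SUSER_SNAME() AS effective_login
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s ON s.session_id = c.session_id
WHERE c.session_id = @@SPID;
"@
    $conn = New-Object System.Data.SqlClient.SqlConnection($cs)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $sql
        $r = $cmd.ExecuteReader()
        if (-not $r.Read()) { throw "no row returned for @@SPID" }
        [pscustomobject]@{
            AuthScheme     = [string]$r['auth_scheme']       # KERBEROS, NTLM or SQL
            LoginName      = [string]$r['login_name']
            EffectiveLogin = [string]$r['effective_login']
            IsKerberos     = ([string]$r['auth_scheme'] -eq 'KERBEROS')
        }
    }
    finally { $conn.Dispose() }
}

function Set-ChromeDelegateWhitelist {
    <#
    Chrome only forwards (delegates) the user's Kerberos ticket to web servers
    matching this policy, so list the IIS host(s) the browser talks to; the
    SQL Server is IIS's problem, not Chrome's. Writes the legacy
    AuthNegotiateDelegateWhitelist name the answer mentions and the newer
    AuthNegotiateDelegateAllowlist name so either Chrome version reads it.
    Needs an elevated prompt because the policy lives under HKLM.
    #>
    param(
        [Parameter(Mandatory)] [string[]] $Hosts   # e.g. 'web01.corp.example', '*.corp.example' (assumed)
    )
    $key = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $value = ($Hosts -join ',')   # Chrome expects a comma-separated list
    foreach ($name in 'AuthNegotiateDelegateWhitelist', 'AuthNegotiateDelegateAllowlist') {
        New-ItemProperty -Path $key -Name $name -Value $value -PropertyType String -Force | Out-Null
    }
    Get-ItemProperty -Path $key
}

# Usage (placeholder names):
# Test-SqlKerberosHop -SqlServer 'sql01.corp.example'
# Set-ChromeDelegateWhitelist -Hosts 'web01.corp.example'
```

After setting the policy, open chrome://policy in the browser and confirm the value shows up without an error; if the IIS host is not already in the Windows Intranet zone you may also need the companion AuthServerWhitelist/AuthServerAllowlist policy so Chrome is willing to do Negotiate for it at all. Delegation still has to be permitted on the Active Directory side (the IIS computer or service account trusted for delegation, with the right SPNs registered) for the query above to report the end user rather than the app pool identity.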