tags:

views:

75

answers:

2
+2  Q: 

Solution to avoid double-hop from client > web service > SQL Server

My project invoves a user connecting from client to web service, and then web service to SQL Server. The web services and SQL Server are on separate machines. Because of security requirements, we cannot used mixed mode in SQL Server, only Windows authentication.

We are experiencing the "double-hop" issue between web service and SQL Server. We are using NTLM authentication and do not want to configure Kerberos because of the overhead and learning curve. We also don't want to have the web service and SQL Server on the same machine.

From what I understand, all of our requirements make this scenario impossible to resolve. However, a developer came up with this suggestion:

1) Send the windows username and password from the client to the web service under SSL encryption

2) Somehow convert the windows username and password into a security token that could be authenticated by SQL Server

To make an analogy, it sounds like we would be doing a RUNAS in the C# code when connecting to SQL Server. There would be no authentication for the web service, only through SQL Server.

My questions:

1) Is the proposed solution possible?

2) If so, how would it be done?

3) Any web resources to help me understand how it could be done?

A: 

This couldn't be done. Think about it, if applications could simply generate security tokens in this manner, what good would it be? You'll need Kerberos to overcome this issue.

Edit: Also the runas analogy doesn't apply in the case of a client attempting to authenticate into two systems successively, since runas only requires a single hop, even when you switch the user.

Pierreten  2010-06-25 00:39:59
Thanks for the answer. But here is a link that suggests it's possible: http://www.eggheadcafe.com/software/aspnet/31180511/role-based-connections-us.aspxAlthough it's also possible I misunderstood the info in the link. I posed the question here because I was looking for more details.
8kb  2010-06-25 00:46:12
Got it. Why not add the account that serves as the identity for the application pool running the web service as a SQL user?
Pierreten  2010-06-25 00:50:25
If you need to distinguish between users, your web service will be able to do so; you can control security from that level effectively.
Pierreten  2010-06-25 00:52:06
It probably sounds ridiculous, but the reason we are not authenticationg only on the web service level is because of a government security requirement that states all activity in the database must be attributable to a single user. We proposed a situation where the application layer logs all user activity, or we even pass the username to the stored procedures and log it in SQL Server, but that was nixed by our IA department.
8kb  2010-06-25 00:56:37
In that case, you'll have to go the painful and possibly expensive route of setting up Kerboros (but considering this is a government entity you're dealing with, they wouldn't have any concerns regarding cost, would they ;)
Pierreten  2010-06-25 02:04:29
+1  A: 

No, this is not possible. The client process does not have access to the user password, and hence it cannot send it to the web service tier. The client would have to explicitly ask the user for its password. If the client process has the password and is willing to send it to the web service then, in theory, the WebService can create a token for that user/password (using LogonUser) and then connect to the SQL Server using that token. This so called solution is so riddled with multiple security problems that is not worth discussing. If your team insist on it, make a web service that does that, ask a team member to connect to it, and once you got hold of his credentials (he will send your service his password, remember?) connect to the exchange server and send a mail to the CEO with the text 'Fire me, I'm an Idiot'. Or change his direct deposit bank and account in HR. Use your imagination... I hope now is a bit clearer why going down the path you propose is a very bad idea.

Just use Kerberos.

BTW, if you need to authenticate to the back end due to government regulation, then bear in mind that authentication and audit always come with a 'non-repudiation' requirement, and sending the password to the web-service so it authenticates on your blatantly contradicts that requirement, since the web-service can do any operation it wants masquerading as the user. This is what Kerberos delegation is constrained delegation.

Remus Rusanu  2010-06-25 01:27:22
Thanks for responding. I have referenced your articles on queues and service broker on multiple occasions. The idea is that, yes, the username and password would be sent from the client to the web service under encrypted SSL. Only the webservice would have the information and would create the token to access SQL Server. I'm not sure how this is a security risk unless you mean that our programmers could write code to possibly hijack the information. Still, I would rely on your experience over mine, so I'm going assume you're right. I'll take this info back to IA (it was actually their idea...)
8kb  2010-06-25 03:49:41
There are two reasons why this is a bad idea: 1) the user has to explicitly pass in his password in the client, ie. the client does *not* simply flow on the authentication from the user Windows session login. And 2) lack of constraints in the web service: once the user is impersonated, the web service can do *anything*. With Kerberos the impersonated context delegation is *constrained*, it can only connect to specific resources, controlled from the AD and from the SPN registration process.
Remus Rusanu  2010-06-25 04:53:40
"unless you mean that our programmers could write code to possibly hijack the information" that is one very viable possibility. Just think about various scenarios when the users of the web service could be some *very* important users, like company executives. The stakes could be very high. But even if you have complete trust in your programmers, you still have the problem of a service compromise, an attacker gaining control of the web service could gain control/knowledge of all service users passwords.
Remus Rusanu  2010-06-25 05:02:59
The further your explanation goes into detail, the more I can see how bad an idea this is. Especially considering the data we are working with must be protected even from the users themselves. Thanks for your time.
8kb  2010-06-25 05:12:34

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?