NT Networks, Delegation, Kerberos and Impersonation.

Tags: .NET

The delegation of permissions over a network seems to be one of the most confusing issues people run into. I don't think I've been on a project involving web pages or services in some form that didn't run into it - people simply expect permissions to flow naturally between different network nodes. It's logical. It's intuitive. However, it doesn't work.

I've blogged about this and the Double-Hop problem before, but for neatness' sake and because I found myself explaining it three times today, I'll reiterate here, linking to various resources so I have somewhere to point people when they ask.

1) Larry Osterman explains about network delegation and its limitations.
2) MSDN Article on troubleshooting authentication and double-hop issues.
3) A blog entry of mine on using RevertToSelf() to bypass the double-hop problem.
4) Scott Allen's Roadmap to Delegation has links on how to set up Kerberos delegation.
5) If you have a username and password to authenticate with, you can use LogonUser to acquire a primary logon token that can be delegated, or use DuplicateTokenEx to turn an impersonation token into a primary token. Here is some C# code, if you prefer.
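As an added illustration of point 5 (my own sketch, not the C# code linked from the post), here are both routes side by side: LogonUser when you hold credentials, DuplicateTokenEx when you only hold an impersonation token. The constants are the Win32 values; the helper class and method names are hypothetical.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

// Hypothetical helper (not the post's linked code): two ways to end up with a primary token.
static class PrimaryTokenHelper
{
    // Win32 constants from winbase.h / winnt.h
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8; // keeps credentials, so the token can make a second hop
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const uint TOKEN_ALL_ACCESS = 0xF01FF;
    const int SECURITY_IMPERSONATION = 2;          // SECURITY_IMPERSONATION_LEVEL
    const int TOKEN_PRIMARY = 1;                   // TOKEN_TYPE

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateTokenEx(SafeAccessTokenHandle existing, uint desiredAccess,
        IntPtr attributes, int impersonationLevel, int tokenType, out IntPtr duplicate);

    // Route 1: you hold a username and password. LogonUser performs a fresh logon, so the
    // resulting primary token carries credentials and code impersonating it can reach a
    // second machine (the hop a delegated network token cannot make).
    public static SafeAccessTokenHandle FromCredentials(string user, string domain, string password)
    {
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                       LOGON32_PROVIDER_DEFAULT, out IntPtr raw))
            throw new Win32Exception(); // parameterless ctor reads Marshal.GetLastWin32Error()
        return new SafeAccessTokenHandle(raw);
    }

    // Route 2: you only hold an impersonation token (e.g. the request identity in ASP.NET).
    // DuplicateTokenEx changes the token *type* to primary, which is what CreateProcessAsUser
    // needs; it does not add credentials, so a token from a network logon still cannot hop.
    public static SafeAccessTokenHandle ToPrimary(SafeAccessTokenHandle impersonationToken)
    {
        if (!DuplicateTokenEx(impersonationToken, TOKEN_ALL_ACCESS, IntPtr.Zero,
                              SECURITY_IMPERSONATION, TOKEN_PRIMARY, out IntPtr raw))
            throw new Win32Exception();
        return new SafeAccessTokenHandle(raw);
    }

    // Run a block of code under the token; the thread reverts automatically afterwards.
    public static void RunAs(SafeAccessTokenHandle token, Action work)
        => WindowsIdentity.RunImpersonated(token, work);
}
```

Dispose the returned handle when you are done with it; it wraps the raw HANDLE and closes it for you.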

Hope this helps clarify matters.
And remember - it's not a link blog if I also link to my own entries. :)
