web page calls web service - security

  • Thread starter: Mark

Mark

Assume you have a web page hosted on a local server in your domain. You
have a .NET web service on a different server in the same domain. The web
page calls the web service using domain authentication. By default, does
the web page attempt to use the local ASPNET account used to run the web
page or the domain credentials of the user?

Thanks.

Mark
 
the default is anonymous. commonly you'd set the credential to the cache
default (in code). the default account will depend on web.config
settings and whether app pools are used.

if impersonate user is set, then the cache default is the user account
unless overridden in the web config.

if impersonate user is not set, it's the app pool account, or the asp.net
account if app pools are not used.

note: if you impersonate user, then you will have a secondary token
which can only be used for a web service on the same server. if you need
to access a different server, then you will need to switch to Kerberos,
and enable credentials forwarding on the servers involved.

-- bruce (sqlwork.com)
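
The setup described in the answer above, as an added C# example that is not part of the original thread: it attaches the cache default credentials to a web service proxy and reports which Windows account the call will go out as. `OutboundCall` and `UseCurrentIdentity` are hypothetical names; the proxy is assumed to be a class generated from the service's WSDL.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.Web.Services.Protocols;

// Added example. OutboundCall is a hypothetical helper; pass it any proxy
// generated from the service's WSDL (they derive from SoapHttpClientProtocol).
public static class OutboundCall
{
    // Attach the current Windows identity to the proxy. Without this line
    // the request is sent anonymously, which is the default noted above.
    //
    // Which account "current" means is decided in web.config:
    //   <authentication mode="Windows" />
    //   <identity impersonate="true" />   -> the browsing user's token
    //   (no impersonation)                -> app pool / ASP.NET account
    public static string UseCurrentIdentity(SoapHttpClientProtocol proxy)
    {
        if (proxy == null) throw new ArgumentNullException("proxy");

        proxy.Credentials = CredentialCache.DefaultCredentials;

        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            // Log this server-side to confirm which account reaches the service.
            string summary = string.Format(
                "outbound identity={0}; auth={1}; level={2}",
                id.Name, id.AuthenticationType, id.ImpersonationLevel);

            // With integrated Windows authentication, a token at level
            // Impersonation is the "secondary token" case from the answer:
            // usable on this server, not forwardable to another one.
            // Level Delegation means Kerberos delegation is in effect.
            if (id.ImpersonationLevel == TokenImpersonationLevel.Impersonation)
                summary += "; call to a different server may need Kerberos delegation";

            return summary;
        }
    }
}
```

Call it once before invoking a method on the proxy and write the returned string to the application log; an unexpected account name there means the web.config impersonation setting is not what you assumed.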
 