To Delegate Or Not To...

As part of my role at Microsoft, I sometimes assist customers in making design decisions with their applications. After understanding what the requirements are for the application, I seek relevant information or resources based on the requirements. Any relevant information I find, I will forward to the customer and outline the advantages and disadvantages of the options available.

One of the things I have been asked to assist on concern whether or not delegating the credentials of the end user to the backend resource in a multi-tier application is suitable. The following is a list of advantages and disadvantages that I think applies under most scenarios. Some of the items are quoted directly from MSDN articles and some are from Microsoft Consultants that I have worked with. I hope this will help you in making a decision as to whether or not Kerberos Delegation is appropriate security model for your application.

Delegation Model Advantages

The main advantages of the Delegation Model are the following:

  1. The resource is always accessed as the user. More specific security is enabled at a resource level rather than at the task level. Resource level security is also useful if the resource is accessed from outside the application (such as through a report generator).
  2. System level access auditing. Since all resources are accessed as the real user on all tiers of the system, you can enable system level access auditing on all tiers. This level of auditing can be very helpful when trying to meet new regulatory requirements for auditing and access reporting.

Delegation Model Disadvantages

  1. Performance.
    • No database connection pooling at the middle tier. This reduces scalability and performance.
  2. Security.
    • Misuse of delegation could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources. .
    • Direct user access available to resources. In some cases users may be able to directly access back-end resources using their normal credentials without going through the preferred application. For example, a user might use a SQL client to run commands directly against the database tier instead of through a business application.
  3. Complexity
    • The turnaround time for resolving issues can be lengthy. Assuming there is no problem on the domain/network, there is a checklist of necessary settings to verify for each tier in the architecture as well as Active Directory.
    • Authorization may still need to be maintained on each of the middle tiers and introduce operational complexity.
    • Not all tiers support the impersonation model for every scenario. A typical example is the back-end service that is hosted on a mainframe or other non-Microsoft server that does not support Kerberos protocol authentication.

Useful Reference:

The following article describes two architectures that you may employ, Delegation Architecture versus Trusted Subsystem, and lists the advantages and disadvantages of each.
Developing Identity-Aware ASP.NET Applications