Security Integration Summary

In the previous topics in this section, we discussed the main parts of the Windows Server AppFabric security model and examined how AppFabric leverages Windows Security accounts and groups. AppFabric maps these Windows security principals into IIS and .NET Framework Security concepts, which in turn map to SQL Server Security by using login names and database roles. This topic briefly summarizes how the AppFabric security model integrates all of these supporting technologies to help provide a secure environment for your application.

AppFabric Conceptual Roles

Use these conceptual roles to logically allocate users and appropriate permission levels while designing your security architecture.

• Application Server Users. Application pool identities of the applications that run in AppFabric.

• Application Server Observers. People who can view properties and information of running applications.

• Application Server Administrators. People who can manage or control running applications and system services that help applications run.

Windows Security Principals

AppFabric conceptual roles map to Windows security groups. The IIS_IUSRS, LOCALHOST\AS_Administrators, and LOCALHOST\AS_Observers groups are created during IIS and AppFabric local installation only on the local computer.

• IIS_IUSRS group. IIS creates this existing Windows security group during its setup process, and populates it dynamically at run time. This group contains all the application pool identities in the AppFabric Application Server Users conceptual role. It has permission to persist data and emit tracking information. Any identity used for an application pool will be a member of the IIS_IUSRS group.

• LOCALHOST\AS_Administrators group. This local Windows security group is created on your behalf by the AppFabric setup. Its users map to the AppFabric Application Server Administrators conceptual role. Any user that needs to do AppFabric administrative duties needs to be in this group.

• LOCALHOST\AS_Observers group. This local Windows security group is created on your behalf by the AppFabric setup process. Any user assigned to this role will be granted the privileges described for the Application Server Observers conceptual role.

When using AppFabric across multiple computers in a domain environment, it is a best practice to create a domain group for each of the AppFabric conceptual roles to use on multiple AppFabric server computers within that domain. The users assigned to these groups are granted the privileges associated with each conceptual role, but at the domain scope level. After you create these domain Windows security groups, add domain user accounts to them based upon AppFabric access and functionality requirements. While you can name them whatever you want to, it makes sense to give them identifying names, such as the “DOMAIN\MyAppFabricAdmins” and “DOMAIN\MyAppFabricObservers” groups. In local AppFabric servers, these domain accounts are placed in the LOCALHOST\AS_Administrators group.

For more information about how AppFabric uses Windows security, see Windows Security.

IIS and .NET Framework Security

An application uses some parts of IIS security when configured to run in Mixed Transports mode. However in that mode, the application bases its security-related behavior more upon .NET Framework and WCF security than upon IIS security. If that same application is configured to run in ASP.NET compatibility mode, it more heavily leverages IIS authentication and ignores WCF security. This part of the AppFabric security model relates to authenticating both the client and the identity assigned to the application domain or process that hosts the application to access the SQL Server back-end data. For more information, see IIS and .NET Framework Security.

SQL Server Login Names and Database Roles

AppFabric conceptual roles map to SQL Server database security roles, which in turn map to Windows security groups as follows:

• AS_Administrators. Maps to the local LOCALHOST\AS_Administrators group account, whose users originate from the AppFabric Application Server Administrators conceptual group. The AS_Administrators login name is assigned to the SQL Server database roles that are needed to administer the persistence and monitoring stores.

• AS_Observers. Maps to the local LOCALHOST\AS_Observers group account, whose users originate from the AppFabric Application Server Observers conceptual group. The AS_Observers login name is assigned to the SQL Server database roles that are needed to observe (but not administer) the persistence and monitoring stores.

• IIS_IUSRS. Maps to the local BUILTIN\IIS_IUSRS group account, whose users originate from the AppFabric Application Server Users conceptual group. The IIS_IUSRS login name is assigned to the SQL Server database roles needed for any applications that run under this login account to access the persistence and monitoring stores at run time.

AppFabric conceptual roles map to SQL Server database roles in a permissions configuration that is similar to that of their corresponding login names. For example, the AS_Administrators login account has more access permissions than does the AS_Observers login account. For more information about the specific database roles and permissions that these login names are assigned, see the “SQL Server Logins” section of SQL Server Security.

Security Note
Third parties that provide non-SQL Server database storage implementations are required to map their security model to the AppFabric conceptual roles.