Double-hop: ASP.Net developers beware

January 23, 2007

The following is a repost from my old SharePoint blog: http://vspug.com/kwanl/2007/01/23/double-hop-asp-net-developers-beware/

I’ve been doing web development on ASP.Net for some time now (3 years) and have only really recently run into this issue of a “double-hop”. A double-hop occurs when you are using Windows Integrated Authentication and make a call that needs credentials on another server.

The first hop is between the client and the first server, which is most likely IIS. If you have a web application (or web part) on that first IIS server that needs to call a web service on another server that needs credentials, it will fail unless you configure Kerberos for constrained delegation.

The problem is that your credentials can’t be passed on to the second server because with Windows Authentication your password is never sent to the first server (only a hash of it is).
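To see the failure from inside the first server, the handler below is an added diagnostic example, not code from the original post. It reports the impersonation level of the caller's token and then attempts the second hop as that caller; the class name `DoubleHopCheck` and the `SecondHopUrl` value are hypothetical placeholders, and it assumes the site uses Windows authentication.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.Web;

public class DoubleHopCheck : IHttpHandler
{
    // Assumption: placeholder for the web service on the second server.
    private const string SecondHopUrl = "http://second-server.example/service.asmx";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse output = context.Response;
        output.ContentType = "text/plain";

        WindowsIdentity caller = context.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
        {
            output.Write("No Windows identity on this request; check the IIS authentication settings.\n");
            return;
        }

        // A token at Impersonation level is only usable on this machine.
        // Delegation level means Kerberos delegation is in effect and the
        // identity can be presented to another server.
        output.Write("Caller: " + caller.Name + "\n");
        output.Write("Authentication type: " + caller.AuthenticationType + "\n");
        output.Write("Token level: " + caller.ImpersonationLevel + "\n");
        bool canDelegate = caller.ImpersonationLevel == TokenImpersonationLevel.Delegation;
        output.Write("Second hop expected to " + (canDelegate ? "succeed" : "fail") + "\n");

        // Attempt the second hop as the caller. Under impersonation,
        // DefaultCredentials refers to the impersonated identity.
        using (WindowsImpersonationContext impersonation = caller.Impersonate())
        {
            HttpWebRequest request = (HttpWebRequest)WebRequest.Create(SecondHopUrl);
            request.Credentials = CredentialCache.DefaultCredentials;
            try
            {
                using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
                    output.Write("Second hop status: " + (int)response.StatusCode + "\n");
            }
            catch (WebException ex)
            {
                // A 401 here with an Impersonation-level token is the double-hop failure.
                HttpWebResponse failed = ex.Response as HttpWebResponse;
                output.Write("Second hop failed: " + (failed != null ? ((int)failed.StatusCode).ToString() : ex.Status.ToString()) + "\n");
            }
        }
    }
}
```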

I ran into this problem while working on a Reporting Services 2005 (SSRS) web part which calls the SSRS web services. There are several solutions I’ve read about:

1. Use basic authentication (with SSL of course)
2. Use Kerberos with constrained configuration (haven’t had success with this)
3. Get rid of the double hop by having the client connect to the second server directly using client-side code (JavaScript, HTML, etc).

This issue has been tricky to deal with because we originally didn’t plan for it. The current solution is to do #3 which means quite a bit more JavaScript than we were expecting.

Related articles/posts:
Bryant Like’s Blog: Web Parts and Web Services
Kerberos Constrained Delegation
