
Network Architecture & Web Server


BoulderBum (Programmer), Jul 11, 2002
I'm a developer doing a bit of research on how to simplify interaction with our network resources and I'm hoping some of you network guys can offer some advice.

The situation we're in is that we have a web application that serves as a secured view of several internal network resources like documents, data, etc., all of which really need to be accessible on our network because other internal systems/employees use them.

From a development perspective, it would greatly simplify our jobs in the short- and long-term to have a minimum-privileged domain user we can impersonate to access the resources. We want to perform this impersonation without compromising the larger network, however, which is where the question comes in.

Is there a simple and cost-effective way to configure our network to allow our web server to have minimum-privileged access to only those network resources we need access to on our domain?

MCP, MCTS - .NET Framework 2.0 Web Applications
 
If your domain is at 2003 functional level you should look at either Protocol Transition or Constrained Delegation. If your domain is something other than 2003 functional level, you could use the less secure simple Delegation. Using the more secure Constrained Delegation, you define exactly what services your web application identity should be able to access. For example, if you want to interact with a remote file system, you could configure your application identity to only be able to interact with the cifs service on the remote system. I have configured a few .Net applications to work exactly this way. You should Google "Protocol Transition" or "Constrained Delegation" because you'll need to get an understanding of Kerberos vs NTLM authentication. If you need further assistance, I'd be glad to help.
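The constrained delegation setup described in the reply above, as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module is installed, a domain at 2003 functional level or higher, and the hypothetical names `svc-webapp` (the low-privilege account the web application runs as) and `fileserver01.corp.example` (the file server holding the documents); the account running it needs the right to configure delegation (Domain Admin by default).

```powershell
# Added example, not from the original post. Names below are hypothetical.
Import-Module ActiveDirectory

$AppAccount = 'svc-webapp'                 # low-privilege identity the web app impersonates
$FileServer = 'fileserver01.corp.example'  # file server holding the documents

# 1. Constrained delegation: the account may request service tickets only for
#    the SPNs listed here. As in the reply, that is just the CIFS (SMB) service
#    on one file server; both the FQDN and short-name SPN forms are listed.
Set-ADUser -Identity $AppAccount -Add @{
    'msDS-AllowedToDelegateTo' = @(
        "cifs/$FileServer",
        "cifs/$($FileServer.Split('.')[0])"
    )
}

# 2. Protocol transition: needed only when users reach the web app with a
#    non-Kerberos method (forms auth, NTLM) and the app then needs a Kerberos
#    ticket on their behalf. Leave it $false if clients already use Kerberos.
Set-ADAccountControl -Identity $AppAccount -TrustedToAuthForDelegation $true

# 3. Make sure the account is NOT also flagged for simple (unconstrained)
#    delegation, which would override the SPN list above.
Set-ADAccountControl -Identity $AppAccount -TrustedForDelegation $false

# 4. Verify the result: the SPN list and the two delegation flags.
Get-ADUser -Identity $AppAccount `
    -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation |
    Select-Object SamAccountName, TrustedForDelegation, TrustedToAuthForDelegation,
                  @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }

# 5. Audit: list every user or computer in the domain still using simple
#    (unconstrained) delegation, the less secure option the reply mentions.
#    0x80000 (524288) is the TRUSTED_FOR_DELEGATION bit of userAccountControl.
Get-ADObject -LDAPFilter '(&(|(objectClass=user)(objectClass=computer))(userAccountControl:1.2.840.113556.1.4.803:=524288))' `
    -Properties samAccountName |
    Select-Object samAccountName, objectClass
```

Step 4 should show `TrustedForDelegation` as `False` and only the two `cifs/` SPNs; anything extra in the step 5 list is an account worth moving to constrained delegation.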
 