Wednesday, September 28, 2011

Daily Question: How to address double hop issue in SharePoint?

Answers:
Solution 1: Use Kerberos instead of NTLM.
Solution 2: Use the Secure Store Service in SharePoint 2010.


About the Secure Store Service

The Secure Store Service is an authorization service that runs on an application server. The Secure Store Service provides a database that is used to store credentials. These credentials usually consist of a user identity and password, but can also contain other fields that you define. For example, SharePoint Server 2010 can use the secure store database to store and retrieve credentials for access to external data sources. The Secure Store Service provides support for storing multiple sets of credentials for multiple back-end systems.
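To show how Solution 2 sidesteps the double hop, here is an added PowerShell example (not from the original post) that creates a group-type Secure Store target application and maps one stored Windows credential to it. Everything in it is assumed: the CONTOSO domain, the svcDataReader back-end account, the portal.contoso.com web application and the CONTOSO\PortalUsers group are placeholders, and the cmdlets are the SharePoint 2010 Secure Store cmdlets run from the SharePoint 2010 Management Shell on a farm where the Secure Store Service application already exists.

```powershell
# Added example, not part of the original post. All names are placeholders.
# Run from the SharePoint 2010 Management Shell (Microsoft.SharePoint.PowerShell is loaded there).

# 1. Describe the target application. "Group" means every member of the
#    credentials-owner group below shares one stored back-end identity.
$targetApp = New-SPSecureStoreTargetApplication `
    -Name "ContosoReportingDB" `
    -FriendlyName "Contoso Reporting Database" `
    -ApplicationType Group `
    -ContactEmail "sharepointadmin@contoso.com"

# 2. Define the fields that make up one credential set. Masked:$true hides the
#    password in the Secure Store UI.
$userField     = New-SPSecureStoreApplicationField -Name "UserName" -Type WindowsUserName -Masked:$false
$passwordField = New-SPSecureStoreApplicationField -Name "Password" -Type WindowsPassword -Masked:$true
$fields = $userField, $passwordField

# 3. Who may administer the application, and which group of SharePoint users
#    is allowed to use the stored credential.
$adminClaim = New-SPClaimsPrincipal -Identity "CONTOSO\spadmin"      -IdentityType WindowsSamAccountName
$ownerClaim = New-SPClaimsPrincipal -Identity "CONTOSO\PortalUsers"  -IdentityType WindowsSamAccountName

# 4. Create the application in the Secure Store Service bound to the web app's service context.
$ssApp = New-SPSecureStoreApplication `
    -ServiceContext "http://portal.contoso.com" `
    -TargetApplication $targetApp `
    -Fields $fields `
    -Administrator $adminClaim `
    -CredentialsOwnerGroup $ownerClaim

# 5. Store the back-end credential. Values are SecureStrings in the same order as $fields.
#    In real use, read the password with Read-Host -AsSecureString instead of a literal.
$backendUser = ConvertTo-SecureString "CONTOSO\svcDataReader" -AsPlainText -Force
$backendPass = Read-Host "Password for CONTOSO\svcDataReader" -AsSecureString
Update-SPSecureStoreGroupCredentialMapping -Identity $ssApp -Values ($backendUser, $backendPass)

# 6. Confirm the application is registered.
Get-SPSecureStoreApplication -ServiceContext "http://portal.contoso.com" -Name "ContosoReportingDB"
```

The stored credential is what the web front end presents to the back end, so there is no second hop of the visitor's own identity at all. The trade-off a practitioner should note is that the back-end system then sees CONTOSO\svcDataReader for every member of the group, not the individual user, so per-user auditing and row-level permissions on that system no longer reflect who actually made the request; an Individual-type target application keeps per-user credentials at the cost of each user entering theirs once. The Secure Store database must also have been initialised with a master key (Update-SPSecureStoreMasterKey) before credentials can be written, and that passphrase should be kept as carefully as any other farm secret.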





Interesting read:
http://blogs.msdn.com/b/besidethepoint/archive/2010/05/09/double-hop-authentication-why-ntlm-fails-and-kerberos-works.aspx

Double Hop Issue:
Basically it comes from the way NTLM works: an NTLM authentication can't be passed on to another server without the user's actual password (or password hash). SharePoint normally never has the logged-in user's password, so it cannot use that user's identity to access a resource on another server or domain (the "second hop").
In IIS, under a fairly common combination of settings (Integrated Windows Authentication, anonymous access disabled, and impersonation turned on), a security measure kicks in when the site needs to reach a resource that is not on the IIS server itself, and the site is not allowed to access resources on any other network server as the visitor. This includes accessing a UNC path directly from IIS, or connecting to SQL Server using Windows authentication.
The reason is the 'double hop' that authentication would have to make. When you authenticate to the IIS server using Integrated Authentication, that uses up your first 'hop'. When IIS then tries to access a network device as you, that would be the second (or double) hop, which is not allowed. IIS cannot pass your credentials on to the next network device, because otherwise the developer or administrator could abuse them and use them in ways the site visitor didn't anticipate.
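Solution 1 works because Kerberos was designed to let a service obtain a ticket on the user's behalf, but only when the directory explicitly permits it. The following added example (not from the original post) shows the directory-side configuration for Kerberos constrained delegation from a SharePoint web application pool account to one SQL Server instance. The names are placeholders and assumptions: CONTOSO domain, svcSPAppPool as the SharePoint application pool account, portal.contoso.com as the web application host, and sql.contoso.com:1433 as the back-end database; setspn is the Windows SPN tool and Set-ADUser/Get-ADUser come from the ActiveDirectory PowerShell module on a domain-joined machine with RSAT.

```powershell
# Added example, not part of the original post. All names are placeholders.
# Run as a user allowed to edit the service account (e.g. a domain admin) where RSAT is installed.

# 1. Register HTTP SPNs for the web application on its app pool account.
#    Without a matching SPN the client cannot get a service ticket and silently
#    falls back to NTLM, which is exactly the case where the second hop fails.
setspn -S HTTP/portal.contoso.com CONTOSO\svcSPAppPool
setspn -S HTTP/portal             CONTOSO\svcSPAppPool

# 2. Allow the app pool account to delegate the user's identity ONLY to the
#    database service (constrained delegation). Unconstrained delegation
#    (TrustedForDelegation = $true) would let the account act as any visitor
#    against any service in the forest, so it is deliberately not enabled here.
Import-Module ActiveDirectory
Set-ADUser -Identity svcSPAppPool -Add @{ 'msDS-AllowedToDelegateTo' = 'MSSQLSvc/sql.contoso.com:1433' }

# 3. Verify: the SPNs should be listed and the delegation target should be the single SQL SPN.
setspn -L CONTOSO\svcSPAppPool
Get-ADUser -Identity svcSPAppPool -Properties msDS-AllowedToDelegateTo |
    Select-Object -ExpandProperty msDS-AllowedToDelegateTo
```

Two things still have to be true for this to work, and they are the usual causes of "I configured Kerberos and it still uses NTLM": the SQL Server service account must itself have the MSSQLSvc/sql.contoso.com:1433 SPN registered, and the SharePoint web application's authentication provider must be set to Negotiate (Kerberos) rather than NTLM. When it does work, the database sees the individual user's identity on the second hop, so auditing and permissions there remain per user, which is the property the Secure Store approach gives up.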
