Sharepoint Single Sign-On, Impersonation and the Double-Hop Problem

How do you overcome the identity double hop problem?
Windows credentials can only make one “hop” between machines on a network. The first hop is from the user’s browser to the web server; from here, to get to another machine on your network, a second hop is required.
There are two ways to work around this problem: 1) establish a delegation relationship between the web server and the other network machine, and configure the AD domain to allow Kerberos Protocol Transition, or 2) use the Win32LogonUser API to switch to the user’s identity on the web server before making that single hop out to the other network machine.
Sharepoint Single Sign-On uses the second approach. The first approach is complex and probably akin to using a sledge hammer to crack a nut.
The great thing about the Sharepoint SSO service is that when creating Enterprise Application Definition’s, you can decide what credential fields are stored, so you can store, obviously, User names and Passwords, DB connection strings, Domain names and, well, other stuff you can put in a string.

So, as an example, a web part needs to collect information from a network machine to display in it’s UI to a user. You have two choices here, either the resource access needs to be done under the security context of the user (impersonation model), or, the resource access can be done under the security context of some ad-hoc user account (the trusted sub-system model).
In summary the webpart will retrieve security credentials from SSO, create an impersonation security context with those credentials using the LogonUser API, perform the resource access and then undo the impersonation.
We can overcome the double-hop problem using Sharepoint SSO while fulfilling both security models;
1. Trusted Sub-system Model
Create an SSO Enterprise Application Definition of type Group – all users will access network resources using the same credentials:
MbosDoDefSSODisplay Name:  Mbos ESB Domain Access
Username (Unmasked) = esbprocess
Password (Masked) = *****
Domain (Unmasked) = MIT
2. Impersonation Model

More Here



  1. I have read your blog its very attractive and impressive. I like it your blog.

    Java Online Training Java EE Online Training Java EE Online Training Java 8 online training Java 8 online training

    Java Online Training from India Java Online Training from India Core Java Training Online Core Java Training Online Java Training InstitutesJava Training Institutes