Mar 19, 2009

Double hop issue and SharePoint SQL communication

Double hop big picture: IE browser ---> Web Front End ---> SQL (or any other server)

The double hop issue is all about passing the Windows security token, so if you use SQL authentication in the connection string, you don't have this annoying problem; nor do you have it if your ASP.NET web application uses the trusted subsystem model instead of impersonation (impersonation is configured in web.config with `<identity impersonate="true" />`). In the trusted subsystem case, it is the web application pool account that hops (only once) to the other server.

One of my colleagues responded to this by asking, "Why doesn't SharePoint have the double hop issue when its WFE connects to its SQL database?"

Well, this is the question I don't know the answer to. We all know Kerberos is not required for SharePoint, impersonation is the default setting in the SharePoint web.config, and Windows authentication in SQL is the default too. So I went to Google; I found no direct answer, though the closest one is:

`<identity impersonate="true" userName="Domain\UserName" password="pword" />` can fix the problem.

I went back to my SharePoint web.config and, of course, I didn't see it. But it does shed some light. If impersonation in web.config can fix this problem, then impersonation in code should do the same thing. In SharePoint, RunWithElevatedPrivileges is designed for network calls: this little guy impersonates the Application Pool Account, and this account always has SQL access.
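To make the two hops visible, here is an added C# example (my own illustration, not code from SharePoint or from anything above) that opens a Windows-authenticated SQL connection once as the impersonated browser user and once inside RunWithElevatedPrivileges, and asks SQL which login it actually sees. It assumes a hypothetical SQL Server named SQLBOX with a database AppDb, and that it runs in a SharePoint page or web part whose web.config has `<identity impersonate="true" />`.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using Microsoft.SharePoint;

// Added example, not from the original post. SQLBOX and AppDb are made-up names.
// Runs inside a SharePoint page/web part under an impersonating ASP.NET app.
public static class DoubleHopDemo
{
    // Hop 2 target with Windows authentication: the token that reaches SQL is
    // whatever identity the thread holds at the moment Open() is called.
    const string WinAuthConn =
        "Data Source=SQLBOX;Initial Catalog=AppDb;Integrated Security=SSPI";

    // Case 1: thread impersonates the browser user. Under NTLM the WFE holds only
    // the user's token, not credentials it could re-present to SQLBOX, so the
    // second hop arrives as NT AUTHORITY\ANONYMOUS LOGON and the login fails
    // unless Kerberos delegation has been set up for the WFE.
    public static string WhoReachesSqlAsUser()
    {
        return WhoAmIAtSql(); // thread identity: DOMAIN\browseruser
    }

    // Case 2: trusted subsystem. The delegate runs as the application pool
    // account, so WFE -> SQL is a single hop made by an account that already
    // has SQL access.
    public static string WhoReachesSqlAsAppPool()
    {
        string result = null;
        SPSecurity.RunWithElevatedPrivileges(delegate
        {
            result = WhoAmIAtSql(); // thread identity: the app pool account
        });
        return result;
    }

    // Opens the connection and asks SQL which login it sees, so the outcome of
    // each case is observed rather than guessed.
    static string WhoAmIAtSql()
    {
        string caller = WindowsIdentity.GetCurrent().Name;
        try
        {
            using (var conn = new SqlConnection(WinAuthConn))
            using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
            {
                conn.Open(); // the second hop happens here
                return caller + " -> SQL sees " + (string)cmd.ExecuteScalar();
            }
        }
        catch (SqlException ex) // expected in case 1 without Kerberos delegation
        {
            return caller + " -> login failed: " + ex.Message;
        }
    }
}
```

Calling both methods from the same page puts the first hop's identity and the second hop's result side by side, which is the quickest way to confirm whether the farm relies on the app pool account or on delegation.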

I hope this bold assertion triggers some interest in how SharePoint intra-farm communication works, and that someone can either confirm or correct it.