Configuring Delegation
Delegation is the process by which a server (in this case IIS) forwards the authenticated user's identity to another back-end server (for example, a back-end SQL Server or file server) so that the back end can authorize the request as that user. This is useful when access should be checked against the access control list (ACL) maintained by the back-end server rather than against a single service account that IIS uses for everyone.
Configuring delegation can be difficult because what must be configured depends on the authentication mechanism the client is using: only when IIS actually holds the user's password (Basic) or a Kerberos ticket that can be forwarded (Kerberos, or another mechanism combined with protocol transition) can it act as the user against a remote resource; otherwise it can reach the back end only as the web server's own computer account. Note that Basic authentication gives IIS the password in cleartext, so it must only be offered over HTTPS. The following table summarizes the major implications:
| Authentication Mechanism | User Account Used by IIS | Delegation Configuration |
|---|---|---|
| Anonymous | IUSR for non-ASP.NET content. Application pool identity (Network Service) for ASP.NET content. | machinename$ account used to access back-end services. |
| Basic | End user for non-ASP.NET content. Application pool identity (Network Service) for ASP.NET content. | IIS has the user's username and password in cleartext. Can log on directly as the end user for remote content. Enable impersonation for ASP.NET to have .NET access back-end resources as the end user. |
| Digest, NTLM | End user for non-ASP.NET content. Application pool identity (Network Service) for ASP.NET content. | IIS does not have the user's password. Cannot access back-end resources (except as machinename$) unless protocol transition is configured. |
| Kerberos | End user for non-ASP.NET content. Application pool identity (Network Service) for ASP.NET content. | Can access back-end content as end user if Kerberos ... |
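The following PowerShell script is an added example, not code from the book, showing the two halves of the configuration the table describes for the Digest/NTLM and Kerberos rows: the IIS side (Windows authentication with Negotiate preferred, ASP.NET impersonation so .NET code runs as the end user) and the Active Directory side (Kerberos constrained delegation with protocol transition on the web server's computer account, since the application pool runs as Network Service and therefore reaches the back end as machinename$). The server names WEB01 and FS01, the domain contoso.com, the site name and the cifs/ service target are assumptions chosen for illustration; replace them with your own.

```powershell
# Added example (not from the book). Configure IIS and AD for Kerberos
# constrained delegation with protocol transition so ASP.NET content on WEB01
# reaches file server FS01 as the end user, even when the browser used NTLM.
# Assumed (hypothetical) names: WEB01, FS01, contoso.com, 'Default Web Site'.
# Requires the WebAdministration (IIS) and ActiveDirectory (RSAT) modules and
# an account allowed to modify the WEB01 computer object.

Import-Module WebAdministration
Import-Module ActiveDirectory

$site      = 'Default Web Site'
$webServer = 'WEB01'
$backEnd   = 'FS01'
$domain    = 'contoso.com'
$appHost   = 'MACHINE/WEBROOT/APPHOST'
$authPath  = 'system.webServer/security/authentication'

# --- IIS side ---------------------------------------------------------------
# Anonymous would only ever reach the back end as WEB01$, so disable it for
# this site and enable Windows authentication instead.
Set-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter "$authPath/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter "$authPath/windowsAuthentication" -Name enabled -Value $true

# Kerberos is only offered if Negotiate is listed before NTLM; check the order
# rather than silently ending up in the "Digest, NTLM" row of the table.
$providers = Get-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter "$authPath/windowsAuthentication/providers" -Name Collection
if ($providers[0].value -ne 'Negotiate') {
    Write-Warning "Negotiate is not the first provider on '$site'; clients will fall back to NTLM."
}

# Kernel-mode authentication decrypts tickets with the machine account, which
# matches an application pool running as Network Service (HOST/WEB01 covers
# the HTTP/ SPN). If the pool ran as a domain account you would also need
# useAppPoolCredentials=true and an HTTP/ SPN on that account.
Set-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter "$authPath/windowsAuthentication" -Name useKernelMode -Value $true

# ASP.NET: make managed code run as the authenticated user instead of the
# application pool identity (writes <identity impersonate="true"/> to web.config).
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" `
    -Filter 'system.web/identity' -Name impersonate -Value $true

# --- Active Directory side --------------------------------------------------
# Delegation is granted to the account that holds the front-end ticket: the
# WEB01$ computer account. Restrict it to exactly the back-end SPNs needed.
$targets = @("cifs/$backEnd.$domain", "cifs/$backEnd")
$web     = Get-ADComputer -Identity $webServer

# Constrained delegation: -Replace keeps the script idempotent (re-adding an
# existing value to a multi-valued attribute fails).
Set-ADObject -Identity $web.DistinguishedName `
    -Replace @{ 'msDS-AllowedToDelegateTo' = $targets }

# Protocol transition (S4U2Self): lets WEB01$ obtain a service ticket for a
# user it authenticated via NTLM or Digest. This is the "unless protocol
# transition is configured" case in the table.
Set-ADAccountControl -Identity $web.DistinguishedName -TrustedToAuthForDelegation $true

# Never enable unconstrained delegation (-TrustedForDelegation $true) for this:
# it would let WEB01 reuse any user's forwarded TGT against any service.

# --- Verification -----------------------------------------------------------
function Test-ConstrainedDelegation {
    param([string]$ComputerName, [string[]]$ExpectedTargets)
    $c = Get-ADComputer -Identity $ComputerName -Properties `
        'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation
    $missing = $ExpectedTargets | Where-Object { $_ -notin $c.'msDS-AllowedToDelegateTo' }
    [pscustomobject]@{
        Computer            = $ComputerName
        Unconstrained       = [bool]$c.TrustedForDelegation      # must be False
        ProtocolTransition  = [bool]$c.TrustedToAuthForDelegation
        AllowedTargets      = @($c.'msDS-AllowedToDelegateTo')
        MissingTargets      = @($missing)
    }
}

$result = Test-ConstrainedDelegation -ComputerName $webServer -ExpectedTargets $targets
$result | Format-List
if ($result.Unconstrained) { Write-Warning "$webServer is trusted for unconstrained delegation." }
if ($result.MissingTargets.Count -gt 0) { Write-Warning "Missing delegation targets: $($result.MissingTargets -join ', ')" }
```

After running the script, restart the application pool (or run iisreset) so IIS picks up the changed authentication settings, and test from a browser with a user whose ACL on FS01 differs from that of WEB01$: a request served as the end user will be authorized by the back end exactly as that user, which is the behaviour the table's Kerberos row describes.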