How do I overcome the double-hop problem when going from SharePoint 2010 BDC to WCF service to SQL Server
We have a SharePoint application that needs to retrieve external data from a WCF service, which in turn gets data from an SQL server (2005). SharePoint is authenticated over NTLM, and the credentials can be converted to claims on the SharePoint server.
The WCF service connects to a database previously accessed by a web application (the web application is being migrated to SP+WCF). This database is permissioned so that it must be accessed with the identity of the end user, which is fine when it's client->web app->SQL Server, but fails when it's client->SharePoint->WCF Service->SQL Server.
I've read up a bit about impersonation and c2wts, which I think applies to this situation, but I'm not sure how it fits in. Should it be on the SharePoint server or the service server etc...?
How do I persist the identity of the end user through SharePoint and a WCF service to be able to access the SQL server?
You need to configure Kerberos authentication. And to tell you up front, it is a PITA.
Here are some links to get you started (I have followed them on SP2007, but there shouldn't be too much difference if you use SP2010):
http://blogs.objectsharp.com/cs/blogs/max/archive/2008/08/01/implementing-kerberos-in-sharepoint-running-on-windows-server-2008.aspx
http://blogs.msdn.com/b/martinkearn/archive/2007/04/23/configuring-kerberos-for-sharepoint-2007-part-1-base-configuration-for-sharepoint.aspx
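As an added illustration of why the Kerberos setup matters (example code, not from the question, the answers or the linked posts): once delegation is configured, the WCF service can verify that the token SharePoint forwarded actually carries delegation rights before opening SQL Server as the end user, and fail closed otherwise. The contract, class and connection string are assumed names.

```csharp
// Added example: WCF-side guard for the double hop. Opens SQL Server as the
// caller only when the forwarded token is at Delegation level; otherwise the
// call is refused with the reason, which is the usual symptom of a missing
// SPN or constrained-delegation setting on the SharePoint app pool account.
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IReportService
{
    [OperationContract]
    string WhoAmIInSql();
}

public class ReportService : IReportService
{
    // Constructed for the example; the real server name belongs in config.
    const string ConnStr =
        "Data Source=SQL01;Initial Catalog=Reports;Integrated Security=SSPI";

    public string WhoAmIInSql()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        if (caller == null || caller.IsAnonymous)
            throw new FaultException("No Windows identity on the call; check transport auth.");

        // NTLM, or a Kerberos ticket without delegation, yields Impersonation level:
        // usable on this box but not forwardable to SQL Server (the second hop).
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            throw new FaultException(string.Format(
                "Token for {0} is {1}, not Delegation; Kerberos delegation from "
                + "SharePoint to this service's SPN is not in effect.",
                caller.Name, caller.ImpersonationLevel));

        using (WindowsImpersonationContext ctx = caller.Impersonate())
        using (SqlConnection conn = new SqlConnection(ConnStr))
        using (SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
        {
            conn.Open();
            // Equals caller.Name when the end-user identity survived both hops.
            return (string)cmd.ExecuteScalar();
        }
    }
}
```

The same Delegation-level check applies to the token c2wts hands you on the SharePoint side, which is only produced when the c2wts service account is trusted for protocol transition; the SharePoint client binding must also allow delegation for the token to arrive at that level.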
One other solution to this problem would be the use of the Secure Store. That would let you either map single users to individually stored credentials for your BDC model, or map groups of users to a single credential.