Three-Tier | ASP.NET | Internal Zone Flow of Identity

In a three-tier, ASP.NET commerce deployment in the internal zone (business user zone), there are two scenarios for the flow of identity:

  • A Business User Using a Web Browser

  • A Business User Using a Silverlight Rich Internet Application (RIA), such as the Commerce Server Business Administration Ribbon

For more information about the states of identity (Anonymous, Recognized, and Authenticated), see Understanding User Recognition.

The following diagram shows the flow of these identities and the conceptual configuration of a three-tier, ASP.NET commerce deployment in the internal zone. Note the following conceptual details:

  • For the Web application authentication, use a Windows-based identity to make a request to the Web application or routing service.

  • Once the Web application or routing service calls the operation service, the Principal Creator ensures that only a ClaimsIdentity is used with the operation service.

  • A Windows identity, as opposed to a ClaimsIdentity, is always used between the routing service and the operation service.

  • You must configure your application pool, routing service, operation service, and corporate business user identities as illustrated in the following ASP.NET flow of identity diagram.

[Diagram: ASP.NET flow of identity in the internal zone]

A Business User Using a Web Browser

Flow one depicts the flow of identity for an authenticated business user who browses the ASP.NET Web application using a browser.

In this scenario, the business user browses the site using his or her Windows identity (Corp\BizUser). Since the ASP.NET Web application is a trusted subsystem, the ASP.NET Web application, using a Windows identity (App\CsAppUser), acts on behalf of the business user and sends a request to the operation service. The operation service requires a ClaimsIdentity, so the Principal Creator converts this Windows identity into a ClaimsIdentity and loads its claims from Authorization Manager (AzMan). This ClaimsIdentity is used as the security context for authorization checks performed while processing the request. Using the Windows identity Data\CsDataUser, the operation service processes the request and returns the appropriate information from SQL Server based on the request being processed. This identity has permission in SQL Server to access all data required by the ASP.NET site.

A Business User Using a Silverlight Rich Internet Application (RIA)

Flow two depicts the flow of identity for an authenticated business user using a Silverlight rich Internet application (RIA).

Note

In this scenario, you require Kerberos to support delegation of Windows identities across two server boundaries through a routing service in a three-tier ASP.NET deployment. See Considerations for Using Kerberos in a Three-Tier Commerce Deployment Topology.

In this scenario, the business user browses the site using his or her Windows identity (Corp\BizUser). The Silverlight RIA calls the routing service using a Windows Communication Foundation (WCF) request. The routing service is configured to impersonate all callers, so the routing service forwards the request of the business user to the operation service using the identity of the business user (Corp\BizUser).

The operation service requires a ClaimsIdentity, so the Principal Creator converts the Corp\BizUser Windows identity into a ClaimsIdentity and loads its claims from AzMan. This ClaimsIdentity is used as the security context for authorization checks performed while processing the request. The business user can only perform operations for which he or she has authorization. The operation service, as a trusted subsystem, uses the Data\CsRestrictedDataUser identity to make calls to the database to fulfill requests. This identity only has permission in SQL Server to access data required by the Silverlight RIA.
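The following WCF configuration fragment is an added illustration of the two settings flow two depends on: the routing service impersonating every caller, and its outbound client credentials permitting Kerberos delegation so the business user's identity can cross the second server boundary. It is not Commerce Server's own configuration; the service, contract, address and SPN names are placeholders.

```xml
<!-- Added illustration (not Commerce Server's shipped config). Names are placeholders. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- Callers (Corp\BizUser) authenticate with their Windows identity. -->
      <binding name="WindowsAuth">
        <security mode="Message">
          <message clientCredentialType="Windows" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services>
    <!-- Hosted under the routing service application pool identity. -->
    <service name="Placeholder.RoutingService" behaviorConfiguration="ImpersonateAllCallers">
      <endpoint address="" binding="wsHttpBinding" bindingConfiguration="WindowsAuth"
                contract="Placeholder.IRoutingService" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="ImpersonateAllCallers">
        <!-- Every operation runs as the caller, not as the app pool identity. -->
        <serviceAuthorization impersonateCallerForAllOperations="true" />
        <serviceCredentials>
          <windowsAuthentication allowAnonymousLogons="false" includeWindowsGroups="true" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
    <endpointBehaviors>
      <behavior name="DelegateToOperationService">
        <clientCredentials>
          <!-- Delegation (not just Impersonation) is needed for the second hop;
               allowNtlm="false" forces Kerberos, which is what makes delegation possible. -->
          <windows allowedImpersonationLevel="Delegation" allowNtlm="false" />
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <client>
    <!-- Outbound call from the routing service to the operation service. -->
    <endpoint name="OperationService" address="http://opsvc.placeholder.corp/OperationService.svc"
              binding="wsHttpBinding" bindingConfiguration="WindowsAuth"
              behaviorConfiguration="DelegateToOperationService"
              contract="Placeholder.IOperationService">
      <identity>
        <!-- SPN of the operation service account; must match the registered SPN. -->
        <servicePrincipalName value="HOST/opsvc.placeholder.corp" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>
```

If delegation is not permitted for the routing service account in Active Directory (constrained or unconstrained), the second hop falls back to the routing service's own identity and the operation service will not see Corp\BizUser.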

See Also

Other Resources

Understanding Claims-Based Identity

Managing Authentication

Managing Authorization

Understanding User Recognition

Understanding the Flow of Identity