Microsoft KB Archive/185175

= INFO: Problems From Losing Client Identity Checking =

Article ID: 185175

Article Last Modified on 6/12/2001

-

APPLIES TO


 * Microsoft Transaction Services 2.0

-



This article was previously published under Q185175



SUMMARY
From a design perspective, you can put user authorization checking anywhere. In fact, you can put it everywhere, and impersonation leads to just that. Consider a three-tier application made up of clients, a middle tier, and databases: putting authorization everywhere is extremely hard to design and manage.

If you want to make three-tier applications easier to design, you have to ask whether you can authorize locally rather than globally and still maintain security. The answer is yes. If you control your servers and not your clients, authorization must happen on the server. You authorize users when they enter the middle tier. Then you authorize the middle-tier applications at the database. This model works regardless of whether you control both the middle tier and the databases, or just one.

This authorization model is much easier to design and manage, and it is a natural fit with the three-tier model: the server applications authorize users at entry to the middle tier, and the database tier authorizes server applications. Because user authorization occurs only on entry to the middle tier, n-tier applications are feasible to design and manage as well. This model makes sense because you dramatically reduce authorization complexity at each tier.

Besides being easier to design and manage, the model is also more efficient. For example, if 1,000 users access a database, there are 1,000 unique identities present, and 1,000 connections are necessary. However, if those 1,000 users access 10 server applications that access the database, only 10 unique identities are present. With some intelligent management of connections, far fewer connections are required, resulting in greater efficiency. Microsoft Transaction Server has intelligent management of database connections built in, which allows components running in Microsoft Transaction Server to take advantage of it transparently.
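The model described above, sketched as an added example that is not part of the original article and does not use the Microsoft Transaction Server API: users are authorized once at entry to the middle tier, and the database sees only the application identity over a small pool of reused connections. The role name `Clerk`, the identity `OrdersApp`, the user names and the `placed_by` field (which carries the caller's name as data, because the database never sees it as an identity) are assumptions made for illustration.

```python
from contextlib import contextmanager

# Constructed sample data: role membership consulted at middle-tier entry.
ROLES = {"alice": {"Clerk"}, "bob": {"Clerk", "Manager"}, "mallory": set()}
DB_TRUSTED_APPS = {"OrdersApp"}  # the database tier authorizes applications only

class Database:
    def __init__(self):
        self.rows, self.identities_seen, self.connections_opened = [], set(), 0

    def connect(self, app_identity):
        # Database-tier check: only the server application's identity is evaluated.
        if app_identity not in DB_TRUSTED_APPS:
            raise PermissionError(f"{app_identity} may not connect")
        self.identities_seen.add(app_identity)
        self.connections_opened += 1
        return self.rows  # a "connection" is a handle to the shared table here

class MiddleTier:
    def __init__(self, db, app_identity, pool_size=2):
        self.db, self.app_identity, self.pool_size = db, app_identity, pool_size
        self._idle = []

    @contextmanager
    def _connection(self):
        # Reuse an idle connection when one exists; open a new one only on demand.
        conn = self._idle.pop() if self._idle else self.db.connect(self.app_identity)
        try:
            yield conn
        finally:
            if len(self._idle) < self.pool_size:
                self._idle.append(conn)

    def place_order(self, user, item):
        # Entry check: the only place the end user's identity is authorized.
        if "Clerk" not in ROLES.get(user, set()):
            raise PermissionError(f"{user} is not in role Clerk")
        with self._connection() as conn:
            # The caller's name travels as data; the database never authorizes it.
            conn.append({"item": item, "placed_by": user})

def simulate(users):
    db, denied = Database(), []
    app = MiddleTier(db, "OrdersApp")
    for user in users:
        try:
            app.place_order(user, "widget")
        except PermissionError:
            denied.append(user)
    return db, denied
```

Calling `simulate(["alice", "bob", "mallory", "alice"])` leaves one identity and one opened connection on the database side, with `mallory` rejected before any database access is attempted.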

Keywords: kbinfo kbfaq KB185175

-


© Microsoft Corporation. All rights reserved.