Security
Because the operating system performs this delegation of credentials between the two machines at a low
level, the database server can trust that the request was indeed initiated by someone logged in with that
user's credentials. This is called a one-hop topology, because the credentials need to hop over the
network only once, from the client machine to the database machine.
The credentials that the database server uses to determine permissions are called integrated credentials.
Some databases (such as Microsoft SQL Server) also support database credentials: the username and
password are passed in the connection string, and the database uses them to determine permissions.
Multiple Hops
In most Excel Services topologies, there is more than one hop between the client machine and the
database machine. Figure 5-7 shows the two-hop and three-hop topologies.
The main issue with delegating the user's credentials across multiple hops is that those credentials may pass
through one or more applications that are malicious or that have security flaws. Unlike the one-hop topology,
the operating system does not ensure that the logged-in end user and the application in the
middle are using the credentials appropriately.
Excel Services solves this problem with the following:
- One-machine topology
- Kerberos-constrained delegation
Figure 5-7: Two-hop and three-hop topologies. Client machine (client application): user is logged in. Middle tier machine (middle tier application): user request is sent with the user's credentials. Back end machine (database): user's credentials are not delegated.
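The safeguard that makes the multi-hop case acceptable is that the middle tier's account is constrained to delegate only to the intended back end. The following PowerShell check is an added example (not from the book or from Excel Services); it reads a middle-tier service account's Active Directory delegation settings and reports whether delegation is unconstrained, constrained, or absent. It assumes the ActiveDirectory module (RSAT) is installed, and the account name and SQL SPN are placeholders.

```powershell
# Added example: audit the Kerberos delegation configuration of a middle-tier
# service account (for instance the Excel Services application pool identity).
# Requires the ActiveDirectory PowerShell module. The account name and SPN
# below are placeholders, not values from the book.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-excelservices'                  # placeholder: middle-tier account
$ExpectedSqlSpn = 'MSSQLSvc/sql01.contoso.local:1433'  # placeholder: the only back end it should reach

$acct = Get-ADUser -Identity $ServiceAccount -Properties `
    TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

if ($acct.TrustedForDelegation) {
    # Unconstrained delegation: the middle tier can reuse the user's Kerberos
    # identity against ANY service, which is exactly the multi-hop risk described above.
    Write-Output "FAIL: $ServiceAccount is trusted for UNCONSTRAINED delegation."
}
elseif (-not $acct.'msDS-AllowedToDelegateTo') {
    # No delegation: the user's credentials stop at the middle tier, as in the
    # back-end box of Figure 5-7.
    Write-Output "INFO: $ServiceAccount has no delegation configured; user credentials are not forwarded to the back end."
}
else {
    # Constrained delegation: list the permitted targets and flag anything
    # beyond the single database SPN the design calls for.
    $targets = @($acct.'msDS-AllowedToDelegateTo')
    Write-Output "OK: constrained delegation is limited to: $($targets -join ', ')"

    $extra = $targets | Where-Object { $_ -ne $ExpectedSqlSpn }
    if ($extra) {
        Write-Output "WARN: delegation targets beyond the expected SQL SPN: $($extra -join ', ')"
    }
    if ($acct.TrustedToAuthForDelegation) {
        # Protocol transition lets the middle tier obtain tickets for users who did
        # not authenticate to it with Kerberos; worth reviewing, since the end user's
        # own logon is no longer the only way such a ticket can originate.
        Write-Output "NOTE: protocol transition (TrustedToAuthForDelegation) is enabled for $ServiceAccount."
    }
}
```

If the application pool runs under a computer account rather than a user account, query it with Get-ADComputer and the same three properties.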