Reputation: 381
We have a SharePoint 2010 environment with AD Windows-authenticated users. We want to display each user's unread inbox email count from Exchange Server 2007, but unfortunately we are facing the double hop, as I asked in this question here. After doing a bit more research, it seems we have only two solutions:
1- Use Exchange Impersonation:
My concern: Our users have highly classified information in their inboxes, so with Exchange Impersonation, will we programmers become a security risk? Or does impersonation occur only for the currently logged-in Windows-authenticated user? To put it simply, is Exchange Impersonation secure enough for my case?
2- Use Kerberos Delegation:
I know it's the right way, but we could not configure it. Can anyone help me by providing a simple step-by-step guide for Kerberos delegation setup for my case, as we do everything right but the double hop still occurs?
Upvotes: 3
Views: 782
Reputation: 4503
Delegation seems like the cleaner solution here. You'd need to get your Exchange admins to set up an Alternate Service Account (ASA) for Exchange to use so that you can use Kerb AuthN with it. From there, you'd need to configure the SharePoint service accounts to delegate to the http/foo.domain.com SPN on the ASA.
Upvotes: 3
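
The delegation setup described in the answer above can be checked, and optionally applied, with the ActiveDirectory PowerShell module. This is an added example, not code from the original posts. The account names `svc-exch-asa` and `svc-sp-apppool` are hypothetical placeholders, and it assumes a domain-joined host with the RSAT ActiveDirectory module and a SharePoint web application that already authenticates users with Kerberos.

```powershell
# Added example: report on (or, with -Apply, configure) constrained delegation
# from the SharePoint service account to the SPN held by the Exchange ASA.
param([switch]$Apply)   # without -Apply the script only reports
Import-Module ActiveDirectory

$TargetSpn  = 'http/foo.domain.com'   # SPN named in the answer
$AsaAccount = 'svc-exch-asa'          # hypothetical ASA account name
$SpAccounts = @('svc-sp-apppool')     # hypothetical SharePoint service account

# The SPN must sit on exactly one account, the ASA. A duplicate or misplaced
# SPN makes the Kerberos service-ticket request for the second hop fail.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$TargetSpn)" -Properties sAMAccountName)
if ($owners.Count -eq 0) {
    if ($Apply) { Set-ADUser -Identity $AsaAccount -ServicePrincipalNames @{ Add = $TargetSpn } }
    else        { Write-Warning "$TargetSpn is not registered on any account" }
} elseif ($owners.Count -ne 1 -or $owners[0].sAMAccountName -ne $AsaAccount) {
    Write-Warning "$TargetSpn is registered on: $($owners.sAMAccountName -join ', ')"
}

$props = 'TrustedForDelegation', 'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo'
foreach ($name in $SpAccounts) {
    $acct = Get-ADUser -Identity $name -Properties $props

    # Unconstrained delegation lets the account act as the user against any
    # service; the answer describes delegation to one SPN only.
    if ($acct.TrustedForDelegation) {
        Write-Warning "$name is trusted for unconstrained delegation"
    }

    if ($acct.'msDS-AllowedToDelegateTo' -notcontains $TargetSpn) {
        if ($Apply) {
            Set-ADUser -Identity $name -Add @{ 'msDS-AllowedToDelegateTo' = $TargetSpn }
        } else {
            Write-Warning "$name is not yet allowed to delegate to $TargetSpn"
        }
    }

    # Show the resulting state so it can be reviewed.
    Get-ADUser -Identity $name -Properties $props |
        Select-Object SamAccountName, TrustedForDelegation,
                      TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
}
```

User accounts flagged "Account is sensitive and cannot be delegated" are never delegated, whatever the service account is allowed to do.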