Security Best Practices

Hi all. I am hoping to get some information on security best practices for an ASP.Net web application accessing a remote reporting server. Recently there was an issue with the app using Impersonate = True. From my understanding, the user credentials will pass to IIS, and if NTLM authentication is used there is a one-hop limit. This limit causes ASP.Net to use the default local account to access the remote server (access denied). My question is, is it a bad practice to create a low-level service account in AD to use for IIS that has low-level permissions to the reporting server?
