I have a web app running on Server A that calls a WCF service (K2 Workflow) on Server B that requires impersonation/delegation to run as the calling user. If I run the web app from Server A, the app works great. If I run the app from my local PC in debug, it also works great. If I hit the app from a browser on my PC to Server A, I get the following error:
The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'Ntlm,Negotiate'. System.Net.WebException: The remote server returned an error: (401) Unauthorized. at System.Net.HttpWebRequest.GetResponse() at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout).
I use the following code to run the service:
SvcWorklist.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Delegation;
SvcWorklist.ClientCredentials.Windows.ClientCredential = System.Net.CredentialCache.DefaultNetworkCredentials;
I feel like I've done everything, here is a list of what I've tried:
- Setup a SPN (including port) with by Server A App pool domain user to Server B
(NETBIOS and FQDN)
- Set the same domain user as the app pool user on Server A and B
- Ensure the app pool user is allowed to delegate in Active directory
- Ensure both servers are allowed to delegate in AD
- Set authentication to windows and impersonate=true in web.config on Server A
- Ensured Thread.CurrentPrincipal.Identity.Name has my user ID
- Ensured IIS is set for windows and impersonation
- Tried restricting the IIS configuration on server A and B to only Ntlm and/or Negotiate
Any help or ideas are truly appreciated.
