3

I am using HttpClient from an ASP.NET app to invoke a WebAPI based REST service. Both the REST service and the ASP.NET app are secured using Windows authentication using Kerberos. I need to impersonate the user so that the call into the REST service is made using the user's credentials and not the service account credentials.Since HttpClient creates a new Task for making async calls, it does not carry forward the security context of the user and instead uses the app pool's identity.

This has been well documented here and the suggestion to update the "legacyImpersonationPolicy" and the "alwaysFlowImpersonationPolicy" tags in the Aspnet.config file works but it is a machine wide change which I would like to avoid.

This article indicates that it is possible to set a per app pool aspnet.config file which is much more ideal but it doesn't seem to work. Has anyone been able to get this working?

Community
  • 1
  • 1
Abhijeet Patel
  • 6,562
  • 8
  • 50
  • 93

1 Answers1

0

Have you tried doing it in the aspnet config file that is in the .NET Framework folder? I've had to set it there to get it to work, for some reason it seems that IIS overrides your CLRConfigFile in some cases even when you configure it for a specific AppPool.

R007
  • 378
  • 4
  • 11