
I am making a .Net Web API that gets data by calling an SQL server. The user is authenticated via Windows Authentication (Kerberos). I would like the user credentials to be passed to the SQL server via delegation, but the SQL server sees an anonymous user.

This is what I have done:

  • IIS application: Windows Authentication and asp.net impersonation enabled. Anonymous and forms authentication disabled. Enable kernel mode authentication is checked. Providers: Negotiate, Kerberos. Use app pool credentials: True.

  • Application pool: Managed pipeline mode: Classic. Identity: Network service.

  • In AD, the computer the web server runs on is set to "Trust this computer for delegation to any specific service (Kerberos only)"

  • The connection string to the SQL server contains Integrated Security=SSPI;

  • Edit: In my web.config I have

        <system.web>
          <authentication mode="Windows" />
          <identity impersonate="true" />
        </system.web>

    and

        <security>
          <authentication>
            <windowsAuthentication enabled="true">
              <providers>
                <clear />
                <add value="Negotiate" />
                <add value="Kerberos" />
              </providers>
              <extendedProtection tokenChecking="None" />
            </windowsAuthentication>
            <anonymousAuthentication enabled="false" />
          </authentication>
        </security>

  • The generic HOST SPN is set for the machine.

From the browser I access the web application via http://machinename.domain.net.

I would expect in this setup that my IIS application is run under the machine account?

When I catch a request in the debugger on the web server, I can see that WindowsIdentity.GetCurrent().Name is the account of the user browsing the web application and WindowsIdentity.GetCurrent().AuthenticationType is set to "Kerberos". So that should be good.

However WindowsIdentity.GetCurrent().ImpersonationLevel is only set to "Impersonate". I would have expected it to be set to "Delegate"?

When I make a request to the SQL server, I get "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" so obviously the user credentials are not passed to the SQL server.

I hope someone can see what I am doing wrong. I really need a push in the right direction.

  • We have a web server running IIS 8.x via Windows Server 12 and our DCs are on Server 2008 R2. Also, our intranet web applications are accessed via http://appname.domain2.com (while our domain is actually domain1). Thus, the setup is not quite the same as the one mentioned in this post. Here are the other steps we took to get delegation to work: – Rick V Aug 18 '16 at 13:48
  • appname.domain2.com needed to be added to the intranet zone and the HTTP and HOST SPNs of appname.domain2.com needed to be set for the web server machine. Additionally, in AD we allowed the web server machine to delegate specifically for the MSSQLSvc, which was accessed via the service account under which SQL Server is run. Finally, the section listed above for the web.config was not utilized although we created the same configuration via IIS management on the web server. – Rick V Aug 18 '16 at 13:59
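An added diagnostic (not code from the question or the answers) that checks the symptoms discussed above from inside the impersonated request: the token's authentication type and impersonation level, and which login and authentication scheme SQL Server actually sees on the second hop. The connection string is a placeholder for the one in the question.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;

// Hypothetical helper, added for this page. Call it inside a request that IIS
// has already impersonated (e.g. at the top of a Web API controller action).
public static class DelegationCheck
{
    public static string Run(string connectionString)
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        string report = $"Identity={id.Name}; Auth={id.AuthenticationType}; Level={id.ImpersonationLevel}\n";

        // The enum values are Impersonation and Delegation (the question calls
        // them "Impersonate" and "Delegate"). Only a Delegation-level token can
        // be forwarded to a second hop; with Impersonation the app can act as the
        // user locally, but SQL Server sees NT AUTHORITY\ANONYMOUS LOGON.
        if (id.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            report += "WARNING: token is not Delegation-level; the hop to SQL Server will be anonymous.\n";

        // NTLM cannot be delegated at all, so a non-Kerberos token points at
        // missing SPNs or browser zone settings rather than at the AD setting.
        if (!string.Equals(id.AuthenticationType, "Kerberos", StringComparison.OrdinalIgnoreCase))
            report += "WARNING: not authenticated with Kerberos; check SPNs and the browser's intranet zone.\n";

        // Ask SQL Server who it thinks we are. auth_scheme is KERBEROS for a
        // working delegated hop and NTLM when the MSSQLSvc SPN is missing; the
        // anonymous case fails at Open() with the login error from the question.
        try
        {
            using (var conn = new SqlConnection(connectionString))
            using (var cmd = new SqlCommand(
                "SELECT SUSER_SNAME(), auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID",
                conn))
            {
                conn.Open();
                using (SqlDataReader r = cmd.ExecuteReader())
                {
                    if (r.Read())
                        report += $"SQL Server sees login={r.GetString(0)}; auth_scheme={r.GetString(1)}\n";
                }
            }
        }
        catch (SqlException ex)
        {
            report += $"SQL login failed: {ex.Message}\n";
        }
        return report;
    }
}
```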

2 Answers


For future reference if someone runs into the same issue: The issue was that we tried from Chrome. It works in IE, but on Chrome the registry change mentioned in this post was needed: Kerberos delegation doesn't work in chrome

  • On Firefox, the changes needed for delegation are mentioned in this post: https://developer.mozilla.org/en-US/docs/Mozill/Integrated_authentication – Rick V Aug 18 '16 at 13:44

You should be able to set the Authentication to ASP.NET Impersonation within IIS. You will probably be required to set the following in your web.config file too, as part of the <system.web> section.

    <identity impersonate="true" />

This may be required in the <system.webServer> section too, although not always recommended due to security concerns.

    <validation validateIntegratedModeConfiguration="false" />
Nope
  • I have in my web.config, sorry I forgot to add that in my first post. I don't think I need as I run the site in classic mode. As I understand it I only need this if I run in integrated mode? Should I do that? – Rune Simonsen Oct 13 '15 at 07:16
  • In order to use pass-thru authentication, you will need both impersonation and windows auth. There is a security feature that does not allow pass-thru unless you turn off the validation as above. Search for pass-thru authentication and you will find similar answers. – Nope Oct 13 '15 at 15:13
  • Thanks for your comment. I tried adding but unfortunately it gives exactly the same result, no matter if I run the app pool in integrated or classic mode. – Rune Simonsen Oct 14 '15 at 07:08
  • Ok. I did a little research on Kernel mode and thought this link might help you look at a few things. Sorry the above didn't work for you. I have used this configuration on several web apps using IIS7, and it has worked every time, so I am guessing that there is another issue. http://blogs.msdn.com/b/amol/archive/2010/10/29/understanding-kernel-mode-authentication-in-iis-7.aspx – Nope Oct 14 '15 at 13:19