I'm trying to enable passthrough or impersonation authentication inside an ASP.NET website that uses the TFS2010 API.

I've got this working correctly with Cassini, however with IIS 7.5 (Windows 7) something is going wrong.

I found this blog post on the subject, and tried the following:

using System;
using System.Web;
using Microsoft.TeamFoundation.Client;
using Microsoft.TeamFoundation.Framework.Client;
using Microsoft.TeamFoundation.Framework.Common;

private static void Test()
{
    TfsTeamProjectCollection baseUserTpcConnection =
            new TfsTeamProjectCollection(new Uri(Settings.TfsServer));

    // Fails as 'baseUserTpcConnection' isn't authenticated
    IIdentityManagementService ims =
            baseUserTpcConnection.GetService<IIdentityManagementService>();

    // Read out the identity of the user we want to impersonate
    TeamFoundationIdentity identity = ims.ReadIdentity(
            IdentitySearchFactor.AccountName,
            HttpContext.Current.User.Identity.Name,
            MembershipQuery.None,
            ReadIdentityOptions.None);

    // Open a second connection that acts on behalf of that identity
    TfsTeamProjectCollection impersonatedTpcConnection =
            new TfsTeamProjectCollection(new Uri(Settings.TfsServer),
                                         identity.Descriptor);
}

When I use Cassini nothing is needed besides

collection = new TfsTeamProjectCollection(new Uri(server));

I have enabled the web.config settings (and have the Windows Auth module installed):

<authentication mode="Windows"/>
<identity impersonate="true" />

Is there something obvious that I've missed out?

Chris S

2 Answers

Solution 1

This is the delegation method. As Paul points out, it's a single setting in your Active Directory:

  1. Find the IIS server in the Computers node of the "Active Directory Users and Computers" console.

  2. Click on the Delegation tab, and select the second option. (screenshot: AD)

  3. Create a 'Cache' directory in your IIS root folder

  4. Add the following to your web.config:

<appSettings>
<add key="WorkItemTrackingCacheRoot" value="C:\path-to-web-root\Cache\"/>
</appSettings>

  5. Make sure your web.config contains:

<system.web>
<identity impersonate="true" />
</system.web>

  6. Turn on Windows authentication and impersonation and disable everything else in IIS authentication:

(screenshot: IIS)

Solution 2

Another solution to avoid the steps above is to simply run your application under the TFS:8080 site, as a new application. The hop issue is then removed as you are running in the same context as the web service that your app is calling.

  • Create a new app pool, use network identity.
  • Make sure your application has anonymous authentication turned off
  • Make sure it has windows authentication turned on.
  • Add <identity impersonate="true" /> to the web config.
Chris S
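The settings Solution 1 relies on can be verified read-only from PowerShell. This is an added example, not code from the answer or from TFS; it assumes the WebAdministration and ActiveDirectory modules are installed, and the site, application and server names are hypothetical defaults. It also reports whether the delegation flag set in step 2 is the unconstrained "any service" kind or the narrower constrained kind (msDS-AllowedToDelegateTo), since the latter is the less privileged way to fix the double hop.

```powershell
# Added example: read-only check of the pieces Solution 1 depends on (IIS auth
# modules, web.config impersonation and cache root, AD delegation on the IIS host).
# Assumes WebAdministration + ActiveDirectory modules; names below are hypothetical.
Import-Module WebAdministration
Import-Module ActiveDirectory

function Test-TfsDoubleHopConfig {
    param(
        [string]$SiteName  = 'Default Web Site',   # hypothetical site name
        [string]$AppName   = 'TfsClient',          # hypothetical application name
        [string]$IisServer = $env:COMPUTERNAME     # IIS host whose AD account is checked
    )
    $psPath = "IIS:\Sites\$SiteName\$AppName"
    $auth   = 'system.webServer/security/authentication'

    # IIS must hand the app a Windows token: Windows auth on, anonymous off.
    $windowsOn   = (Get-WebConfigurationProperty -PSPath $psPath -Filter "$auth/windowsAuthentication"   -Name enabled).Value
    $anonymousOn = (Get-WebConfigurationProperty -PSPath $psPath -Filter "$auth/anonymousAuthentication" -Name enabled).Value

    # web.config: <identity impersonate="true"/> puts the caller's token on the request
    # thread, and WorkItemTrackingCacheRoot must point at a directory that exists.
    $physical    = (Get-WebApplication -Site $SiteName -Name $AppName).PhysicalPath
    $config      = [xml](Get-Content -Path (Join-Path $physical 'web.config'))
    $impersonate = $config.configuration.'system.web'.identity.impersonate
    $cacheRoot   = ($config.configuration.appSettings.add |
                    Where-Object { $_.key -eq 'WorkItemTrackingCacheRoot' }).value

    # AD: without delegation the caller's token stops at IIS (the double hop), so the
    # TFS call leaves as the app pool identity. TrustedForDelegation is the unconstrained
    # "any service" option; msDS-AllowedToDelegateTo lists SPNs for constrained delegation.
    $computer = Get-ADComputer -Identity $IisServer -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'

    [pscustomobject]@{
        WindowsAuthEnabled      = [bool]$windowsOn
        AnonymousDisabled       = -not [bool]$anonymousOn
        ImpersonateEnabled      = $impersonate -eq 'true'
        CacheRootExists         = [bool]$cacheRoot -and (Test-Path $cacheRoot)
        UnconstrainedDelegation = [bool]$computer.TrustedForDelegation
        ConstrainedDelegationTo = @($computer.'msDS-AllowedToDelegateTo')
    }
}

Test-TfsDoubleHopConfig | Format-List
```

Any property reporting False (or an empty ConstrainedDelegationTo together with UnconstrainedDelegation False) points at the step of Solution 1 that is still missing.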
I wonder if you're hitting the old Double-Hop issue here?

Paul Nearney

  • Most likely the double-hop thing. – Robaticus Oct 25 '10 at 12:28
  • I am, but the new APIs in 2010 are meant to get around this (the Test method). – Chris S Oct 25 '10 at 12:51
  • There's no "getting around" the double hop issue unless you deploy Kerberos. Your solution works in Cassini because the Web Dev Server is running as "you" whereas IIS is running as a service account. – Jim Lamb Oct 25 '10 at 19:25
  • You get my vote but I'm being pedantic and saying this is the reason rather than the solution :) From reading that article, configuring Kerberos delegation wouldn't be a trivial task just for my app. – Chris S Oct 26 '10 at 00:15
  • Going from memory (and it was a couple of years ago) - I think it's just a setting against the server in AD (Trust for Delegation?) - assuming your network is already running Kerberos - and if not, why not ;o) – Paul Nearney Oct 26 '10 at 16:34