
I have the following architecture:

Client1(Browser-App) -> Server1 (WebAPI/IIS) -> Server2 (WebAPI/IIS)

I am using ASP.NET for my server-side applications/apis and the user should be authenticated via "windows integrated authentication".

As you can see there is a second hop from server1 to server2. NTLM does not support the second hop if both WebAPIs are not on the same server. So I configured an AD domain to support "kerberos".

It works now with the second hop. My test-WebAPIs output the identity of the user like this:

server1: test.domain/user1
server2: test.domain/user1

But if I change the logged-in user on Client1 and execute the same request as "otherUser2", only the first hop gets the correct identity:

server1: test.domain/otherUser2
server2: test.domain/user1

On the second hop the old user of the first request is displayed. I tested multiple scenarios: Same behaviour if the following requests come from another client with another windows user...

It looks like the windows identity of the first request is cached on the server2... This is a big problem for me and I think this should not be possible... It's a big security hole if a request is executed in the wrong user context!

Is this a known problem? Did I do something wrong? Is there a solution or a better configuration?

On the first ASP.NET WebAPI I use impersonation like this:

    WindowsIdentity identity = (WindowsIdentity)HttpContext.Current.User.Identity;

    using (var wic = identity.Impersonate())
    {
        try
        {
            WebClient c = new WebClient
            {
                UseDefaultCredentials = true
            };
            // ... the request to Server2 is issued with c here (cut off in the original post)
        }
        finally
        {
            // explicitly revert the impersonation (disposing wic would also do this)
            wic.Undo();
        }
    }
  • I use the WebClient class of .NET.
  • Both IIS servers have "Windows Authentication" with "Negotiation" and "NTLM" configured.
  • Server1 is the Domain Controller, DNS and DHCP server (+IIS)
  • Server2 is only a normal server with IIS installed.
  • All computers are in the same domain.

I cannot explain this behavior... It makes no sense to me. Why should the first incoming request's identity be cached on 'server2'? If I restart the IIS and re-execute the requests with another windows identity, this is the "first working request" and the others get its identity on 'server2'.

user437899

1 Answer


I found the solution/problem.

It was in fact a caching problem... The identity of the first user was cached. You can change this behavior with these IIS settings:


  • authPersistNonNTLM
  • authPersistSingleRequest

Or your HTTP-Client at API1 can disable TCP-Connection caching:

  • Connection: close

instead of

  • Connection: keep-alive

But the actual problem in my scenario was Fiddler (an HTTP proxy tool). I configured Fiddler as proxy in the web.config at API1. This kept the connection open and the first identity was reused...

I hope I can help some others with this answer.

user437899
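As an added example (not the poster's code), this is how the outbound call from API1 can be made so that every request to Server2 carries the impersonated caller's identity and sends `Connection: close`, which is the client-side fix the answer describes. `PerRequestAuthWebClient`, `SecondHop` and the `server2Url` parameter are hypothetical names; it assumes the app pool is allowed to delegate to Server2.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.Web;

// Hypothetical WebClient subclass (example code, not the poster's own).
public sealed class PerRequestAuthWebClient : WebClient
{
    protected override WebRequest GetWebRequest(Uri address)
    {
        var request = base.GetWebRequest(address);
        if (request is HttpWebRequest http)
        {
            // Send "Connection: close": IIS on Server2 then cannot bind the
            // first caller's identity to a TCP connection that is reused for
            // later callers (the behaviour the question describes).
            http.KeepAlive = false;
            // Authenticate each request with the current, impersonated Windows identity.
            http.UseDefaultCredentials = true;
            http.PreAuthenticate = true;
        }
        return request;
    }
}

public static class SecondHop
{
    // Calls Server2 in the security context of the user authenticated at Server1.
    public static string CallServer2AsCaller(string server2Url)
    {
        var identity = (WindowsIdentity)HttpContext.Current.User.Identity;

        // Impersonate only for the duration of the outbound call; disposing the
        // context reverts to the application-pool identity even on exceptions.
        using (WindowsImpersonationContext wic = identity.Impersonate())
        using (var client = new PerRequestAuthWebClient())
        {
            return client.DownloadString(server2Url);
        }
    }
}
```

The server-side equivalent from the answer is to set `authPersistNonNTLM="false"` (or `authPersistSingleRequest="true"`) on `system.webServer/security/authentication/windowsAuthentication` for Server2, so that IIS re-authenticates each request instead of persisting the Kerberos identity on the connection. Do not point the client at a debugging proxy such as Fiddler in web.config, since the proxy keeps the upstream connection open on its own.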