1

I am using Windows Server 2018, IIS 10 and my web application targets .Net Framework 4.5.1. My API, I built using .Net Core 2.1 and Visual Studio 2017. Both the website and the API use windows authentication.

I used this person's tutorial to try and setup Kerberos two hop authentication (https://blogs.msdn.microsoft.com/surajdixit/2018/02/07/kerberos-configuration-manager-for-internet-information-services-server/).

Steps I've taken and tried,

  1. Set the app pool to run under a custom domain account.

  2. Added an SPN to the domain account that points to the website DNS address in the domain

  3. Switched the app pool to classic mode

  4. Turned on Windows Authentication and Impersonation for the website.

  5. Had system admin grant the custom domain account delegation rights.

    The current problem I am facing, is now that I made all these modifications to the app pool and the website in IIS, when I try to connect to the website, it prompts for credentials, which shouldn't happen as it should authenticate me through my windows domain account, when I input the credentials, it just refreshes with the prompt for credentials again. When running locally everything works correctly and the HttpClient in my web application successfully calls out to the API.

    I have spent hours on this and would appreciate any help. I am out of ideas.

Ryan Wilson
  • 10,223
  • 2
  • 21
  • 40
  • Just to add to this, what I initially was trying was to use HttpClient and run it with a task async, read that this might cause issues with passing credentials, so switched to synchronis version using webclient, still getting 401 unauthorized. I also tried adding host names to the registry as suggested here (https://stackoverflow.com/questions/10308938/unable-to-authenticate-to-asp-net-web-api-service-with-httpclient/10311823#10311823). – Ryan Wilson Aug 03 '18 at 16:34
  • So, now I tried using webclient synchronously and setting the Credentials to hard coded user name and password for domain account which works locally, of course, but still getting 401 error once published to server. One last bit of info, the web site and the API are both hosted on the same server. – Ryan Wilson Aug 03 '18 at 16:35

1 Answers1

1

So after trying multiple walkthroughs and working with other developers, I found that the issue was both applications, the web app and the api, running on the same server. Once I moved the api to it's own dedicated server, I had no need for impersonation and was able to just load the user profile credentials from the app pool as it was running as a domain account. HttpClient and WebClient objects were both successful then at making requests to the api by setting UseDefaultCredentials = true.

If anyone ever has this issue, try hosting your api on a different server. I spent a few days thinking it was something I had done wrong in configuring things, and in the end, it was just where I was hosting the applications.

There may be a way to make this work successfully on the same server, but I was unable to make it work. Maybe someone else who is more experienced can add to this post to help show how to do this on the same server. Happy coding everyone.

Ryan Wilson
  • 10,223
  • 2
  • 21
  • 40