Rune Simonsen

Reputation: 61

Asp.net delegation

I am making a .Net Web API that gets data by calling an SQL server. The user is authenticated via Windows Authentication (Kerberos). I would like the user credentials to be passed to the SQL server via delegation, but the SQL server sees an anonymous user.

This is what I have done:

    <system.web>
      <authentication mode="Windows" />
      <identity impersonate="true" />
    </system.web>

and

    <security>
      <authentication>
        <windowsAuthentication enabled="true">
          <providers>
            <clear />
            <add value="Negotiate" />
            <add value="Kerberos" />
          </providers>
          <extendedProtection tokenChecking="None" />
        </windowsAuthentication>
        <anonymousAuthentication enabled="false" />
      </authentication>
    </security>

From the browser I access the web application via http://machinename.domain.net.

I would expect in this setup that my IIS application is run under the machine account?

When I catch a request in the debugger on the web server, I can see that WindowsIdentity.GetCurrent().Name is the account of the user browsing the web application and WindowsIdentity.GetCurrent().AuthenticationType is set to "Kerberos". So that should be good.

However WindowsIdentity.GetCurrent().ImpersonationLevel is only set to "Impersonate". I would have expected it to be set to "Delegate"?

When I make a request to the SQL server, I get "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" so obviously the user credentials are not passed to the SQL server.

I hope someone can see what I am doing wrong. I really need a push in the right direction.

Upvotes: 4

Views: 976
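
A diagnostic for the symptom described in the question, as an added example that is not part of the original post: it classifies the current Windows token by authentication package and impersonation level, which shows whether the hop from the web server to SQL Server can carry the user's identity. The class and method names are hypothetical, and the inputs in `Main` are constructed.

```csharp
using System;
using System.Security.Principal;

// Added example; DelegationCheck and its members are hypothetical names.
public static class DelegationCheck
{
    // Pure classification of a token's properties, so it can be exercised without IIS.
    public static string Diagnose(string authType, TokenImpersonationLevel level, bool isAnonymous)
    {
        if (isAnonymous)
            return "Anonymous token: no user identity reached this server.";
        if (string.Equals(authType, "NTLM", StringComparison.OrdinalIgnoreCase))
            return "NTLM logon: NTLM cannot delegate, so a second hop cannot carry the user.";
        switch (level)
        {
            case TokenImpersonationLevel.Delegation:
                return "Delegation: the token can be used to act as the user on remote systems.";
            case TokenImpersonationLevel.Impersonation:
                return "Impersonation: the token is valid on this server only; "
                     + "a remote SQL Server will not see this user.";
            case TokenImpersonationLevel.None:
                return "Not impersonating: outbound calls use the process (application pool) identity.";
            default: // Anonymous or Identification
                return "Level " + level + ": the server cannot act as the user, locally or remotely.";
        }
    }

    // Call inside a request (for example, before opening the SqlConnection) and log the result.
    public static string DiagnoseCurrent()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            return id.Name + " [" + id.AuthenticationType + "]: "
                 + Diagnose(id.AuthenticationType, id.ImpersonationLevel, id.IsAnonymous);
        }
    }

    public static void Main()
    {
        // Constructed input matching the state reported in the question.
        Console.WriteLine(Diagnose("Kerberos", TokenImpersonationLevel.Impersonation, false));
        // Constructed input for the state the question expected.
        Console.WriteLine(Diagnose("Kerberos", TokenImpersonationLevel.Delegation, false));
    }
}
```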

Answers (2)

Rune Simonsen

Reputation: 61

For future reference if someone runs into the same issue: The issue was that we tried from Chrome. It works in IE, but on Chrome the registry change mentioned in this post was needed: Kerberos delegation doesn't work in chrome

Upvotes: 2

Nope

Reputation: 3

You should be able to set the Authentication to ASP.NET Impersonation within IIS. You will probably be required to set the following in your web.config file too, as part of the <system.web> section.

    <identity impersonate="true" />

This may be required in the <system.webServer> section too, although not always recommended due to security concerns.

    <validation validateIntegratedModeConfiguration="false" />

Upvotes: 0
