Impersonation and Delegation

Question

I am using impersonation is used to access file on UNC share as below.

  var ctx = ((WindowsIdentity)HttpContext.Current.User.Identity).Impersonate();
  string level = WindowsIdentity.GetCurrent().ImpersonationLevel);

On two Windows 2003 servers using IIS6, I am getting different impersonation levels: Delegation on one server and Impersonation on the other server.

This causes issues where I am unable to access the UNC share on the server with 'Impersonation' level.

What could be causing this difference? I searched through machine.config and IIS settings for the app pool, site and virtual directories - but aren't able to find the cause of this problem.

Answer 1

It sounds like one of the computer is trusted for delegation by your Active Directory, but the other is not. If the app pool identity is Network Service, make sure the Computer Account is marked "Trusted for Delegation" in AD.

You may need to ask your AD admin to force a replication and then log out/in to your workstation to refresh your Kerberos ticket cache.

Answer 2

For one of our applications where we did Impersonate() we found that we had to modify the local security policy for the application pool owner and add that account to the following policies/groups:

1. Act as part of the operating system privilege.
2. Impersonate a client after authentication.

On the server(s), run Start > All Programs > Administration Tools > Local Security Policy then navigate to Local Security Policies > User Rights Assignment and look for the two policies above.

Answer 3

If your testing with localhost as webserver and its working but when deployed you receive errors you could be running into the double-hop issue....outlined in this blog post