Ryan Wilson

Reputation: 10800

Setting up Kerberos 2 hop authentication between Web App and API

I am using Windows Server 2018, IIS 10, and my web application targets .Net Framework 4.5.1. My API I built using .Net Core 2.1 and Visual Studio 2017. Both the website and the API use Windows Authentication.

I used this person's tutorial to try and set up Kerberos two hop authentication (https://blogs.msdn.microsoft.com/surajdixit/2018/02/07/kerberos-configuration-manager-for-internet-information-services-server/).

Steps I've taken and tried:

  1. Set the app pool to run under a custom domain account.

  2. Added an SPN to the domain account that points to the website DNS address in the domain.

  3. Switched the app pool to classic mode.

  4. Turned on Windows Authentication and Impersonation for the website.

  5. Had system admin grant the custom domain account delegation rights.

The current problem I am facing is that, now that I have made all these modifications to the app pool and the website in IIS, when I try to connect to the website it prompts for credentials. This shouldn't happen, as it should authenticate me through my Windows domain account. When I input the credentials, it just refreshes with the prompt for credentials again. When running locally everything works correctly and the HttpClient in my web application successfully calls out to the API.

I have spent hours on this and would appreciate any help. I am out of ideas.

Upvotes: 1

Views: 1453
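An added verification script for the prerequisites behind steps 2 and 5 above (the SPN on the app pool account and its delegation rights); it is not from the question or the linked tutorial. The account, site host and API SPN values are placeholders to replace, and it assumes the RSAT ActiveDirectory module is installed on the machine running it.

```powershell
# Added check script, not from the original post. Replace the placeholder values with
# the app pool account, the site's DNS name and the API's SPN; needs the ActiveDirectory module.
param(
    [string]$AppPoolAccount = 'CONTOSO\svc-webapp',       # placeholder: custom domain account from step 1
    [string]$SiteHost       = 'webapp.contoso.example',   # placeholder: DNS name browsers use for the site
    [string]$ApiSpn         = 'HTTP/api.contoso.example'  # placeholder: SPN of the second-hop API
)

Import-Module ActiveDirectory

$sam  = ($AppPoolAccount -split '\\')[-1]
$acct = Get-ADUser -Identity $sam -Properties servicePrincipalName, TrustedForDelegation, 'msDS-AllowedToDelegateTo'
$spn  = "HTTP/$SiteHost"

# Step 2 check: the site's HTTP SPN must be registered on the app pool account, otherwise the
# browser cannot obtain a Kerberos ticket for the site and you get NTLM fallback or credential prompts.
if ($acct.servicePrincipalName -contains $spn) {
    "OK   $spn is registered on $sam"
} else {
    "FAIL $spn is missing on $sam (register with: setspn -S $spn $sam)"
}

# Duplicate check: the same SPN held by two accounts breaks Kerberos for that name entirely.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
if ($holders.Count -gt 1) {
    "FAIL $spn is held by more than one account:"
    $holders | ForEach-Object { "     $($_.DistinguishedName)" }
}

# Step 5 check: the account must be allowed to delegate, preferably constrained to the API SPN only.
if ($acct.'msDS-AllowedToDelegateTo' -contains $ApiSpn) {
    "OK   constrained delegation to $ApiSpn is configured"
} elseif ($acct.TrustedForDelegation) {
    "WARN unconstrained delegation is enabled; prefer constraining it to $ApiSpn"
} else {
    "FAIL no delegation configured for $sam; step 5 is incomplete"
}

# Client-side check, run on a domain-joined workstation as the browsing user:
# if 'klist get' cannot obtain a ticket for the site SPN, Kerberos is not in play and the prompt is expected.
"Run on a client: klist get $spn"
```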

Answers (1)

Ryan Wilson

Reputation: 10800

So after trying multiple walkthroughs and working with other developers, I found that the issue was both applications, the web app and the API, running on the same server. Once I moved the API to its own dedicated server, I had no need for impersonation and was able to just load the user profile credentials from the app pool as it was running as a domain account. HttpClient and WebClient objects were both successful then at making requests to the API by setting UseDefaultCredentials = true.

If anyone ever has this issue, try hosting your API on a different server. I spent a few days thinking it was something I had done wrong in configuring things, and in the end, it was just where I was hosting the applications.

There may be a way to make this work successfully on the same server, but I was unable to make it work. Maybe someone else who is more experienced can add to this post to help show how to do this on the same server. Happy coding everyone.

Upvotes: 1
