Reputation: 736
I get the following error in Chrome browser (if I have NOT opened the app in IE first): Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
and depending on the code used to get the username I might get this error: System.DirectoryServices.DirectoryServicesCOMException: An operations error occurred
I've narrowed the issue down to this: Chrome gets to the impersonation level of "Impersonation" whereas IE gets to the impersonation level of "Delegation". I wrote a simple C#.NET 4.5.2 app (VS 2017) called browsercheck that queries SQL Server 2008 on one server (SERVER2) while the web app is installed on another server (SERVER1), to mirror our production setup.
In IIS 7 I have Windows Authentication and Impersonation enabled, and the AppPool is v4.0 Classic with identity=NetworkService; however, in troubleshooting I have changed the identity to LocalSystem and ApplicationPoolIdentity with no change. I've set Load User Profile to true. I have also verified with my NA that AD by default has assigned Delegation for SERVER1 and SERVER2 to "Trust this computer for delegation to any service (Kerberos only)".
I've visited Graham Clark's post here, which closely resembles mine except that his IIS AppPool is in Integrated Pipeline Mode whereas mine is Classic. His solution was to set the Windows Authentication provider to "Negotiate:Kerberos, not NTLM", but I am not seeing where to set this in IIS7. IIS sets this by default, doesn't it?
I understand what the double hop issue is, but it seems to me that that cannot be the issue because the apps work fine when viewed with the IE 11 browser. Some apps also work in Chrome after I've authenticated to them in IE11 first.
The issue is that I need Chrome (or any other browser) to authenticate to them first, without the need to open them in IE first, since we will be moving away from IE soon.
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2019-05-14 15:58:17
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2019-05-14 15:58:17 10.100.10.00 GET /browsercheck - 80 - 00.000.00.00 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko 401 2 5 72
2019-05-14 15:58:17 10.100.10.00 GET /browsercheck - 80 ABC\user1 00.000.00.00 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko 301 0 0 3
2019-05-14 15:58:20 10.100.10.00 GET /browsercheck/ - 80 ABC\user1 00.000.00.00 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko 200 0 0 2349
2019-05-14 15:58:20 10.100.10.0 GET /BrowserCheck/bundles/MsAjaxJs v=VA_FXLaB5PurewZl92JsrSUQcDrqhwBct539oVLEeiY1 80 ABC\user1 00.000.00.00 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko 404 0 2 2
2019-05-14 15:58:20 10.100.10.00 GET /BrowserCheck/bundles/WebFormsJs v=N8tymL9KraMLGAMFuPycfH3pXe6uUlRXdhtYv8A_jUU1 80 ABC\user1 00.000.00.00 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko 404 0 2 2
2019-05-14 15:58:22 10.100.10.00 POST /browsercheck/ - 80 ABC\user1 00.000.00.00 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko 200 0 0 108
2019-05-14 15:58:22 10.100.10.0 GET /BrowserCheck/bundles/MsAjaxJs v=VA_FXLaB5PurewZl92JsrSUQcDrqhwBct539oVLEeiY1 80 ABC\user1 00.000.00.00 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko 404 0 2 2
2019-05-14 15:58:22 10.100.10.00 GET /BrowserCheck/bundles/WebFormsJs v=N8tymL9KraMLGAMFuPycfH3pXe6uUlRXdhtYv8A_jUU1 80 ABC\user1 00.000.00.00 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko 404 0 2 2
2019-05-14 15:58:37 10.100.10.00 GET /browsercheck/ - 80 - 00.000.00.00 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/74.0.3729.131+Safari/537.36 401 2 5 0
2019-05-14 15:58:37 10.100.10.00 GET /browsercheck/ - 80 ABC\user1 00.000.00.00 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/74.0.3729.131+Safari/537.36 500 0 0 76
2019-05-14 15:58:37 10.100.10.00 GET /favicon.ico - 80 - 00.000.00.00 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/74.0.3729.131+Safari/537.36 401 2 5 98
2019-05-14 15:58:37 10.100.10.00 GET /favicon.ico - 80 ABC\user1 00.000.00.00 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/74.0.3729.131+Safari/537.36 404 0 2 3
Upvotes: 1
Views: 1373
Reputation: 2005
First, do not forget to register Service Principal Names (SPN) for your AppPool account:
setspn -s HTTP/<servername>:<port> <domain>\<apppool_accountname>
setspn -s HTTP/<FQDN.servername>:<port> <domain>\<apppool_accountname>
E.g.
setspn -s HTTP/app-server:5555 org\apppoolserviceaccount
setspn -s HTTP/app-server.orgname.com:5555 org\apppoolserviceaccount
Then set useAppPoolCredentials to True in your web app settings:
And finally, add your <apppool_accountname> to the "Impersonate a client after authentication" policy in Local Policies on the server:
His solution was to set Windows Authentication provider to "Negotiate:Kerberos, not NTLM" which I am not seeing where to set this in IIS7???
To add this provider select Windows Authentication and choose Providers... at the right:
Leave only one provider - "Negotiate:Kerberos".
The most important part - add your web-app server to the allowed list on your client machine with Google Chrome. Reg file for example:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome]
"AuthNegotiateDelegateAllowlist"="<server-name>,<server-name.FQDN>"
"AuthServerAllowlist"="<server-name>,<server-name.FQDN>"
"AuthSchemes"="basic,digest,negotiate"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"AuthNegotiateDelegateAllowlist"="<server-name>,<server-name.FQDN>"
"AuthServerAllowlist"="<server-name>,<server-name.FQDN>"
"AuthSchemes"="basic,digest,negotiate"
Check them afterwards under chrome://policy.
Read more about these policies:
I also highly recommend this Kerberos FAQ: IIS (Internet Information Services) and Kerberos FAQ
Upvotes: 1
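The checks below are an added example, not code from the question or the answer above: one function verifies the answer's server-side settings (SPNs on the AppPool account, useAppPoolCredentials, the Negotiate:Kerberos-only provider list) on the IIS box, the other verifies the Chrome allowlist policies on a client. The site name, account name and host names are assumptions copied from the answer's placeholders; the WebAdministration module and setspn.exe are assumed to be installed.

```powershell
# Added example (not the original poster's code). Run elevated.
# Assumes the IIS WebAdministration module and setspn.exe are present.
Import-Module WebAdministration

function Test-IisKerberosConfig {
    param(
        [string]$SiteName = 'Default Web Site',                     # assumption
        [string]$AppPoolAccount = 'org\apppoolserviceaccount',       # from the answer's example
        [string[]]$SpnHosts = @('app-server:5555', 'app-server.orgname.com:5555')
    )
    $findings = @()
    # 1. Every HTTP/<host>[:port] a browser may use must be an SPN of the
    #    AppPool account; a missing SPN makes clients fall back to NTLM.
    $spns = & setspn -L $AppPoolAccount 2>&1 | Out-String
    foreach ($h in $SpnHosts) {
        if ($spns -notmatch [regex]::Escape("HTTP/$h")) { $findings += "missing SPN HTTP/$h" }
    }
    # 2. useAppPoolCredentials=true: the ticket is decrypted with the key of the
    #    AppPool account, i.e. the account that owns the SPN.
    $winAuth = 'system.webServer/security/authentication/windowsAuthentication'
    $uac = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Filter $winAuth -Name useAppPoolCredentials
    if (-not $uac.Value) { $findings += 'useAppPoolCredentials is false' }
    # 3. Only "Negotiate:Kerberos" should remain, so NTLM can never be chosen
    #    (NTLM produces an Impersonation-level token, never Delegation).
    $providers = @(Get-WebConfiguration -PSPath "IIS:\Sites\$SiteName" -Filter "$winAuth/providers/add" |
                   Select-Object -ExpandProperty value)
    if ($providers.Count -ne 1 -or $providers[0] -ne 'Negotiate:Kerberos') {
        $findings += "providers are [$($providers -join ', ')], expected Negotiate:Kerberos only"
    }
    return $findings
}

function Test-ChromeDelegationPolicy {
    param([string]$ServerHost = 'app-server')   # the host name typed in the URL (assumption)
    $findings = @()
    foreach ($key in 'HKLM:\SOFTWARE\Policies\Google\Chrome', 'HKLM:\SOFTWARE\Google\Chrome') {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($name in 'AuthServerAllowlist', 'AuthNegotiateDelegateAllowlist') {
            # Exact-match check; wildcard entries such as *.orgname.com are not expanded here.
            $list = ($p.$name -split ',') | ForEach-Object { $_.Trim() }
            if ($list -notcontains $ServerHost) { $findings += "$key\$name does not list $ServerHost" }
        }
    }
    return $findings
}

Test-IisKerberosConfig | ForEach-Object { Write-Warning $_ }   # on SERVER1
Test-ChromeDelegationPolicy | ForEach-Object { Write-Warning $_ }   # on the Chrome client
```

An empty result from both functions means every setting the answer lists is in place; any warning names the exact setting to fix.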