Inx51

Reputation: 2089

SSO with Windows Authentication across multiple REST-APIs? (Kerberos Double hop)

I have the following scenario: (Client/Browser) => (Web Service/Web API) => (SharePoint REST-API). Basically what I want to achieve is to have the middle application (Web Service/Web API) act as a facade in front of the SharePoint REST-API to ease the development for anybody that needs to communicate with our SharePoint application. (Basically we wrap a few SharePoint request calls into one single call in the Web API/Facade.)

Now the problem is that I also want to be able to send the logged in Windows user (AD-user) from the Client to the Web Service, and then the web service should act on behalf of that Windows user and perform whatever actions needed in the SharePoint REST-API (this is to make sure that permissions to files and so on are actually set based on the authenticated user).

What we have tried so far is setting up the Web Service on one server and SharePoint on a different server, and then we have tried to set up authentication using Kerberos and delegation, but we could not get this working. Based on the information I have provided, do you guys think that a "double hop" like this would work if we manage to get Kerberos set up properly?

Another thought that hit me is that maybe we don't have to host the Web Service and the SharePoint applications on two different servers, but we could actually host them both on the same server within one single IIS server with two sites. Would this still require Kerberos to be set up with a double hop? Or does a "hop" only count once the ticket actually leaves one server for another, because in the case described here the request from the Web Service to the SharePoint REST-API would never leave the actual server, but it might cross domains (as in web domains, not AD domains)? Could this work, instead of having to hassle with Kerberos double hop, SPNs and whatnot?

Upvotes: 2

Views: 1998

Answers (1)

Jalpa Panchal

Reputation: 12749

When you use integrated authentication, anonymous is disabled at that time and impersonation is enabled, so security settings will not allow your site to access resources on any network servers.

When you authenticate to the IIS server using Integrated Authentication, that uses up your first 'hop'. When IIS tries to access a network device, that would be the double or second hop, which is not allowed. IIS will not pass those credentials to the next network device.

If you use anonymous enabled and impersonation off, this issue will not occur.

To configure Kerberos authentication in IIS you could follow the steps below:

1) Open IIS Manager and select the site.

2) Select the Authentication feature from the middle pane.

3) Enable Windows Authentication and disable Anonymous.

4) With Windows Authentication selected, click on Providers in the Actions pane.

5) Set the providers in the following order:

Negotiate

NTLM


Save the changes.

6) Go back and select the Configuration Editor.

From the Section dropdown select system.webServer/security/authentication/windowsAuthentication.

Set "useAppPoolCredentials" to "True".

Set "useKernelMode" to "True" and save the settings.

7) Restart IIS.

8) Configure SPNs.

Open the command prompt as administrator and run the command below to check the machine name:

hostname

When you have a custom hostname and you want to register it to a domain account, you need to create an SPN as below.

setspn -a HOST/${FQDN_HOST} ${MACHINE_NAME}
setspn -a http/${FQDN_HOST} ${MACHINE_NAME}

9) After doing that, set the application pool identity to the custom account and set the username and password.

You could refer to the articles below for more detailed information:

https://weblogs.asp.net/owscott/iis-windows-authentication-and-the-double-hop-issue

https://active-directory-wp.com/docs/Networking/Single_Sign_On/SSO_with_IIS_on_Windows.html

https://techcommunity.microsoft.com/t5/IIS-Support-Blog/Setting-up-Kerberos-Authentication-for-a-Website-in-IIS/ba-p/324644

Upvotes: 1
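The IIS steps in this answer, scripted for the facade site, plus the two checks the double hop depends on (the http SPN is on the app-pool account and unique, and that account is allowed to delegate to the SharePoint SPN). This is an added example, not the answer's own script; the site name, FQDN, service account and SharePoint SPN are assumed placeholders.

```powershell
# Added example (not from the answer). Placeholders: site/app-pool name, facade
# FQDN, domain service account, back-end SharePoint SPN. Run elevated on the
# facade server with the WebAdministration and RSAT ActiveDirectory modules.
Import-Module WebAdministration
Import-Module ActiveDirectory

$SiteName       = 'FacadeApi'                    # assumed site and app-pool name
$FacadeFqdn     = 'facade.corp.example'          # assumed host clients browse to
$AppPoolAccount = 'CORP\svc-facade'              # assumed domain account
$SharePointSpn  = 'http/sharepoint.corp.example' # assumed back-end SPN
$Auth = 'system.webServer/security/authentication'
$Site = @{ PSPath = 'IIS:\'; Location = $SiteName }

# Steps 3 and 6: Windows auth on, anonymous off; the ticket is decrypted with
# the app-pool account's key because the SPN is registered on that account.
Set-WebConfigurationProperty @Site -Filter "$Auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty @Site -Filter "$Auth/windowsAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty @Site -Filter "$Auth/windowsAuthentication" -Name useAppPoolCredentials -Value $true
Set-WebConfigurationProperty @Site -Filter "$Auth/windowsAuthentication" -Name useKernelMode -Value $true

# Step 5: providers in order, Negotiate first so Kerberos is offered before NTLM.
$Providers = "$Auth/windowsAuthentication/providers"
foreach ($p in 'Negotiate', 'NTLM') {
    Remove-WebConfigurationProperty @Site -Filter $Providers -Name '.' -AtElement @{ value = $p } -ErrorAction SilentlyContinue
    Add-WebConfigurationProperty    @Site -Filter $Providers -Name '.' -Value @{ value = $p }
}

# Step 9: run the pool as the domain account (identityType 3 = SpecificUser).
$Cred = Get-Credential -UserName $AppPoolAccount -Message 'App pool account'
Set-ItemProperty "IIS:\AppPools\$SiteName" -Name processModel -Value @{
    identityType = 3; userName = $AppPoolAccount
    password     = $Cred.GetNetworkCredential().Password }

# Step 8: the http SPN must be on that account and unique. setspn -S refuses to
# create a duplicate; a duplicate SPN is what makes clients silently fall back to NTLM.
$Registered = setspn -L $AppPoolAccount
if (-not ($Registered -match "^\s*http/$([regex]::Escape($FacadeFqdn))$")) {
    setspn -S "http/$FacadeFqdn" $AppPoolAccount
}

# Second hop: the account must be allowed to delegate to the SharePoint SPN.
# Constrained delegation (msDS-AllowedToDelegateTo) limits where the account can
# present callers' identities; TrustedForDelegation (unconstrained) does not.
$Sam  = $AppPoolAccount.Split('\')[-1]
$Acct = Get-ADUser $Sam -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
if ($Acct.TrustedForDelegation) { Write-Warning "$Sam uses unconstrained delegation; prefer constrained." }
if (@($Acct.'msDS-AllowedToDelegateTo') -notcontains $SharePointSpn) { Write-Warning "$Sam cannot delegate to $SharePointSpn; the second hop will fail." }
iisreset   # Step 7
```

After running it, a browser on a domain-joined client should show a Kerberos (not NTLM) ticket for http/facade FQDN in `klist`; if it shows NTLM, re-check the SPN and provider order first.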
