Reputation: 5430
Impersonation and Delegation within a MVC 3 application on IIS 7.5
Given the follow scenario:
- Windows 2008 R2 x64 web server with IIS 7.5, Server 1
- Windows 2003 R2 x64 file server, Server 2
- MVC 3 application with Windows authentication and impersonation (authenticated user)
- Configured Server 1 as
'Trusted computer for delegation'in Active directory - Internet Explorer 8
Within the application the user has the possibility to upload a file. This uploaded file has to be saved on Server 2. In the code we create the UNC path to this Server 2 and save it there.
public ActionResult Upload(HttpPostedFileBase file)
{
var savedDirectory = "\\Path\To\Server2";
if (Directory.Exists(savedDirectory))
{
file.SaveAs(savedFileName);
}
else
{
Directory.CreateDirectory(savedDirectory);
file.SaveAs(savedFileName);
}
return RedirectToAction("Action", "Controller", new { id = 1 });
}
We installed the application on Server 1 and test it locally on Server 1, everything went fine. Files are uploaded to Server 2 no issues there.
When we test the same scenario from a client desktop we get an error saying that there is not enough permissions to save the file on Server 2.
A wireshark session shows us Server 1 did not impersonate, because the authenticated user on Server 2 was empty/anonymous.
Impersonation as Specific User instead of Authenticated User
We did not get the impersonation working so we created a service account and configured the application to impersonate with this Specific User instead of the Authenticated User. The service account is a domain account and has permissions on the folder on Server 2.
When we try to upload, the service account has no permissions on the local folder where we upload the file from.
Delegation
We learned, via Impersonation in asp.net mvc, that we need to trust Server 1 for delegation.
After we trusted Server 1 for delegation: still no permissions to save the file on Server 2. We tried this both with impersonation as Authenticated User en Specific user
- Impersonation as
Authenticated Userwith delegation not working: not enough permissions on Server 2 - Impersonation as
Specific Usernot working: not enough permissions on the Local folder
Do we miss something here? Do we need extra steps for delegation?
Upvotes: 2
Views: 2940
Answers (2)
Reputation: 826
I encountered this error today and here are the steps I did to fix the problem:
- Make sure that ASP.NET Impersonation is enabled for your site. Go to your site in IIS Manager and under features double click on Authentication then enable ASP.NET Impersonation
- Use Integrated mode for your app pool
Edit your application's web.config file to specify the settings below:
<system.webServer> <validation validateIntegratedModeConfiguration="false" /> <modules runAllManagedModulesForAllRequests="true" /> </system.webServer>
Upvotes: 0
Reputation: 5430
We fixed this problem by:
- Configuring delegation on the domain for Server 1
- And adding
Kerberos providerto the Application within IIS (right click on Windows Authentication)
Upvotes: 1
Related Questions
- Impersonation in ASP.NET MVC
- Impersonation and Delegation
- Identity Impersonation with ASP.NET 4 MVC not working as expected
- Impersonation issue with ASP.NET MVC
- SharePoint 2013 / IIS 7.5 Impersonation/Delegation/Double Hop
- Impersonation, Active Directory, and "user does not have authority to xxxx" issues
- ASP.NET impersonation problem (part 2)
- ASP.NET impersonation problem
- Impersonation in ASP.NET MVC
- Impersonation and Delegation in ASP.NET