IIS7 Impersonation doesn't work to access TFS repository

Question

I'm trying to build an ASP.NET page that adds a work item in TFS.

I have enabled impersonation and Windows authentication:

<authentication mode="Windows" />
<identity impersonate="true" password="" userName="" />
<customErrors mode="Off" /> 

In the page, I access TFS and try to add a work item:

TfsTeamProjectCollection prjCollection = TfsTeamProjectCollectionFactory.GetTeamProjectCollection(new Uri("xxx"));
WorkItemStore store = prjCollection.GetService<WorkItemStore>();
...

However, it only works when I select SpecificUser in ASP.NET Impersonation and store the credentials. It doesn't work when the Authenticated user is selected.

I've checked that the SpecificUser is the same as the Authenticated one, but I get permission errors in the latter case (which indicates that the impersonation doesn't work correctly).

TF30063: You are not authorized to access XXX. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
   at System.Net.HttpWebRequest.GetResponse()
   at     Microsoft.TeamFoundation.Client.TeamFoundationClientProxyBase.AsyncWebRequest.ExecRequest(Object obj)
   --- End of inner exception stack trace ---
   at     Microsoft.TeamFoundation.Client.TeamFoundationClientProxyBase.ProcessHttpResponse(HttpWebResponse response, Stream responseStream, WebException webException, XmlReader& xmlResponseReader)
   at Microsoft.TeamFoundation.Client.TeamFoundationClientProxyBase.ExecWebServiceRequest(HttpWebRequest request, XmlWriter requestXml, String methodName, HttpWebResponse& response)
   at Microsoft.TeamFoundation.Framework.Client.LocationWebService.Connect(Int32 connectOptions, ServiceTypeFilter[] serviceTypeFilters, Int32 lastChangeId)
   at Microsoft.TeamFoundation.Framework.Client.FrameworkServerDataProvider.Connect(ConnectOptions connectOptions)
   at Microsoft.TeamFoundation.Framework.Client.FrameworkServerDataProvider.EnsureConnected(ConnectOptions optionsNeeded)
   at Microsoft.TeamFoundation.Framework.Client.FrameworkServerDataProvider.get_InstanceId()
   at Microsoft.TeamFoundation.WorkItemTracking.Client.WorkItemStore.InitializeInternal()
   at Microsoft.TeamFoundation.Client.TfsTeamProjectCollection.InitializeTeamFoundationObject(String fullName, Object instance)
   at Microsoft.TeamFoundation.Client.TfsConnection.CreateServiceInstance(Assembly assembly, String fullName)
   at Microsoft.TeamFoundation.Client.TfsConnection.GetService(Type serviceType)
   at Microsoft.TeamFoundation.Client.TfsConnection.GetService[T]()
   at ASP.index_aspx.__Render__control1(HtmlTextWriter __w, Control parameterContainer)

The following variables look the same for both cases:

HttpContext.Current.Request.LogonUserIdentity.Name
HttpContext.Current.Request.IsAuthenticated
HttpContext.Current.User.Identity.Name
System.Environment.UserName
System.Security.Principal.WindowsIdentity.GetCurrent().Name

Any ideas?

EDIT:

Indeed, as John mentioned below, the issue is caused by Kerberos Delegation.

I've found the following article and accompanying tool very useful in explaining and mitigating this:

DelegConfig - A Tool To help resolve Kerberos authentication and delegation issues

Answer 1

I think you may have a "double hop" problem.

Answer 2

Based on this article, it's worth a shot to add EnsureAuthenticated();

TfsTeamProjectCollection prjCollection = TfsTeamProjectCollectionFactory.GetTeamProjectCollection(new Uri("xxx"));
prjCollection.EnsureAuthenticated();
WorkItemStore store = prjCollection.GetService<WorkItemStore>();

I haven't ever tried this, so I can only hope it 'll work.

Answer 3

Who is the app pool for the IIS app running as? By default, I think it's one of IIUSR accounts and not necessarily a domain account with credentials for the TFS server.