Steps to enable double-hop delegation in IIS7 windows 2008

asp.net iis-7 delegation
17,859

There are several steps to configuring Kerberos/Delegation with Windows.

First, you need to configure ASP.NET to use delegation. I assume you have this configured in your web.config.

Then you need to configure the ASP.NET Service Account for delegation. Sometimes you have to create an SPN.

Then enable delegation for the IIS server AND the account in Active Directory.

Step by step instructions are provided here: http://msdn.microsoft.com/en-us/library/ms998355.aspx Follow Steps 1-3.

Share:
17,859
Kram
Author by

Kram

Updated on June 05, 2022

Comments

  • Kram
    Kram about 2 years

    my ASP.NET web application uses windows authentication on our intranet. I want it to be able to make a server-side http request to another server on the same domain that also requires windows authentication.

    I've followed the instructions on temporarily impersonating the authenticated user when making the additional request here:

    http://msdn.microsoft.com/en-us/library/ff647404.aspx

    Using code like this:

    using System.Security.Principal;

// Obtain the authenticated user's Identity
WindowsIdentity winId = (WindowsIdentity)HttpContext.Current.User.Identity;
WindowsImpersonationContext ctx = null;
try
{
  // Start impersonating
  ctx = winId.Impersonate();
  // Now impersonating
  // Access resources using the identity of the authenticated user
  var request = WebRequest.Create("http://intranet/secureapp");
  request.Credentials = CredentialCache.DefaultCredentials;
  var response = request.GetResponse();
  using (var streamReader = new StreamReader(response.GetResponseStream()))
  {
      Response.Write(streamReader.ReadToEnd());
  }
}
// Prevent exceptions from propagating
catch
{
}
finally
{
  // Revert impersonation
  if (ctx != null)
    ctx.Undo();
}
// Back to running under the default ASP.NET process identity

    But, unfortunately, I always get a 401 unauthorized error.

    Do I need to configure our webserver with active directory to allow it to delegate the autenticated user (could be any one of about 200 users, so don't want to have to do anything 200 times :))? If so, can anyone tell me how to do this?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

ASP.Net web application trying to use Impersonation and Delegation to connect to SQL Server
Why does my ASP.NET 4.0 web service fail with a compliation error with NetworkService but succeed with LocalSystem
Where can I find Web Sharing in Microsoft Windows Server 2008 R2?
IIS7 Custom Error URL Redirects Not Working with non-physical files
How to host an ASP.NET Web Applications site on IIS 7
How would an HttpModule for Custom Authentication interact with Windows Authentication?
Is Application_Start of Global.asax is called by iis on wcf application when the iis is the host ?
Windows Server 2008 R2 + IIS 7.5 + ASP.NET 4.0 = HTTP Error 500.0
Mismatched Address of SSL certificate
Tracking Website's Page Visitors and Statistic at IIS level