Steps to enable double-hop delegation in IIS7 Windows 2008

2

3

My ASP.NET web application uses Windows authentication on our intranet. I want it to be able to make a server-side HTTP request to another server on the same domain that also requires Windows authentication.

I've followed the instructions on temporarily impersonating the authenticated user when making the additional request here:

http://msdn.microsoft.com/en-us/library/ff647404.aspx

Using code like this:

```csharp
using System.IO;
using System.Net;
using System.Security.Principal;
using System.Web;

// Obtain the authenticated user's Identity
WindowsIdentity winId = (WindowsIdentity)HttpContext.Current.User.Identity;
WindowsImpersonationContext ctx = null;
try
{
  // Start impersonating
  ctx = winId.Impersonate();
  // Now impersonating
  // Access resources using the identity of the authenticated user
  var request = WebRequest.Create("http://intranet/secureapp");
  request.Credentials = CredentialCache.DefaultCredentials;
  // Dispose the response as well as the reader so the connection is released
  using (var response = request.GetResponse())
  using (var streamReader = new StreamReader(response.GetResponseStream()))
  {
      Response.Write(streamReader.ReadToEnd());
  }
}
// Prevent exceptions from propagating
catch
{
}
finally
{
  // Revert impersonation
  if (ctx != null)
    ctx.Undo();
}
// Back to running under the default ASP.NET process identity
```

But, unfortunately, I always get a 401 Unauthorized error.

Do I need to configure our web server with Active Directory to allow it to delegate the authenticated user (could be any one of about 200 users, so I don't want to have to do anything 200 times :))? If so, can anyone tell me how to do this?

Oiler answered 2/12, 2010 at 11:53 Comment(0)
3

There are several steps to configuring Kerberos/Delegation with Windows.

First, you need to configure ASP.NET to use delegation. I assume you have this configured in your web.config.

Then you need to configure the ASP.NET Service Account for delegation. Sometimes you have to create an SPN.

Then enable delegation for the IIS server AND the account in Active Directory.

Step-by-step instructions are provided here: http://msdn.microsoft.com/en-us/library/ms998355.aspx Follow Steps 1-3.

Sarcastic answered 2/12, 2010 at 15:7 Comment(0)
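A diagnostic for the delegation steps above, as an added example that is not part of the original question or answer: it reports whether the authenticated user's token arrived at Delegation level (usable for the second hop) or only at Impersonation level (valid on the web server alone). The `DelegationCheck` class and its method names are hypothetical; it uses only `WindowsIdentity.AuthenticationType` and `WindowsIdentity.ImpersonationLevel` from the .NET Framework.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Added troubleshooting helper (hypothetical name, not from the original posts).
public static class DelegationCheck
{
    // Explains whether the caller's token can be used for a second hop.
    public static string Describe(WindowsIdentity id)
    {
        if (id == null || !id.IsAuthenticated)
            return "No authenticated Windows identity: check that Windows "
                 + "authentication is enabled and anonymous access is disabled.";

        // "Kerberos" or "Negotiate" may carry a delegatable ticket; NTLM cannot.
        string auth = id.AuthenticationType ?? "(unknown)";
        TokenImpersonationLevel level = id.ImpersonationLevel;

        if (string.Equals(auth, "NTLM", StringComparison.OrdinalIgnoreCase))
            return id.Name + ": authenticated with NTLM, which cannot be delegated. "
                 + "Check the SPN registration and that the client negotiates Kerberos.";

        switch (level)
        {
            case TokenImpersonationLevel.Delegation:
                return id.Name + ": " + auth + " token at Delegation level; "
                     + "the second hop can authenticate as this user.";
            case TokenImpersonationLevel.Impersonation:
                return id.Name + ": " + auth + " token at Impersonation level only; "
                     + "it is valid on this server, but a request to another server "
                     + "will not carry the user's credentials (typically a 401). "
                     + "Enable delegation for the server and account in Active Directory.";
            default:
                return id.Name + ": token level " + level
                     + " cannot be used to access remote resources.";
        }
    }

    // Call from a page or handler during a request, e.g. Response.Write(...).
    public static string DescribeCurrentUser()
    {
        return Describe(HttpContext.Current.User.Identity as WindowsIdentity);
    }
}
```

Run it once before and once after changing the Active Directory delegation settings; the user must log on again (or the Kerberos tickets must expire) before the level changes.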
-1

http://blogs.technet.com/b/taraj/archive/2009/01/29/checklist-for-double-hop-issues-iis-and-sql-server.aspx

http://www.phishthis.com/2009/10/24/how-to-configure-ad-sql-and-iis-for-two-hop-kerberos-authentication-2/

IIS to SQL Server Kerberos auth issues

Bond answered 22/7, 2014 at 9:50 Comment(1)
Links to external resources are encouraged, but please add context around the link so your fellow users will have some idea what it is and why it’s there. Always quote the most relevant part of an important link, in case the target site is unreachable or goes permanently offline. - Homophony
