Constrained Delegation works if App Pool is Local System but not if Network Service in IIS 7

delegationwindows-server-2008

I have an issue with Constrained Delegation and IIS 7 on Windows Server 2008.

We have a web application which uses impersonation to access a SQL Report Server. This has worked fine with IIS 6 with both Trusted for Delegation and Constrained Delegation. However we have run into an issue with IIS 7.

What I have been able to get it down to is this, On IIS 7, with the Application Pool running as NetworkService, and Constrained delegation configured, we get an HTTP 401 Unauthorised error from Report Server, with the Application Pool running as Local System the Impersonation works fine.

I have tested in both Classic and Integrated Pipeline.
Code from a very simple test page that simulates this issue is below. Running the same test page from an IIS 6 server of Windows 2003 works fine.
Any ideas of security policy, IIS configuration or even server features and roles that might effect this?

Please note I have checked Kerberos is working fine, and the constrained delegation configuration is correct.

private void testImpersonation()
{
  string url = "http://testsvr7/reportserver/";

  System.Security.Principal.WindowsIdentity user =
    (System.Security.Principal.WindowsIdentity)Context.User.Identity;
  System.Security.Principal.WindowsImpersonationContext WICTX = null;

  StringBuilder results = new StringBuilder();

  try
  {
     if (user != null)
     {
        WICTX = user.Impersonate();
        results.AppendFormat("<br />Impersonating, user: {0}",   
             System.Security.Principal.WindowsIdentity.GetCurrent().Name);

        System.Net.HttpWebRequest myHttpWebRequest =
             (HttpWebRequest)WebRequest.Create(url);

        // Assign the credentials of the user being impersonated.
        myHttpWebRequest.Credentials = CredentialCache.DefaultCredentials;

        System.Net.HttpWebResponse myHttpWebResponse =
             (HttpWebResponse)myHttpWebRequest.GetResponse();

        results.AppendFormat("<br />Authentication successful - {0}, {1}",
             url, CredentialCache.DefaultCredentials);
     }
  }
  catch (Exception ex)
  {
     results.AppendFormat("<br />Exception: {0}", ex.Message);
  }
  finally
  {
     if (WICTX != null)
     WICTX.Undo();
  }
  Response.Write(results.ToString());

Best Answer

I believe I have found the resolution - if I set the useAppPoolCredentials property of system.webServer/security/authentication/windowsAuthentication to "true" then the AppPool with NetworkService works fine with the Constrained Delegation.

Tested on both Windows Server 2008 and 2008 R2.

I am unsure why this is, and I did find it very hard to get really clear documentation on what this setting does and how it may effect this situation. You can set this value through the Configuration Editor in IIS Manager for IIS on 2008 R2.
Or use the following command (only way I found to do it for 2008 (not R2)):

%windir%\system32\inetsrv\appcmd set config "Default Web Site/MyApplication" /section:system.webServer/security/authentication/windowsAuthentication /useAppPoolCredentials:true /commit:MACHINE/WEBROOT/APPHOST

Related Solutions

How to Assign Permissions to ApplicationPoolIdentity Account

Update: The original question was for Windows Server 2008, but the solution is easier for Windows Server 2008 R2 and Windows Server 2012 (and Windows 7 and 8). You can add the user through the NTFS UI by typing it in directly. The name is in the format of IIS APPPOOL\{app pool name}. For example: IIS APPPOOL\DefaultAppPool.

IIS APPPOOL\{app pool name}

Note: Per comments below, there are two things to be aware of:

Enter the string directly into the "Select User or Group" and not in the search field.
In a domain environment you need to set the Location to your local computer first.

Reference to Microsoft Docs article: Application Pool Identities > Securing Resources

Original response: (for Windows Server 2008) This is a great feature, but as you mentioned it's not fully implemented yet. You can add the app pool identity from the command prompt with something like icacls, then you can manage it from the GUI. For example, run something like this from the command prompt:

icacls c:\inetpub\wwwroot /grant "IIS APPPOOL\DefaultAppPool":(OI)(CI)(RX)

Then, in Windows Explorer, go to the wwwroot folder and edit the security permissions. You will see what looks like a group (the group icon) called DefaultAppPool. You can now edit the permissions.

However, you don't need to use this at all. It's a bonus that you can use if you want. You can use the old way of creating a custom user per app pool and assigning the custom user to disk. That has full UI support.

This SID injection method is nice because it allows you to use a single user but fully isolate each site from each other without having to create unique users for each app pool. Pretty impressive, and it will be even better with UI support.

Note: If you are unable to find the application pool user, check to see if the Windows service called Application Host Helper Service is running. It's the service that maps application pool users to Windows accounts.

Iis – Kerberos constrained delegation not working

I would enable Kerberos logging on the IIS machine. This surfaces a lot of helpful information, including SPN's and related errors. Takes effect without a restart on Windows Server 2008.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"LogLevel"=dword:00000001

NetMon may also show SPN's.

Are the IIS and SQL servers in the same AD Domain?

Best Answer

Related Solutions

How to Assign Permissions to ApplicationPoolIdentity Account

Iis – Kerberos constrained delegation not working

Related Topic