IIS ASP.NET Windows authentication doesn’t work

authentication iis-7

I have an intranet web application.

Even though I've set "Windows Authentication = Enabled" (and all other Authentications are disabled), when the application tries to access resources, it is treated as though it is run by the same user that runs the Application Pool's process.

Is there a problem here, or do I not understand correctly how Windows Authentication works?
If I did get it wrong, is there another way to make the application run as the client user?

Best Answer

Remote resources? If using Kerberos, there are a few caveats to get that working correctly. For an IIS computer to impersonate a user when accessing remote resources, it needs to generate a delegation-level token for the user.

If the application pool is running under a custom identity (it usually is in these scenarios), the account needs to have the ability to perform unconstrained delegation. On the account Delegation tab in Active Directory Users and Computers, select "Trust this user for delegation to any service (Kerberos only)".

If you don't see the Delegation tab, it means an SPN has not been assigned to the account. That needs to be corrected first using the setspn.exe command.

The IIS identity account needs to have the "Act as part of the operating system" privilege (SetTCB privilege) on the IIS server(s).

Download the Delegation Configuration tool and add that as an application on the web site. It lets you browse to the application URL and generate a report that determines if delegation is configured correctly.

It's also very easy for the code to check the token type to determine if it is a delegation token or not, and log that information to a file.

Summary (Kerberos Protocol Transition and Constrained Delegation)
http://technet.microsoft.com/en-us/library/cc772683%28v=ws.10%29.aspx

How To: Use Impersonation and Delegation in ASP.NET 2.0
http://msdn.microsoft.com/en-us/library/ff647404.aspx

DelegConfig download
https://www.iis.net/community/default.aspx?tabid=34&g=6&i=1887

http://channel9.msdn.com/posts/Troubleshooting-Kerberos-Delegation-Using-DelegConfig
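
The token-type check mentioned in the answer, as an added example that is not part of the original answer: an ASP.NET HTTP module that logs, per request, which account the code is running as, who the authenticated caller is, and whether the caller's token is delegation-level. The module name and log path are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

// Hypothetical module name; register it under <system.webServer><modules> in web.config.
public sealed class DelegationTokenLogModule : IHttpModule
{
    // Assumed log location; the application pool identity needs write access to it.
    private const string LogPath = @"C:\Logs\delegation-check.log";
    private static readonly object Gate = new object();

    public void Init(HttpApplication app)
    {
        // By this stage the caller has been authenticated and context.User is set.
        app.PostAuthenticateRequest += (sender, e) => Log(((HttpApplication)sender).Context);
    }

    private static void Log(HttpContext ctx)
    {
        // The authenticated client, as established by Windows Authentication.
        var caller = ctx.User == null ? null : ctx.User.Identity as WindowsIdentity;

        // The account the code is executing as: the application pool identity
        // unless the request is being impersonated.
        using (var running = WindowsIdentity.GetCurrent())
        {
            string line = string.Format(
                "{0:o} path={1} running_as={2} caller={3} auth={4} level={5} delegable={6}",
                DateTime.UtcNow,
                ctx.Request.Url.AbsolutePath, // escaped path only, no query string
                running.Name,
                caller == null ? "(not a Windows identity)" : caller.Name,
                caller == null ? "-" : caller.AuthenticationType,
                caller == null ? "-" : caller.ImpersonationLevel.ToString(),
                caller != null && caller.ImpersonationLevel == TokenImpersonationLevel.Delegation);

            // Serialize writes so concurrent requests do not interleave lines.
            lock (Gate) { File.AppendAllText(LogPath, line + Environment.NewLine); }
        }
    }

    public void Dispose() { }
}
```

A `level` of `Impersonation` means the token can be used for local access only; it has to read `Delegation` before the server can use it against remote resources. If `running_as` shows the application pool account rather than the caller, the request is not being impersonated.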