Windows – How to configure delegation in an ASP.Net Core 2.0 app on windows with users authenticated via Azure AD

Tags: asp.net, delegation, kerberos, sql server, windows

The Setup:

I have a web app written in ASP.NET Core 2.0 that authenticates against Azure AD using OpenID Connect. It is running on a machine that is part of an Azure AD domain. The app does have an Application set up in Azure AD.

The problem:

We would like to use the Azure AD user account to connect to the SQL Server database, which resides on another (windows) machine. So far, I have been attempting to use impersonation to achieve this.

This seems to me to be an instance of the double-hop problem, but nothing I've tried has worked.


  • Users will be accessing the site over the internet, outside of the domain, so we can't rely on windows authentication directly
  • Authentication via OpenID Connect is working – I get the expected user information and claims
  • The claims identity does appear to correspond correctly with the domain user
  • I can impersonate a user by obtaining a WindowsIdentity using login credentials (using advapi32)

What I've tried:

  • Using S4UClient to obtain a WindowsIdentity – I can obtain the WindowsIdentity, but it does not delegate.
  • Setting SPNs for the web server and processes, including creating a service account that the site runs under.
    • Assigning Kerberos delegation to the machine
  • Creating a WindowsIdentity using the UPN claim – again, I get the WindowsIdentity but cannot connect to the SQL Server.
  • Running the site with the SYSTEM account (I know this is not advisable, but it doesn't seem to work anyway, so…)
  • Setting Kerberos constrained delegation to the sql server from the web server
  • Setting the website to use Windows authentication (with and without anonymous auth) and removing all providers except Negotiate.
  • Possibly other things, I will update if/as I think of them.

I'm about ready to start discussing other options with the database team, but having this work would simplify user management.

Any thoughts or suggestions?

Best Answer

It is possible, but there are a number of moving parts which all need to be in place for it to work. You can see my post for the things to check that they are all in place and some links to reference articles. It's written for core 1.1 running on net452, but I've since updated that app to core 2.0 on net462 and other than the setup.cs changes for authentication, everything still works.
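The second hop the question is about, as an added example that is not the asker's or answerer's code: it takes the UPN from the validated OpenID Connect claims, logs it on via S4U, checks that the resulting token is at Delegation level (an Identification-level token is the usual reason the WindowsIdentity is obtained but the SQL connection fails), and then opens the connection under impersonation. It assumes the site runs under a hypothetical domain service account that has an HTTP SPN and constrained delegation with protocol transition to the SQL Server's MSSQLSvc SPN, and a connection string using Integrated Security.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;

// Added example, not code from the question or answer. Assumes the web site runs
// as a hypothetical domain service account trusted for constrained delegation
// (protocol transition enabled) to the MSSQLSvc SPN of the SQL Server, and that
// 'upn' comes from the signed-in user's validated OpenID Connect claims.
public static class DelegatedSql
{
    // Level of the S4U token for the user. Anything below Delegation means the
    // web -> SQL hop cannot carry the user's identity, so SQL Server will reject
    // the login even though the WindowsIdentity itself was created fine.
    public static TokenImpersonationLevel CheckTokenLevel(string upn)
    {
        using (var identity = new WindowsIdentity(upn)) // S4U2Self logon, no password
        {
            return identity.ImpersonationLevel;
        }
    }

    // Opens the connection as the domain user and returns the login name SQL
    // Server sees, so a mismatch with the UPN shows up immediately.
    public static string WhoAmIOnSql(string upn, string connectionString)
    {
        using (var identity = new WindowsIdentity(upn))
        {
            if (identity.ImpersonationLevel != TokenImpersonationLevel.Delegation)
                throw new InvalidOperationException(
                    $"Token for {upn} is {identity.ImpersonationLevel}; check the SPNs and " +
                    "the 'use any authentication protocol' setting on the service account.");

            // Impersonate only for the duration of the database call.
            return WindowsIdentity.RunImpersonated(identity.AccessToken, () =>
            {
                using (var conn = new SqlConnection(connectionString)) // Integrated Security=SSPI
                using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
                {
                    conn.Open();
                    return (string)cmd.ExecuteScalar();
                }
            });
        }
    }
}
```

If `CheckTokenLevel` returns Identification rather than Delegation, the fix is on the service account's delegation settings and SPNs in AD, not in the application code.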
