Impersonate and IIS6 driving me nuts


Hi NG,

I have written some apps in ASP.NET that access a SQL Server on another
machine. I never had a problem doing this in IIS 5(.1).
Most apps are intranet applications where I use Integrated Windows
authentication, so my web.config uses <identity impersonate="true"/>. My
problem is that I now had to install one app on a Windows 2003 Server. I
tried to run my app but I always get the error that anonymous access is not
allowed.

So here is what I did right now:
- I tried to create a new AppPool. I assigned the app to the new AppPool. I
changed the identity to 'Local System'. I allowed delegation for this
machine (the IIS machine). Same error.
- I configured the AppPool to use my account and added my account to the
local group (IIS_WPG). After that I was prompted to enter my credentials when
I accessed the website, but my creds are not accepted.

I have to use Integrated Windows authentication (and it's the only
authentication that is enabled).
If I use simple authentication (I did to test it) all works fine.
btw: Impersonation works. I checked
System.Web.HttpContext.Current.User.Identity.Name and it is the user that
accesses the website.

thx in advance
Bjoern
 
Your scenario will not work with IIS 5 or IIS 6.0. A search of this newsgroup
will give you lots of answers.

The short answer is Windows authentication does not support delegation
(passing credentials from one server to another) and is limited to the
one-hop rule: only a primary token can be passed to a second server. Windows
authentication on IIS (all versions) gives the thread a secondary
(impersonation) token which cannot be used to access any network resource.

Your only option is Basic (which gives IIS a primary token), or Digest, which
supports delegation. Digest requires AD and delegation to be enabled
(default is off).


-- bruce (sqlwork.com)
 
Do you need authentication for the whole website or just one or two specific
operations?
 
Thx,

I thought this is one of the key features of Kerberos (which integrated
authentication will use). And a look at AD Users and Computers on the
delegation tab will show that it requires Kerberos.

Do you have any good articles about this?

cu
Bjoern
 
Sorry it's me again.

I found this (taken from IIS6 resource kit - Managing a Secure IIS 6.0
Solution):
Constrained delegation is particularly useful in scenarios in which a site
that requires authentication - a site that does not allow anonymous access -
contains content that is housed on a remote UNC file server. With
constrained delegation, you can enable Integrated Windows authentication,
which can use NTLM authentication or send credentials across the network as
a Kerberos token. For more information about Integrated Windows
authentication, see "Integrated Windows Authentication" earlier in this
chapter.
If you do not use constrained delegation but you enable Integrated Windows
authentication, the token that the Web server obtains from the security
infrastructure of Windows does not have sufficient permissions to access
another computer, such as your file server. However, with constrained
delegation and Integrated Windows authentication, the token received by the
Web server from the security infrastructure of Windows is a Kerberos-based
token with permission to access other computers, including the file server.
Essentially, constrained delegation allows an NTLM-based token to be
upgraded to a Kerberos-based token.

Do I misunderstand this? This is what I want to do...

cu
Bjoern
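The resource-kit passage quoted above turns on three things in AD that the "Delegation" tab only hints at: a Kerberos SPN for the web site, an SPN for the SQL Server service, and a delegation entry on the account the app pool runs as. The PowerShell script below is an added diagnostic, not code from the thread or from Microsoft. It assumes hypothetical names: domain example.com, web server WEB01 whose app pool runs as Network Service (so the WEB01$ computer account is the principal that delegates), and SQL Server SQL01 running as the domain account svc-sql on TCP 1433. It uses only System.DirectoryServices, so it runs on any domain-joined machine without extra modules.

```powershell
# Added example, not from the original thread. Checks the Kerberos prerequisites for
# constrained delegation from an IIS 6 app pool to a remote SQL Server.
# Assumed (hypothetical) names: example.com, WEB01 (app pool = Network Service), SQL01 / svc-sql.

$domain     = 'example.com'
$webHost    = 'web01'
$sqlHost    = 'sql01'
$sqlAccount = 'svc-sql'
$httpSpn    = "HTTP/$webHost.$domain"
$sqlSpn     = "MSSQLSvc/$sqlHost.${domain}:1433"

# userAccountControl bits behind the "Delegation" tab in AD Users and Computers
$TRUSTED_FOR_DELEGATION         = 0x80000     # "Trust ... for delegation to any service" (unconstrained)
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # "Use any authentication protocol" (protocol transition)

function Find-Account([string]$samAccountName) {
    # Plain LDAP search against the logon domain; works without the AD module
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(sAMAccountName=$samAccountName)"
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]@('servicePrincipalName', 'msDS-AllowedToDelegateTo', 'userAccountControl'))
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "account '$samAccountName' not found in the domain" }
    return $result
}

function Get-Spns($searchResult) {
    # Property names in a SearchResult are lower-cased
    @($searchResult.Properties['serviceprincipalname'])
}

$web = Find-Account "$webHost`$"      # computer accounts end in $
$sql = Find-Account $sqlAccount

# 1. Without an HTTP SPN for the host name in the URL the browser cannot get a Kerberos
#    ticket for the site and silently falls back to NTLM, whose token cannot be delegated.
if ((Get-Spns $web) -notcontains $httpSpn) {
    Write-Warning "$httpSpn is not registered on $webHost`$; clients will authenticate with NTLM"
}

# 2. Without the MSSQLSvc SPN on the SQL service account the web server cannot obtain a
#    ticket for SQL Server on the user's behalf, so that hop also drops back to NTLM.
if ((Get-Spns $sql) -notcontains $sqlSpn) {
    Write-Warning "$sqlSpn is not registered on $sqlAccount; run: setspn -A $sqlSpn $sqlAccount"
}

# 3. Delegation settings of the account the app pool runs as (here the computer account).
$uac     = [int]$web.Properties['useraccountcontrol'][0]
$allowed = @($web.Properties['msds-allowedtodelegateto'])

if ($uac -band $TRUSTED_FOR_DELEGATION) {
    Write-Warning "$webHost`$ is trusted for unconstrained delegation; constrain it to $sqlSpn instead"
}
elseif ($allowed -contains $sqlSpn) {
    "$webHost`$ may delegate to $sqlSpn (constrained delegation)"
    if ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) {
        "protocol transition is on: users who arrived via NTLM can be delegated as well"
    }
}
else {
    Write-Warning "$webHost`$ has no delegation rights to $sqlSpn"
    # To grant constrained delegation to exactly this service (requires rights on the object):
    # $entry = $web.GetDirectoryEntry()
    # [void]$entry.Properties['msDS-AllowedToDelegateTo'].Add($sqlSpn)
    # $entry.CommitChanges()
}
```

If the app pool runs under a domain user account instead of Network Service, as in the second experiment in the first post, the SPN and delegation attributes have to live on that user account, so pass its sAMAccountName to Find-Account in place of "$webHost`$". Step 3 only sets the delegation rights; the three warnings are the usual reasons the web server's token stays an NTLM impersonation token that cannot reach the SQL Server.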
 
Digest is the Microsoft name for Kerberos, and only works with AD users.
Also, delegation is turned off by default.

-- bruce (sqlwork.com)
 