Impersonation and Delegation with ASP.NET 2.0 on 2 Servers

  • Thread starter Thread starter Patrick
  • Start date Start date
P

Patrick

Hello

I have the following scenario
- SQL 2005 server (serversql)
- Windows 2003 with IIS (serveriis)
- Windows 2003 ADS (serverads)

I want to connect to an intranet application using NTML with impersonation
and delegation. so for this I made the following change in web.config
<identity impersonate="true"/>

<authentication mode="Windows"/>

Then in the Active Directory i did the following change:

Computers\serveriis -> properties -> delegation

- Trust this computer for delegation on these services. Any protocol. And
then I have added the www and w3svc services



But when connecting to the webpage, I always get this error:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

any idea what is wrong?

Thanks
Patrick
 
Did you enable Integrated Authentication and disable Anonymous
authentication in IIS? Because when you set <authentication
mode="Windows"/> it means ASP.Net does no authentication and uses IIS
to negotiate authentication, so you need to configure IIS to require
NTLM. Then, you need <identity impersonate="true"/> for ASP.Net to use
the user token negotiated by IIS instead of stripping it off like it
does by default. Only by doing these two steps do you end up with a NT
user token to be able to begin the game of Delegation and Protocol
Transitioning with AD...

And to clarify what you are describing -- you have three separate
servers (one with SQL, one with IIS, one with AD), the web page is on
IIS, it is trying to access the SQL server, and getting that logon
failure when you access the web page from a machine on the same network
segment as IIS?


//David
http
 
Hi David

i checked my settings again. And everything is as you described. But the
funny thing is, that it works now. Is it possible that ADS needs some time
to propagate the delegation of that server?

Regards
 
Back
Top