I am developing an intranet site using C# and ASP.NET MVC. I have SQL Server on one machine and IIS running on a separate machine. I would like a user to visit the intranet site and, without prompting the user, have Internet Explorer send the user's Windows credentials to IIS; these are then passed on to SQL Server, meaning SQL Server can see the user accessing the database.
I am aware of the Kerberos double-hop issue, and it is this I am trying to get around. At present I can get IE to pass the Windows credentials to IIS and authenticate fine. I just cannot get IIS to pass those credentials on to SQL Server; instead the request currently runs under the app pool identity, which is set to a domain service account "htu\srv-htu-iis".
My setup is as follows:
Web.Config

    <system.web>
      <authentication mode="Windows" />
      <authorization>
        <deny users="?" />
      </authorization>
      <identity impersonate="true" />
    </system.web>
    <system.webServer>
      <validation validateIntegratedModeConfiguration="false" />
    </system.webServer>
Connection String

    connectionString="data source=hturesbsqlp01;initial catalog=R2_Dev;integrated security=True;MultipleActiveResultSets=True;App=EntityFramework"
IIS Authentication Settings

    Anonymous Authentication = Disabled
    ASP.NET Impersonation = Enabled
    Forms Authentication = Disabled
    Windows Authentication = Enabled
IIS App Pool Settings

    Managed Pipeline = Integrated
    Identity = htu\srv-htu-iis (domain service account)
Active Directory Settings
The domain service account htu\srv-htu-iis has had a service principal name set which associates our site with the account.
Active Directory has "Allow delegation to any service" set.
SQL Server is running under its own SQL domain service account.
Tests
I ran the following code tests:
    System.Web.HttpContext.Current.User.Identity.Name

This correctly returns the Windows credentials of the user accessing the site.

    System.Security.Principal.WindowsIdentity.GetCurrent().Name

This returns the domain service account "htu\srv-htu-iis", which is what the app pool identity is running under.
Can anyone provide direction as to where I might be going wrong?
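An added diagnostic helper (example code, not from the question or any answer on this page) that checks all three points of the double hop in a single request: the identity IIS authenticated from the browser, the thread identity at the moment the database call runs, and the login and authentication scheme SQL Server actually sees. It assumes System.Web / ASP.NET MVC on .NET Framework 4.x with the question's web.config settings (Windows authentication plus impersonation); the `DoubleHopDiagnostics` class name and the connection string argument are assumptions.

```csharp
// Added diagnostic example; not code from the question or any answer on this page.
// Assumes an ASP.NET (System.Web) application with Windows authentication and
// <identity impersonate="true" />, and a SQL Server reachable with the connection
// string passed in (the caller supplies it; nothing here is hard-coded).
using System;
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

public static class DoubleHopDiagnostics
{
    // Returns one name/value entry per check so the result can be dumped into a view or a log.
    public static IDictionary<string, string> Run(string connectionString)
    {
        var result = new Dictionary<string, string>();

        // Hop 1: the identity IIS authenticated from the browser.
        var requestIdentity = HttpContext.Current.User.Identity as WindowsIdentity;
        result["request.user"] = requestIdentity?.Name ?? "(not a WindowsIdentity)";

        // "Kerberos" is required for delegation. "NTLM" means the browser and IIS
        // fell back to NTLM (typically a missing or duplicate HTTP/ SPN), so there is
        // no service ticket that IIS could forward to SQL Server.
        result["request.authType"] = requestIdentity?.AuthenticationType ?? "(none)";

        // A delegatable token reports TokenImpersonationLevel.Delegation. Plain
        // Impersonation only lets the worker use local resources as the user.
        result["request.impersonationLevel"] =
            requestIdentity?.ImpersonationLevel.ToString() ?? "(none)";

        // The thread identity the ADO.NET call will actually run under. With
        // impersonation in effect this equals request.user; otherwise it is the
        // app pool account (htu\srv-htu-iis in the question).
        result["thread.user"] = WindowsIdentity.GetCurrent().Name;

        // Hop 2: ask SQL Server who it believes connected and via which scheme.
        // auth_scheme is KERBEROS when delegation worked and NTLM when it did not.
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(
            "SELECT SUSER_SNAME() AS login_name, auth_scheme " +
            "FROM sys.dm_exec_connections WHERE session_id = @@SPID", conn))
        {
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                if (reader.Read())
                {
                    result["sql.login"] = reader.GetString(0);
                    result["sql.authScheme"] = reader.GetString(1);
                }
            }
        }

        return result;
    }
}
```

Reading the output: if `request.authType` is NTLM the first hop never obtained a Kerberos ticket, so delegation cannot happen regardless of IIS or SQL settings; if `thread.user` is the app pool account, impersonation is not applied at the point where the query runs; if `sql.login` is the service account or `sql.authScheme` is NTLM, the ticket was not forwarded on the second hop. "Allow delegation to any service" (unconstrained delegation) lets the IIS account act as the user toward every service on the network; once the chain works, constrained delegation limited to the SQL Server's MSSQLSvc SPN gives the same result with a much smaller blast radius if the service account is ever compromised.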
ASP.NET Impersonation Authentication: Open IIS Manager and navigate to the level you want to manage. In Features View, double-click Authentication. On the Authentication page, select ASP.NET Impersonation. In the Actions pane, click Enable to use ASP.NET Impersonation authentication with the default settings.
In the application's Web.config file, set the impersonate attribute in the identity element to true. Set the NTFS access control list (ACL) for the ManagerInformation directory to allow access to only those identities that are in the Windows Manager group and any required system accounts.
The Authentication.Negotiate NuGet package can be used with Kestrel to support Windows Authentication using Negotiate and Kerberos on Windows, Linux, and macOS. Credentials can be persisted across requests on a connection.
Well, to anyone visiting this question in the future: I resolved this by restarting the IIS service... doh! Seems my settings were fine; it just needed a full restart of the service!