How to delegate Windows Authentication session when running an app on IIS 8?

I have an intranet application written with c# on the top of ASP.Net MVC 5 Framework. My app is configured to authenticate users via "Windows Authentication" method. This app is running on IIS 8.

My app uses a third party SDK to interact with another program I have running on the same domain. This third party app allows the user to login using Windows Authentication also via the provided SDK.

Problem

However, the server the SDK is communicating with always returns "Invalid user name/password is invalid".

After deep troubleshooting, I found out that IIS is not returning the correct username. Instead of returning the "Authenticated User" it is returning the user that is running the app pool. So, to fix this problem, I changed the app settings to the following:

  • I disabled "Anonymous Authentication"
  • I enabled "Windows Authentication"
  • I enabled "ASP.NET Impersonation" while the "ASP.NET Impersonation" settings are set to "Authenticated user". Note: this requires the "Classic" managed pipeline, not "Integrated", for some reason.
  • I changed the AppPool managed pipeline setting to "Classic" v4
  • Changed the user that is running the AppPool to "Network Service" instead of "ApplicationPoolIdentity"
  • Then kept the Authentication Providers list to "Negotiate" and "NTLM"
  • Finally, I kept "Kernel-mode authentication" enabled.

So the above settings returned the correct username, but it is not delegating the password to the SDK. I guess because of the communication hop, IIS is protecting the logged-in user and is not allowing me to delegate the password to another service/SDK.

So then I tried to change my setup to the following:

  • I changed the AppPool managed pipeline setting to "Integrated" v4.0
  • Changed the user that is running the AppPool to "Network Service"
  • I disabled "Anonymous Authentication"
  • I enabled "Windows Authentication"
  • I disabled "ASP.NET Impersonation"
  • The Authentication Providers list "Negotiate:Kerberos", "Negotiate" and "NTLM"
  • I disabled "Kernel-mode authentication" as it won't work with the "Kerberos" provider.

So the above prevented me from logging into my MVC app altogether. It just keeps on prompting me for my credentials over and over.

To fix that, I located my web-server name in my domain controller, went to the "Delegation" tab and changed it to "Trust this user for delegation to any service (Kerberos only)".

Now this setup allowed me to log into my MVC app. But this time, it is delegating neither the username nor the password to the SDK. In fact, the username that I get is the AppPool username, not the authenticated user.

To cover all of my bases, I changed the user that runs the AppPool to an actual user that has Windows Authentication access to the server the SDK is connecting to. Sure enough, that worked just fine and I am able to connect to the second service. However, it is always delegating the username/password that is running the AppPool to the SDK instead of delegating the connected/authenticated username/password.

In conclusion, IIS is not delegating the username/password to the SDK for some reason. How can I get IIS to delegate the connected user session/credential to another service?

It is also possible that the delegation is failing because the users are using "NTLM" authentication instead of Kerberos, yet the server will only delegate when Kerberos authentication is used. If this is the case, how can I force the user to use "Kerberos" authentication instead of "NTLM"?

Junior Avatar asked Nov 03 '17 16:11

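The question's last paragraph asks how to tell whether the user arrived over NTLM or Kerberos, and whether the token IIS hands the app can be forwarded at all. The app itself can answer both: the authenticated WindowsIdentity carries its authentication type and its impersonation level, and only a token at the Delegation level can make the second hop to the SDK's server. The following MVC 5 diagnostic controller is an added example, not code from the question or either answer; the controller name, the AuthReport class and the commented-out SDK call are hypothetical, and it assumes an ASP.NET MVC 5 app with Windows Authentication enabled and Anonymous Authentication disabled.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web.Mvc;

// Added diagnostic example (not from the question or answers). Browse to
// /AuthDiagnostics while logged in to see what IIS actually passed to the app.
public class AuthDiagnosticsController : Controller
{
    [Authorize]
    public ActionResult Index()
    {
        // The identity IIS authenticated: the end user, even when the app pool
        // runs as Network Service and impersonation is off.
        WindowsIdentity requestIdentity = User.Identity as WindowsIdentity;

        // The identity the worker thread is executing as right now. Without
        // impersonation this is the app pool account, which is what the SDK
        // in the question ends up seeing.
        WindowsIdentity threadIdentity = WindowsIdentity.GetCurrent();

        AuthReport report = BuildReport(requestIdentity, threadIdentity);
        return Content(report.Render(), "text/plain");
    }

    // Separated from the action so the classification can be reasoned about
    // (and unit tested) without an HTTP context.
    public static AuthReport BuildReport(WindowsIdentity request, WindowsIdentity thread)
    {
        var report = new AuthReport();
        report.ThreadUser = thread.Name;

        if (request == null)
        {
            report.Notes.Add("User.Identity is not a WindowsIdentity: Windows Authentication is not in effect.");
            return report;
        }

        report.RequestUser = request.Name;
        // Reported by the token: "Kerberos" or "NTLM". Under the Negotiate
        // provider it can also read "Negotiate"; the impersonation level below
        // is then the more reliable indicator.
        report.AuthenticationType = request.AuthenticationType;
        report.ImpersonationLevel = request.ImpersonationLevel;

        if (string.Equals(request.AuthenticationType, "NTLM", StringComparison.OrdinalIgnoreCase))
            report.Notes.Add("NTLM token: cannot be forwarded to another server (no second hop).");

        if (request.ImpersonationLevel == TokenImpersonationLevel.Delegation)
            report.Notes.Add("Delegation-level token: the SDK call can run as this user after Impersonate().");
        else
            report.Notes.Add("Token is not at Delegation level: check the Kerberos SPN for the site "
                           + "and the web server's delegation setting in Active Directory.");

        return report;
    }

    // How the SDK call would be wrapped once the report shows a Delegation-level
    // token. The SDK call is hypothetical; only the impersonation scope is real.
    public static void CallSdkAsRequestUser(WindowsIdentity request, Action sdkCall)
    {
        using (WindowsImpersonationContext ctx = request.Impersonate())
        {
            // Code inside this block, including outbound Windows-authenticated
            // connections, runs as the request user rather than the app pool.
            sdkCall();
        } // Undo() is called automatically when the scope is disposed.
    }
}

public class AuthReport
{
    public string RequestUser;
    public string ThreadUser;
    public string AuthenticationType;
    public TokenImpersonationLevel ImpersonationLevel = TokenImpersonationLevel.None;
    public System.Collections.Generic.List<string> Notes = new System.Collections.Generic.List<string>();

    public string Render()
    {
        var sb = new StringBuilder();
        sb.AppendLine("Request user:        " + (RequestUser ?? "(none)"));
        sb.AppendLine("Thread user:         " + ThreadUser);
        sb.AppendLine("Authentication type: " + (AuthenticationType ?? "(none)"));
        sb.AppendLine("Impersonation level: " + ImpersonationLevel);
        foreach (string note in Notes)
            sb.AppendLine("- " + note);
        return sb.ToString();
    }
}
```

Reading the report against the setups in the question: if "Request user" is the end user but "Thread user" is the app pool account, IIS authenticated correctly and the SDK simply ran outside an impersonation scope. If "Authentication type" is NTLM, or the impersonation level is Impersonation rather than Delegation, the token cannot cross to the SDK's server no matter how the app pool is configured, and the fix lives in Kerberos (an HTTP SPN matching the site's host name, clients reaching the site by that name, and the delegation setting on the web server's AD object) rather than in web.config.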


2 Answers

Have you tried to enable impersonation in your web.config?

<configuration>
    <system.web>
        <identity impersonate="true" />
    </system.web>
</configuration>

If this doesn't work then you might need to enable delegation for this machine in your Active Directory. See here: https://stackoverflow.com/a/1405666/5069465

fboers Avatar answered Oct 19 '22 00:10



To set the priority of a specific authentication provider you can move it up or down in the list of authentication providers. Open the Authentication feature of your web application in IIS Manager and select the Windows Authentication item. In the Actions pane click the Providers... action. The list of providers will be opened; you can add a specific provider and move it up.

[Screenshot: Authentication providers]

But I'm not sure that it will help you. You could run third party programs using the built-in IUSR or the application pool identity or a special user account (see Kev's post for details). Use authorization filters on the MVC controller that calls these programs to restrict access.

The @fboers post suggests the following idea to me: you could try to use Impersonation Authentication for your issue. Open the Authentication feature and enable ASP.NET Impersonation authentication, then click Edit in the Actions pane and select the Authenticated user option. In this case the IIS server should run applications under the specified security context.

Alexander Avatar answered Oct 19 '22 02:10
