I have a web application that calls an object of a referenced DLL/API that calls a WCF service.
Machine 1 = where the wcf service resides
Machine 2 = IIS server, the web application that uses the api that calls the service from Machine 1
My code:
using System.Security.Principal;
// identity is the caller's WindowsIdentity; impersonate it only for the duration of the API call
using (WindowsImpersonationContext ctx = identity.Impersonate())
{
    // Call to the API goes here
}
When I access the website from Machine 2 (IIS Server), it works. But when I access the website from another client machine, it gives me an error "The Request Token Could not be satisfied".
NOTE: The API is already final and cannot be modified anymore.
Any help would be greatly appreciated.
Thanks
You cannot do NTLM and then Kerberos over multiple hops (servers). You need to use Kerberos to delegate windows authentication over all the hops.
You need to configure SPNs to enable Kerberos to delegate authentication across machines.
To configure these, you will have to issue the following commands - assuming you have the right to modify AD:
SETSPN -S HTTP/Machine1 ADDomain\AppPoolCredential1
SETSPN -S HTTP/Machine1.domainname.com ADDomain\AppPoolCredential1
SETSPN -S HTTP/Machine2 ADDomain\AppPoolCredential2
SETSPN -S HTTP/Machine2.domainname.com ADDomain\AppPoolCredential2
Where ADDomain\AppPoolCredential is the credential of the app pool - note you cannot use Network Service as the app pool credential to get Kerberos delegation to work. You need to use a domain account.
In AD, you need to enable the following objects to allow Kerberos delegation:
ADDomain\AppPoolCredential1
ADDomain\AppPoolCredential2
Machine1
Machine2
For more information, see here
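To verify that the SPNs and delegation settings described above are actually in place before retesting the double hop, here is an added PowerShell check (not part of the original answer). It assumes the ActiveDirectory module is installed, uses the placeholder names from the answer (Machine1, Machine2, AppPoolCredential1/2, domainname.com), and flags unconstrained delegation so it can be scoped down to constrained delegation.

```powershell
# Added verification script; assumes the ActiveDirectory module and read access to AD.
# Account and host names are the answer's placeholders: replace them with your own.
Import-Module ActiveDirectory

# Each app pool account should hold exactly the SPNs registered with SETSPN -S.
$expected = @{
    'AppPoolCredential1' = @('HTTP/Machine1', 'HTTP/Machine1.domainname.com')
    'AppPoolCredential2' = @('HTTP/Machine2', 'HTTP/Machine2.domainname.com')
}

foreach ($account in $expected.Keys) {
    foreach ($spn in $expected[$account]) {
        # An SPN must resolve to exactly one object. A missing or duplicate SPN
        # makes Kerberos fail and clients silently fall back to NTLM, which
        # cannot cross the second hop (the symptom in the question).
        $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
        if ($holders.Count -eq 0) {
            Write-Warning "$spn is not registered; expected on $account"
        } elseif ($holders.Count -gt 1) {
            Write-Warning "$spn is a duplicate SPN held by: $($holders.sAMAccountName -join ', ')"
        } elseif ($holders[0].sAMAccountName -ne $account) {
            Write-Warning "$spn is held by $($holders[0].sAMAccountName), not $account"
        } else {
            Write-Output "$spn -> $account OK"
        }
    }
}

# Delegation state of the four objects the answer says to enable.
$props = @('TrustedForDelegation', 'msDS-AllowedToDelegateTo')
$objects = @(
    (Get-ADUser 'AppPoolCredential1' -Properties $props),
    (Get-ADUser 'AppPoolCredential2' -Properties $props),
    (Get-ADComputer 'Machine1' -Properties $props),
    (Get-ADComputer 'Machine2' -Properties $props)
)
foreach ($obj in $objects) {
    $targets = $obj.'msDS-AllowedToDelegateTo'
    if ($targets) {
        # Constrained delegation: may only forward credentials to the listed services.
        Write-Output "$($obj.SamAccountName): constrained delegation to $($targets -join ', ')"
    } elseif ($obj.TrustedForDelegation) {
        # Unconstrained delegation works but lets the account act as the user toward any service.
        Write-Warning "$($obj.SamAccountName): unconstrained delegation enabled; prefer constrained"
    } else {
        Write-Warning "$($obj.SamAccountName): delegation not enabled"
    }
}
```

Run it as a user with read access to AD after the SETSPN commands and the delegation changes; any warning printed is a reason the double hop will still fail or is wider than it needs to be.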