Delegating an impersonated account with ASP.NET


morten.ostergaard

Hello,

I'm developing a small file browsing service in ASP.NET and have some
problems. What I have done is this:

- An ASP.NET site configured with Windows authentication in Web.config
and in IIS
- Configured to use impersonation (actually only for the aspx pages
that do the file browsing service, but also tried it for the whole
site).
- Uses the file browsing services in System.IO

It works fine browsing files on the local machine - both through the
local file paths and UNC paths, and it seems to be using the
impersonated user for access rights. But as soon as I want to browse
files on other machines, it doesn't seem to delegate the user. I can
browse shares on other servers that are set with rights for "Everyone",
but not shares that the impersonated user has access to.

I have learned from posts on this newsgroup that both the user that is
being impersonated (the person that accesses the site) and the servers
involved should be configured to allow delegation, and I have done
that. The machine running IIS is a member server of a domain and the
server I'm trying to show shares from is the AD. The AD was already
set to "trust computer for delegation" in AD Users&Computers and I've
configured the other computer to do the same. The user is set to
"Account is trusted for delegation" - that is the user that accesses
the ASP.NET page. The ASPNET account is on the member server and it
doesn't have any setting for delegation. Btw. I'm running Windows 2000
on the servers and XP on the client.

Any ideas anyone? Are there other places where delegation should be
switched on? And do I need to do reboots to get the changes in effect?
I have tried to reboot IIS...

Best regards - and happy new year!
Morten Ostergaard Nielsen

Ken Schaefer

a) Verify that Kerberos (and not NTLM) is being used for authentication.
Kerberos is natively delegatable, NTLM is not.

b) Are you accessing the IIS server by http://servername or
http://servername.domainname.com? or some CNAME alias? If the latter you
will probably need to create an SPN

c) Are you running the web app pool under a custom user account (i.e. not
Network Service, Localsystem or Local Service)? If so, you need to register
the SPN under this user account, and not the machine account (the
machine account is where the SPN is registered by default when IIS is
installed). Use the SetSPN tool from the Windows 2000 Reskit Tools to do
this (you can download from the Microsoft website).

Those are the main things that I can see are missing from your description
below - maybe you've already done/checked these things - not sure from your
description though.

Cheers
Ken


morten.ostergaard

Hi Ken,

ad a) How do I check if I am running Kerberos? In IIS it is configured
with a tick in "Integrated Windows Authentication" only - no anonymous,
basic or digest authentication.

ad b) I've tried the URL as just the server name but also the FQN, but
I am not using any aliases.

ad c) I haven't changed anything regarding this, so I guess it runs in
the ASPNET account, or? Where can I see this?

Best regards
Morten
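A diagnostic for Ken's point (a) and for the follow-up question of how to tell Kerberos from NTLM, as an added example that is not code from the thread: a C# ASP.NET code-behind page (the class name DelegationCheck and the share path are assumptions; .NET 2.0 or later is required, because WindowsIdentity.ImpersonationLevel does not exist in .NET 1.x) that reports the authentication protocol and impersonation level of the caller's token and then attempts the second hop to a remote share.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

// Added diagnostic page (not code from the thread). Assumes .NET 2.0 or later,
// "Integrated Windows Authentication" only in IIS and
// <identity impersonate="true"/> in Web.config. Wire it up with
// <%@ Page Inherits="DelegationCheck" %> in an .aspx file.
public class DelegationCheck : Page
{
    // Hypothetical UNC path used to probe the second hop; replace with a real share.
    private const string RemoteShare = @"\\FILESERVER\share";

    protected void Page_Load(object sender, EventArgs e)
    {
        Response.ContentType = "text/plain";

        // Identity of the browser user as established by IIS / ASP.NET.
        WindowsIdentity caller = (WindowsIdentity)User.Identity;
        // Thread token actually used for file access while impersonating.
        WindowsIdentity current = WindowsIdentity.GetCurrent();

        Response.Write("Caller:             " + caller.Name + "\n");
        // "Kerberos" is delegatable; "NTLM" means no second hop is possible.
        // "Negotiate" only names the SSPI package: check the logon event in the
        // security log for the actual protocol in that case.
        Response.Write("AuthenticationType: " + caller.AuthenticationType + "\n");
        Response.Write("Impersonating as:   " + current.Name + "\n");
        // Delegation is needed for the second hop; Impersonation only works locally.
        Response.Write("ImpersonationLevel: " + current.ImpersonationLevel + "\n");

        // Probe the second hop. Access denied with a Kerberos/Delegation token above
        // points at SPN or "trust for delegation" settings; with NTLM it is expected.
        try
        {
            string[] entries = Directory.GetFileSystemEntries(RemoteShare);
            Response.Write("Second hop OK: " + entries.Length + " entries in " + RemoteShare + "\n");
        }
        catch (UnauthorizedAccessException ex)
        {
            Response.Write("Second hop denied: " + ex.Message + "\n");
        }
        catch (IOException ex)
        {
            Response.Write("Second hop failed: " + ex.Message + "\n");
        }
    }
}
```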

morten.ostergaard

Hi,

I just tried it again and now it works... Apparently the changes
regarding delegation needed the night to take effect - probably a
restart would have worked too? So basically all I had to do was to
enable delegation on the server that was running IIS and everything else
was standard configurations.

Best regards
Morten