finn.du
Member
11 Points
14 Posts
Windows authentication, ASP.net impersonation
Jul 20, 2012 08:43 PM
I want to use the logged-in user's credentials to run the application, since I have third-party apps running in my ASP.NET website.
I enabled Windows authentication and ASP.NET impersonation in IIS7. It can tell who is logged in, but it does not run the ASP.NET application under the logged-in user's account.
What's the problem here?
Please Help me.
Thanks very much.
BrockAllen
All-Star
27522 Points
4901 Posts
MVP
Re: Windows authentication, ASP.net impersonation
Jul 20, 2012 08:50 PM
What resource are you trying to access as the end-user? If it's a local resource, then impersonation is sufficient. If it's a remote resource then you will need to configure delegation (which you can think of like impersonation but on the network).
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
finn.du
Re: Windows authentication, ASP.net impersonation
Jul 20, 2012 08:59 PM
Thanks for your reply.
The third party app helps me connect to remote servers and manage remote resources.
So that needs the logged in users' credential to connect to remote server.
Can ASP.NET delegation solve this problem?
BrockAllen
Re: Windows authentication, ASP.net impersonation
Jul 20, 2012 09:22 PM
Kerberos delegation is what you need to configure. There are three pieces:
1) You need to configure the app pool for your application in IIS to run as a dedicated domain account.
2) That domain account needs to have a SPN configured for it.
3) That domain account needs to be configured in AD to be trusted for constrained delegation to the remote server you need to authenticate with.
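The three pieces above, scripted in PowerShell on the web server. This is an added example, not code from the thread or from Brock; every name in it is an assumption (the domain CORP, the pool account CORP\svc-web, the browser host name web.corp.example.com, the app pool FinnPool under Default Web Site, and a single back-end SQL Server sql01.corp.example.com:1433 as the delegation target). It also sets useAppPoolCredentials, which is the IIS7 setting most often missed once the pool stops running as NETWORK SERVICE, and ends with the checks to run before blaming the code.

```powershell
#Requires -Modules ActiveDirectory, WebAdministration
# Added example, not code from the thread. Names below are assumptions:
#   CORP\svc-web                 dedicated domain account for the app pool
#   web.corp.example.com         host name users type into the browser
#   FinnPool / Default Web Site  app pool and site that host the application
#   sql01.corp.example.com:1433  the one remote service the code calls
# Run elevated on the IIS box as someone who may edit svc-web in AD.
$ErrorActionPreference = 'Stop'

$svc     = 'svc-web'
$svcDom  = "CORP\$svc"
$webHost = 'web.corp.example.com'
$pool    = 'FinnPool'
$site    = 'Default Web Site'
# SPNs of the remote services the code actually talks to; nothing broader.
$targets = @('MSSQLSvc/sql01.corp.example.com:1433', 'MSSQLSvc/sql01.corp.example.com')

# 1) The app pool runs as the dedicated domain account, not NETWORK SERVICE.
$secure = Read-Host -Prompt "Password for $svcDom" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
Set-ItemProperty -Path "IIS:\AppPools\$pool" -Name processModel `
    -Value @{ identityType = 'SpecificUser'; userName = $svcDom; password = $plain }
$plain = $null

# Kernel-mode Windows authentication decrypts service tickets with the
# MACHINE account's key. Once the HTTP SPN belongs to svc-web instead, IIS
# has to use the pool identity's key, or every Kerberos ticket fails and
# browsers quietly fall back to NTLM, which can never be delegated.
$wa   = '/system.webServer/security/authentication/windowsAuthentication'
$anon = '/system.webServer/security/authentication/anonymousAuthentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $anon -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $wa   -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $wa   -Name useAppPoolCredentials -Value $true

# 2) HTTP SPNs for the account (FQDN and short name, whatever users browse to).
$svcObj = Get-ADUser -Identity $svc
$spns   = @("HTTP/$webHost", "HTTP/$($webHost.Split('.')[0])")
foreach ($spn in $spns) {
    # A duplicate SPN anywhere in the forest silently breaks Kerberos for both owners.
    $dupes = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" |
        Where-Object { $_.DistinguishedName -ne $svcObj.DistinguishedName })
    if ($dupes.Count -gt 0) { throw "$spn is already registered on $($dupes[0].DistinguishedName)" }
}
Set-ADUser -Identity $svc -ServicePrincipalNames @{ Add = $spns }

# 3) Constrained delegation, Kerberos only, to exactly the listed targets.
Set-ADUser -Identity $svc -Add @{ 'msDS-AllowedToDelegateTo' = $targets }
# Keep the two broader options off: unconstrained delegation and
# protocol transition ("use any authentication protocol").
Set-ADAccountControl -Identity $svc -TrustedForDelegation $false -TrustedToAuthForDelegation $false

# Checks to run before blaming the code.
Get-ADUser -Identity $svc -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedForDelegation |
    Format-List Name, servicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedForDelegation

# A caller marked "Account is sensitive and cannot be delegated" never gets a
# forwardable ticket, however correct the server side is.
function Test-CallerCanBeDelegated([string]$SamAccountName) {
    -not (Get-ADUser -Identity $SamAccountName -Properties AccountNotDelegated).AccountNotDelegated
}
Test-CallerCanBeDelegated -SamAccountName 'jdoe'   # assumed test user

Restart-WebAppPool -Name $pool   # only a fresh worker process picks up the new identity and tickets
```

Two things the script deliberately does not do: it never grants "Trust this user for delegation to any service" (that is the unconstrained form Brock warns about below), and it never turns on protocol transition, because the browser already authenticates to IIS with Kerberos, so there is no non-Kerberos identity to transition from.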
finn.du
Re: Windows authentication, ASP.net impersonation
Jul 20, 2012 11:50 PM
Thanks again for your reply.
Is it possible to delegate to the server machine? So I run Network Service in the app pool in IIS, and use this server as trusted for delegation. Then I do not need an additional domain account.
If yes, after I have set up all the delegation, what else do I need to do before I can use the delegation? Is there no requirement for ASP.NET config?
BrockAllen
Re: Windows authentication, ASP.net impersonation
Jul 21, 2012 12:47 AM
Yes, that would work, but now any other app running in the Network Service app pool can do delegation. Configuring a custom account controls which applications can perform delegation. Delegation is a powerful and potentially dangerous thing :)
There is a setting in web.config you can set to impersonate, but that's not the best way. Rather, it's better to do the impersonation in code only for the places you need it. Here's a sample:
using System.Data.SqlClient;
using System.Security.Principal;

// Lives in a Page or handler, so Context is the current HttpContext.
public void DoWorkWithClientCreds()
{
    // grab client identity
    WindowsIdentity id =
        (WindowsIdentity)Context.User.Identity;
    // impersonation is automatically undone by
    // WindowsImpersonationContext.Dispose
    using (WindowsImpersonationContext wic = id.Impersonate())
    {
        using (SqlConnection con = new SqlConnection(
            "data source=BackEnd...;Integrated Security=SSPI"))
        {
            // access remote sql server
            // client identity flows off the box
            con.Open();
        }
    }
}
finn.du
Re: Windows authentication, ASP.net impersonation
Jul 22, 2012 12:34 AM
Thanks so much.
I'll try that solution next week.
finn.du
Re: Windows authentication, ASP.net impersonation
Aug 01, 2012 08:52 PM
Hi BrockAllen,
I just started setting up everything for the delegation. When I tried to set the properties of the machine I want to delegate to, I chose "trust this computer for delegation to specific services only", and then I needed to choose a service to delegate to. However, I found out that most people need to delegate to the SQL service, but I do not know which service I need to delegate to. My ASP.NET site is going to run an application, and I need that application to be run in the delegated user's account.
So it should be iisadmin service?
thanks for your help
BrockAllen
Re: Windows authentication, ASP.net impersonation
Aug 02, 2012 03:10 PM
Constrained delegation allows you to control what it is allowed to delegate to. You're saying you don't know what remote service the code will be trying to access? If you don't know then you could configure unconstrained delegation, but that's a lot more open for potential security risks.
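An added example, not from the thread, for the "which service do I delegate to" question and for the risk in the last answer. The entries under "trust this computer for delegation to specified services only" are the SPNs of the services the web app calls on the remote host (MSSQLSvc for SQL Server, cifs for a file share, HTTP for a web service, WSMAN for remoting); iisadmin on the web server itself is never one of them. Rather than guess, this script reads the SPNs registered for the remote host out of AD, then lists every account in the domain that already holds a delegation grant, flagging the unconstrained ones. It assumes the RSAT ActiveDirectory module; the host name sql01.corp.example.com is made up.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread. Lists the SPNs of a remote host (the
# candidates for the "specified services" list) and audits who in the domain
# already holds delegation rights. The host name below is an assumption.
param([string]$RemoteHost = 'sql01.corp.example.com')

# userAccountControl bits from the AD schema (not something the thread names):
$TRUSTED_FOR_DELEGATION         = 0x80000     # unconstrained: any caller, to any service
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # "use any authentication protocol"

function Get-SpnsForHost {
    # Every SPN, on any account, whose host part is $HostName (FQDN or short name).
    param([Parameter(Mandatory)][string]$HostName)
    $short   = $HostName.Split('.')[0]
    $pattern = '^[^/]+/(' + [regex]::Escape($HostName) + '|' + [regex]::Escape($short) + ')(:|/|$)'
    Get-ADObject -LDAPFilter "(|(servicePrincipalName=*/$HostName*)(servicePrincipalName=*/$short*))" `
                 -Properties servicePrincipalName, objectClass |
        ForEach-Object {
            $owner = $_
            # The LDAP wildcard also matches sql01-old and the like; the regex keeps only exact hosts.
            @($owner.servicePrincipalName) | Where-Object { $_ -match $pattern } | ForEach-Object {
                [pscustomobject]@{ Owner = $owner.Name; Class = $owner.objectClass; SPN = $_ }
            }
        }
}

function Get-DelegationGrants {
    # Accounts already trusted for delegation, split by how broad the grant is.
    $bitAnd = '1.2.840.113556.1.4.803'   # LDAP matching rule: bitwise AND
    $notDc  = '(!(primaryGroupID=516))(!(primaryGroupID=521))'   # DCs are unconstrained by design
    $unconstrained = Get-ADObject -Properties userAccountControl `
        -LDAPFilter "(&(userAccountControl:${bitAnd}:=${TRUSTED_FOR_DELEGATION})${notDc})"
    $constrained   = Get-ADObject -Properties userAccountControl, 'msDS-AllowedToDelegateTo' `
        -LDAPFilter '(msDS-AllowedToDelegateTo=*)'

    foreach ($o in @($unconstrained)) {
        [pscustomobject]@{ Account = $o.Name; Mode = 'UNCONSTRAINED'; Targets = '*' }
    }
    foreach ($o in @($constrained)) {
        $pt   = ($o.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
        $mode = if ($pt) { 'constrained + protocol transition' } else { 'constrained, Kerberos only' }
        [pscustomobject]@{
            Account = $o.Name
            Mode    = $mode
            Targets = (@($o.'msDS-AllowedToDelegateTo') -join ', ')
        }
    }
}

"SPNs registered for $RemoteHost (candidates for the 'specified services' list):"
Get-SpnsForHost -HostName $RemoteHost | Sort-Object SPN | Format-Table -AutoSize

'Existing delegation grants in the domain (anything UNCONSTRAINED deserves a second look):'
Get-DelegationGrants | Sort-Object Mode, Account | Format-Table -AutoSize -Wrap
```

If the first list comes back empty for the host your third-party component connects to, the remote service has no SPN registered and Kerberos to it cannot work at all, no matter how delegation is configured; fix that on the remote side first. The second list is the audit to rerun after the change: the web app's account should appear once, as "constrained, Kerberos only", with just the targets it needs.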