Some WebApp users are not delegated
Dec 13, 2019 06:15 AM|DimitarVasilevBG
Hi All,
I'm out of ideas and would like to ask for your opinion on where to look for the problem with some user accounts.
I have a web application which impersonates the user.
The application pool account has "Trust this user for delegation to any service" set, and the SPN is configured using an article like this
The WebApp starts with this code:

    using System.Security.Principal;

    WindowsIdentity identity = WindowsIdentity.GetCurrent();
    // Logging user, domain and impersonation level into debug log file using SerilogAdapter
    _logger.Information($"Bootstrapper: Identity - [{identity.Name}]; ImpersonationLevel: [{identity.ImpersonationLevel}]");

I'm expecting ImpersonationLevel "Delegation" in order for the WebApp to work properly, and for 90% of the users it's working as expected.
I already looked at "adminCount", "Account is sensitive and cannot be delegated" and group membership (they are regular users, and they belong to about 80 groups).
The computer is a member of one of the child domains, the AppPool account is in a different child domain and the users come from a 3rd child domain. Forest level is 2012, domain level 2012. There are cases where users with the issue are in the same OU as users with normal behaviour.
What am I missing? Any ideas will be highly appreciated.
Regards,
Dimitar
Re: Some WebApp users are not delegated
Dec 16, 2019 11:35 AM|DimitarVasilevBG
Hi All,
The issue was found and it's related to the Kerberos token.
I set both parameters to their maximum values, as explained in this article.
Regards,
Dimitar
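An added example, not code from the thread: it extends the startup logging shown in the question with the authentication type, the number of group SIDs in the token and a rough token-size estimate based on Microsoft's published formula, so the values for a working user and a failing user can be compared in the same log. The names `DelegationDiagnostics`, `Describe` and `EstimateTokenSize` are hypothetical, and the split of SIDs into own-domain and other is an assumption made for the estimate.

```csharp
using System;
using System.Linq;
using System.Security.Principal;

// Added diagnostic with hypothetical names; not the poster's code.
public static class DelegationDiagnostics
{
    // Microsoft's published estimate: TokenSize = 1200 + 40d + 8s (bytes), where
    // d = domain local groups, universal groups from other domains and sidHistory SIDs,
    // s = global groups and universal groups from the account's own domain.
    public static int EstimateTokenSize(int d, int s) => 1200 + 40 * d + 8 * s;

    public static string Describe(WindowsIdentity identity)
    {
        SecurityIdentifier userDomain = identity.User?.AccountDomainSid;
        var sids = (identity.Groups ?? new IdentityReferenceCollection())
            .OfType<SecurityIdentifier>().ToList();

        // Heuristic (assumption): a group's scope cannot be read from its SID, so
        // SIDs from the user's own domain count as "s" and everything else as "d".
        int s = sids.Count(g => userDomain != null && userDomain.Equals(g.AccountDomainSid));
        int d = sids.Count - s;

        return $"Identity - [{identity.Name}]; AuthenticationType: [{identity.AuthenticationType}]; " +
               $"ImpersonationLevel: [{identity.ImpersonationLevel}]; GroupSids: [{sids.Count}]; " +
               $"EstimatedTokenBytes: [{EstimateTokenSize(d, s)}]";
    }

    public static void Main()
    {
        // In the web application, pass the impersonated identity and write the
        // result with the existing logger instead of the console.
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
        {
            Console.WriteLine(Describe(identity));
        }
    }
}
```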