Question
I am making a .Net Web API that gets data by calling an SQL server. The user is authenticated via Windows Authentication (Kerberos). I would like the user credentials to be passed to the SQL server via delegation, but the SQL server sees an anonymous user.
This is what I have done:
IIS application: Windows Authentication and asp.net impersonation enabled. Anonymous and forms authentication disabled. Enable kernel mode authentication is checked. Providers: Negotiate, Kerberos. Use app pool credentials: True.
Application pool: Managed pipeline mode: Classic. Identity: Network service.
In AD, the computer the web server runs on is set to "Trust this computer for delegation to any specific service (Kerberos only)"
The connection string to the SQL server contains Integrated Security=SSPI;
Edit: In my web.config I have
<system.web>
  <authentication mode="Windows" />
  <identity impersonate="true" />
</system.web>
and
<security>
  <authentication>
    <windowsAuthentication enabled="true">
      <providers>
        <clear />
        <add value="Negotiate" />
        <add value="Kerberos" />
      </providers>
      <extendedProtection tokenChecking="None" />
    </windowsAuthentication>
    <anonymousAuthentication enabled="false" />
  </authentication>
</security>
The generic HOST SPN is set for the machine.
From the browser I access the web application via http://machinename.domain.net.
I would expect in this setup that my IIS application is run under the machine account?
When I catch a request in the debugger on the web server, I can see that WindowsIdentity.GetCurrent().Name is the account of the user browsing the web application and WindowsIdentity.GetCurrent().AuthenticationType is set to "Kerberos". So that should be good.
However WindowsIdentity.GetCurrent().ImpersonationLevel is only set to "Impersonate". I would have expected it to be set to "Delegate"?
When I make a request to the SQL server, I get "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" so obviously the user credentials are not passed to the SQL server.
I hope someone can see what I am doing wrong. I really need a push in the right direction.
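A diagnostic endpoint for the situation described in the question, added here as an example and not code from the original post: it reports what WindowsIdentity.GetCurrent() looks like under the impersonated request, only attempts the second hop when the token is actually delegatable (TokenImpersonationLevel.Delegation), and asks SQL Server which login it sees. The controller name, route and connection string are assumptions; SUSER_SNAME() is standard T-SQL.

```csharp
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web.Http;

// Hypothetical Web API controller; call it from the browser as /api/delegationcheck
// while authenticated with Windows Authentication to see the identity the app holds.
public class DelegationCheckController : ApiController
{
    // Constructed placeholder; replace with the real server name.
    private const string ConnectionString =
        "Server=sqlhost.domain.net;Database=master;Integrated Security=SSPI;";

    [HttpGet]
    public IHttpActionResult Get()
    {
        // With <identity impersonate="true" /> this is the browsing user's token,
        // not the application pool identity.
        WindowsIdentity identity = WindowsIdentity.GetCurrent();

        var report = new
        {
            Name = identity.Name,
            AuthenticationType = identity.AuthenticationType,   // expect "Kerberos", not "NTLM"
            ImpersonationLevel = identity.ImpersonationLevel.ToString(),
            // Only a Delegation-level token can be forwarded to SQL Server;
            // an Impersonation-level token produces ANONYMOUS LOGON on the second hop.
            CanDelegate = identity.ImpersonationLevel == TokenImpersonationLevel.Delegation
        };

        if (!report.CanDelegate)
        {
            return Ok(new { report, SqlLogin = "skipped: token is not delegatable" });
        }

        try
        {
            using (var conn = new SqlConnection(ConnectionString))
            using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
            {
                conn.Open();
                // SQL Server's view of who connected; should equal report.Name.
                string sqlLogin = (string)cmd.ExecuteScalar();
                return Ok(new { report, SqlLogin = sqlLogin });
            }
        }
        catch (SqlException ex)
        {
            return Ok(new { report, SqlLogin = "failed: " + ex.Message });
        }
    }
}
```

If AuthenticationType shows "NTLM" the browser never obtained a Kerberos ticket for the site, so no delegation setting on the server side can help; that is the case the first answer below describes.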
Answer 1:
For future reference if someone runs into the same issue: The issue was that we tried from Chrome. It works in IE, but on Chrome the registry change mentioned in this post was needed: Kerberos delegation doesn't work in chrome
Answer 2:
You should be able to set the Authentication to ASP.NET Impersonation within IIS. You will probably be required to set the following in your web.config file too, as part of the <system.web> section.
<identity impersonate="true" />
This may be required in the <system.webServer> section too, although not always recommended due to security concerns.
<validation validateIntegratedModeConfiguration="false" />
Source: https://stackoverflow.com/questions/33086165/asp-net-delegation