An Operation Error Occurred

  • Question

  • Hello All,

     

    I am trying to achieve delegation on ASP.NET website. The website calls AD libraries to extract AD attributes values.

     

    Below is the configuration I have done so far: [I am able to retrieve the values while browsing from the IIS machine, but not from any remote machine in the domain. Hence delegation is not working for me.]

     

    IIS Server: 2012R2IIS

    AppPoolIdentity: contoso\administrator (This is a domain admin and has all permissions on AD)

     

    • Enabled ASP.NET impersonation and Windows Authentication in the IIS Authentication section. (Rest all Authentication disabled). On Windows Authentication, I have selected only Negotiate: Kerberos from providers and enabled Kernel Mode Authentication in the Advanced section.
    • I have also got <authentication mode="Windows"/> and <identity impersonate="true"/> in the System.web section.
    • I have also added SPNs as SetSpn -s http/2012R2IIS:80 administrator, SetSpn -s http/2012R2MEM.contoso.com:80 administrator, SetSpn -s http://2012R2IIS administrator etc.
    • Also marked the IIS Server (2012R2IIS) and the IIS identity account (contoso\administrator) for delegation using Kerberos in AD.

     

     

    I am getting the below error while trying from a remote machine:

    Thursday, August 4, 2016 11:26 AM

Answers

  • Hi Harkirat IIIT,

    Delegation relies on Integrated Windows authentication to access resources. There is no limit on the number of computers to which you can delegate your account. Please check if the following two conditions exist:

    1.  Set up your network to use the Kerberos authentication protocol, which requires Active Directory.

    2.  Set up the computers and accounts on your network as trusted for delegation.

    If these conditions are not true, you cannot use Integrated Windows authentication to access data on a remote resource because Integrated Windows authentication only gives you access to the IIS server and not to the additional resources configured for Windows authentication that the IIS server remotely accesses.

    For more information, please refer to:

    #How to configure an ASP.NET application for a delegation scenario

    https://support.microsoft.com/en-sg/kb/810572

    #How To: Use Impersonation and Delegation in ASP.NET 2.0

    https://msdn.microsoft.com/en-us/library/ff647404.aspx

    Best regards,

    Cole Wu



    Friday, August 5, 2016 5:54 AM
    Moderator
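
A read-only check of the two conditions listed in the answer, as an added example that is not part of the original thread: it reports the delegation mode and registered SPNs of the app pool identity and the IIS host, and tests the SPN strings quoted in the question against the `serviceclass/host[:port]` form. It assumes the RSAT ActiveDirectory module is installed; `Test-SpnSyntax` and `Get-DelegationState` are hypothetical helper names, and the account, host and SPN values are the ones given in the question.

```powershell
# Added example (not from the thread). Read-only; requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-SpnSyntax {
    param([string]$Spn)
    # serviceclass/host[:port][/servicename]; a URL scheme such as "http://" does not match
    return $Spn -match '^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(:\d{1,5})?(/\S+)?$'
}

function Get-DelegationState {
    param([Parameter(Mandatory)]$Principal)   # object from Get-ADUser or Get-ADComputer
    # Drop empty values so an unset attribute counts as zero targets
    $targets = @($Principal.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    if ($Principal.TrustedForDelegation) { $mode = 'Unconstrained (any service)' }
    elseif ($targets.Count -gt 0)        { $mode = 'Constrained (listed services only)' }
    else                                 { $mode = 'Not trusted for delegation' }
    [pscustomobject]@{
        Name               = $Principal.SamAccountName
        DelegationMode     = $mode
        ProtocolTransition = [bool]$Principal.TrustedToAuthForDelegation
        AllowedTargets     = $targets -join '; '
        RegisteredSpns     = @($Principal.ServicePrincipalNames) -join '; '
    }
}

$props = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
         'msDS-AllowedToDelegateTo', 'ServicePrincipalNames'

# App pool identity and IIS host named in the question
Get-ADUser -Identity 'administrator' -Properties $props |
    ForEach-Object { Get-DelegationState $_ } | Format-List
Get-ADComputer -Identity '2012R2IIS' -Properties $props |
    ForEach-Object { Get-DelegationState $_ } | Format-List

# SPN strings as typed in the question and in its correction
'http/2012R2IIS:80', 'http/2012R2IIS.contoso.com:80', 'http://2012R2IIS' |
    ForEach-Object { [pscustomobject]@{ Spn = $_; WellFormed = (Test-SpnSyntax $_) } } |
    Format-Table -AutoSize

# An SPN must be registered on exactly one account; -X lists duplicates in the domain
setspn -X
```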

All replies

  • Correction:

    I have also added SPNs as SetSpn -s http/2012R2IIS:80 administrator , SetSpn -s http/2012R2IIS.contoso.com:80 administrator , SetSpn -s http://2012R2IIS administrator etc

    Thursday, August 4, 2016 11:27 AM