The double-hop to Exchange (EWS) via web site (IIS 7) without setting browsers negotiate delegation list

  • Question

  • Hello,

    I have an ASP.NET MVC 5 application hosted by IIS 7 that allows basic CRUD operations on a user's Exchange calendar items (meetings, appointments). All users are in the domain. In IIS: win authorization - on; impersonation - on; useKernelMode - on; AppPool - ApplicationPoolIdentity.

    Mostly done as written here https://stackoverflow.com/questions/41424890/ews-managed-api-double-hop

    If I set up the browser's NegotiateDelegate white-list on the client machine, my site doesn't ask for login\pass and logs in immediately. Everything is good: the default credentials pass to Exchange (2016), so I can see (or create, update) my calendar's items on a web page.

    If I don't set up browsers for delegation, the site asks for the domain login\pass, but Exchange returns "The request failed. The remote server returned an error: (401) Unauthorized."

    In both cases (whether or not the site asks for a login), I obtain WindowsIdentity.GetCurrent().Name and other AD properties such as email, ExtensionAttribute.

    My question: is it possible to pass default credentials without configuring browsers? Each browser is configured differently and it's not good to customize them for each user individually. Or maybe I should use a different method than Kerberos (NTLM)?

    Sorry for my English.

    Friday, December 7, 2018 8:27 AM

All replies

  • You can give it a try by enabling basic authentication for the Exchange Web Services virtual directory.

    However, using basic authentication is not recommended by Microsoft.

    Thanks, Ashish MCITP, MCT, MCSE

    Tuesday, January 8, 2019 1:29 PM