User-1882553206 posted
I'm setting up a IIS VM server to access a separate SQL Server VM, both machines running Windows Server 2016 and running on intranet. We're using windows authentication, and attemping to impersonate users through the machine account on IIS VM server machine.
We are building / deploying MVC IIS bits using ASP.NET Core.
I'm hitting the above (machine account login) error after having configured everything I can think of and referred to several postings. I've configured the following main items:
- Web Site setup with Windows Authentication, and ASP.NET Impersonation enabled, all other auth types disabled.
- Web Site Config Editor set "system.webServer/security/authentication/windowsAuthentication" : useKernelMode to True
- App Pool running .NET CLR Version "No Managed Code"
- App Pool using Classic Managed Pipeline Mode
- App Pool running as ApplicationPoolIdentity
- Confirmed HOST SPN registered for IIS VM machine account in AD (with setspn -L IISVMServer)
- Confirmed HOST SPN registered for SQL Server VM machine account in AD
- Confirmed ServiceClass/Host:Port registered for SQL Server VM in AD
- Registered SPN for IIS server machine account "Trust this computer for delegation to any service (Kerberos only)
- Plan to lock down to constrained delegation after getting unconstrained delegation working
- Tried running with / without web.config : "system.web identity impersonate="true" /system.web"
I previously posted http://forums.asp.net/p/2097886/6061062.aspx?Re+Kerberos+Double+Hop+Delegation+with+ASP+NET+Core+4+5+2+ which is indirectly related to this posting.
thanks, dave
