Impersonate and IIS6 driving me nuts

your scenario will not work with ii5 or iis6.0. a search of this newsgroup
will give you lots of answers.

the short answer is windows authentication does not support delegation
(passing credentials from one server to another) and is limited to the one
hop rule, only a primary token can be passed to a second server. windows
authentication on iis (all versions) gives the thread a secondary
(impersonation) token which can not be used to access any network resouce.

your only option is basic (which gives iis a primary token), or digest which
supports delegation. digest requires AD and delegation to be enabled
(default is off).
-- bruce (sqlwork.com)


"Bjoern Wolfgardt" <gi***************@removeme-cigate.de> wrote in message
news:#r**************@TK2MSFTNGP09.phx.gbl...

Hi NG,

I have written some Apps in ASP.NET that access a SQL Server on another
machine. I never had a problem doing this in IIS5(.1).
Most Apps are Intranet Application where I use the integrated windows
authentication. So my webconfig uses <identity impersonate="true"/>. My
Problem is that I now had to install one app on a Windows 2003 Server. I
tried to run my app but I allways get the error that anonymous access is not allowed.

So here is what I did right now:
- I tried to create a new AppPool. I assigned the app to the new AppPool. I changed the Identity to 'local system'. I allowed delegation for this
machine (the iis machine). Same Error.
- I configured the AppPool to use my account and added my account to the
local group (IIS_WPG). After that I was prompted to enter my credentials if I access the website. But my creds are not accepted.

I have to use integrated windows authentication (and it's the only
authentication that is enabled).
If I use simple authentication (I did to test it) all works fine.
btw: Impersonation works. I checked
System.Web.HttpContext.Current.User.Identity.Name and it is the user that
accesses the website.

thx in advance
Bjoern

Do you need authentication for the whole website or just one of two specific
operations?
--
Shiv R. Kumar
http://www.matlus.com

Thx,

I thought this is one of the key features of Kerberos (which integrated
authentication will use). And a look at AD Users and Computers on the
delegation tab will show that it requires Kerberos.

Do you have any good articles about this ???

cu
Bjoern
"bruce barker" <no***********@safeco.com> schrieb im Newsbeitrag
news:O%****************@TK2MSFTNGP09.phx.gbl...

your scenario will not work with ii5 or iis6.0. a search of this newsgroup
will give you lots of answers.

the short answer is windows authentication does not support delegation
(passing credentials from one server to another) and is limited to the one
hop rule, only a primary token can be passed to a second server. windows
authentication on iis (all versions) gives the thread a secondary
(impersonation) token which can not be used to access any network resouce.

your only option is basic (which gives iis a primary token), or digest which supports delegation. digest requires AD and delegation to be enabled
(default is off).
-- bruce (sqlwork.com)


"Bjoern Wolfgardt" <gi***************@removeme-cigate.de> wrote in message
news:#r**************@TK2MSFTNGP09.phx.gbl...

Hi NG,

I have written some Apps in ASP.NET that access a SQL Server on another
machine. I never had a problem doing this in IIS5(.1).
Most Apps are Intranet Application where I use the integrated windows
authentication. So my webconfig uses <identity impersonate="true"/>. My
Problem is that I now had to install one app on a Windows 2003 Server. I
tried to run my app but I allways get the error that anonymous access is not

allowed.

So here is what I did right now:
- I tried to create a new AppPool. I assigned the app to the new AppPool. I

changed the Identity to 'local system'. I allowed delegation for this
machine (the iis machine). Same Error.
- I configured the AppPool to use my account and added my account to the
local group (IIS_WPG). After that I was prompted to enter my credentials

if

I access the website. But my creds are not accepted.

I have to use integrated windows authentication (and it's the only
authentication that is enabled).
If I use simple authentication (I did to test it) all works fine.
btw: Impersonation works. I checked
System.Web.HttpContext.Current.User.Identity.Name and it is the user

that accesses the website.

thx in advance
Bjoern

Thx,

I need it for the whole website (for the SQL Connection).

cu
Bjoern

"Shiv Kumar" <sh***@erolsnoooospaaaam.com> schrieb im Newsbeitrag
news:ed**************@TK2MSFTNGP11.phx.gbl...

Do you need authentication for the whole website or just one of two specific operations?
--
Shiv R. Kumar
http://www.matlus.com

Sorry it's me again.

I found this (taken from IIS6 resource kit - Managing a Secure IIS 6.0
Solution):
Constrained delegation is particularly useful in scenarios in which a site
that requires authentication - a site that does not allow anonymous access -
contains content that is housed on a remote UNC file server. With
constrained delegation, you can enable Integrated Windows authentication,
which can use NTLM authentication or send credentials across the network as
a Kerberos token. For more information about Integrated Windows
authentication, see "Integrated Windows Authentication" earlier in this
chapter.
If you do not use constrained delegation but you enable Integrated Windows
authentication, the token that the Web server obtains from the security
infrastructure of Windows does not have sufficient permissions to access
another computer, such as your file server. However, with constrained
delegation and Integrated Windows authentication, the token received by the
Web server from the security infrastructure of Windows is a Kerberos-based
token with permission to access other computers, including the file server.
Essentially, constrained delegation allows an NTLM-based token to be
upgraded to a Kerberos-based token.

Do I missunderstand this? This is what I want todo...

cu
Bjoern

"Bjoern Wolfgardt" <gi***************@removeme-cigate.de> schrieb im
Newsbeitrag news:u1**************@TK2MSFTNGP10.phx.gbl...

Thx,

I thought this is one of the key features of Kerberos (which integrated
authentication will use). And a look at AD Users and Computers on the
delegation tab will show that it requires Kerberos.

Do you have any good articles about this ???

cu
Bjoern
"bruce barker" <no***********@safeco.com> schrieb im Newsbeitrag
news:O%****************@TK2MSFTNGP09.phx.gbl...

your scenario will not work with ii5 or iis6.0. a search of this newsgroup

will give you lots of answers.

the short answer is windows authentication does not support delegation
(passing credentials from one server to another) and is limited to the one hop rule, only a primary token can be passed to a second server. windows
authentication on iis (all versions) gives the thread a secondary
(impersonation) token which can not be used to access any network resouce.
your only option is basic (which gives iis a primary token), or digest

which

supports delegation. digest requires AD and delegation to be enabled
(default is off).
-- bruce (sqlwork.com)


"Bjoern Wolfgardt" <gi***************@removeme-cigate.de> wrote in message news:#r**************@TK2MSFTNGP09.phx.gbl...

Hi NG,

I have written some Apps in ASP.NET that access a SQL Server on another machine. I never had a problem doing this in IIS5(.1).
Most Apps are Intranet Application where I use the integrated windows
authentication. So my webconfig uses <identity impersonate="true"/>. My Problem is that I now had to install one app on a Windows 2003 Server. I tried to run my app but I allways get the error that anonymous access is

not

allowed.

So here is what I did right now:
- I tried to create a new AppPool. I assigned the app to the new AppPool.

I

changed the Identity to 'local system'. I allowed delegation for this
machine (the iis machine). Same Error.
- I configured the AppPool to use my account and added my account to

the local group (IIS_WPG). After that I was prompted to enter my

credentials if

I access the website. But my creds are not accepted.

I have to use integrated windows authentication (and it's the only
authentication that is enabled).
If I use simple authentication (I did to test it) all works fine.
btw: Impersonation works. I checked
System.Web.HttpContext.Current.User.Identity.Name and it is the user

that accesses the website.

thx in advance
Bjoern

Digest is the micorosft name for Kerberos, and only works with AD users.
also delegation is turned off by default.

-- bruce (sqlwork.com)

"Bjoern Wolfgardt" <gi***************@removeme-cigate.de> wrote in message
news:u1**************@TK2MSFTNGP10.phx.gbl...

Thx,

I thought this is one of the key features of Kerberos (which integrated
authentication will use). And a look at AD Users and Computers on the
delegation tab will show that it requires Kerberos.

Do you have any good articles about this ???

cu
Bjoern
"bruce barker" <no***********@safeco.com> schrieb im Newsbeitrag
news:O%****************@TK2MSFTNGP09.phx.gbl...

your scenario will not work with ii5 or iis6.0. a search of this newsgroup

will give you lots of answers.

the short answer is windows authentication does not support delegation
(passing credentials from one server to another) and is limited to the one hop rule, only a primary token can be passed to a second server. windows
authentication on iis (all versions) gives the thread a secondary
(impersonation) token which can not be used to access any network resouce.
your only option is basic (which gives iis a primary token), or digest

which

supports delegation. digest requires AD and delegation to be enabled
(default is off).
-- bruce (sqlwork.com)


"Bjoern Wolfgardt" <gi***************@removeme-cigate.de> wrote in message news:#r**************@TK2MSFTNGP09.phx.gbl...

Hi NG,

I have written some Apps in ASP.NET that access a SQL Server on another machine. I never had a problem doing this in IIS5(.1).
Most Apps are Intranet Application where I use the integrated windows
authentication. So my webconfig uses <identity impersonate="true"/>. My Problem is that I now had to install one app on a Windows 2003 Server. I tried to run my app but I allways get the error that anonymous access is

not

allowed.

So here is what I did right now:
- I tried to create a new AppPool. I assigned the app to the new AppPool.

I

changed the Identity to 'local system'. I allowed delegation for this
machine (the iis machine). Same Error.
- I configured the AppPool to use my account and added my account to

the local group (IIS_WPG). After that I was prompted to enter my

credentials if

I access the website. But my creds are not accepted.

I have to use integrated windows authentication (and it's the only
authentication that is enabled).
If I use simple authentication (I did to test it) all works fine.
btw: Impersonation works. I checked
System.Web.HttpContext.Current.User.Identity.Name and it is the user

that accesses the website.

thx in advance
Bjoern