0
votes

I am using Windows Authentication Mode/Negotiate.

Server 2012 R2, IIS 8.5. Windows authentication and ASP.NET impersonation are on. WebServer is calling an ASMX on serviceServer.

If the site is hosted on the default web site (URL is http:/Test/access.apx), calling the service server ASMX works fine.

But if I host the website at (http://Test/access.apx) on the same and mapped the Domain if http://Test to . it opened the 1st page but calls to is failing. I am getting the following error:

The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'

I tried Wireshark. Interestingly, when the URL is "http:/Test/access.apx" it's sending Negotiate security data, but in the case of (http://Test/access.apx) it's sending an NTLM security context.

Also, I set the domain Delegation to "Trust this computer for delegation to any service", then tried with SPN "Trust this account for delegation to any service", as per http://blogs.msdn.com/b/chiranth/archive/2014/04/17/setting-up-kerberos-authentication-for-a-website-in-iis.aspx

Please suggest how to pass the Windows authentication/Negotiate context to the ASMX in the case of non-server-name websites. Thanks


2 Answers

0
votes

In my case I had an http website (A) calling an https website (B), which was supposed to call back the http website (A). But the problem was that the URL address in the web.config of B pointed to https, therefore it didn't work.

So I changed the binding of the original website (A) to https and everything started working.

-1
votes

Finally got it right.

Followed these steps:

  • Added a new AD/service user and allowed "Trust this user for delegation to any service"

  • Updated SPN

setspn -s http/test Domain\serviceuser

setspn -s http/test.domain.com Domain\serviceuser

  • Open IIS

  • Select Website

  • Select Authentication

      - Disable Anonymous

      - Enable ASP.NET Impersonation

      - Enable Windows Authentication

      - Set Providers: Negotiate, NTLM

  • Select Website

  • Select 'Configuration Editor'

  • Select 'system.webServer/security/authentication/windowsAuthentication'

      - Set authPersistNonNTLM to False

      - Set useAppPoolCredentials to True

      - Set useKernelMode to True
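
To confirm which mechanism a request actually carried (the Negotiate versus NTLM difference seen in Wireshark in the question, and what should change once the SPNs are registered), the token in the Authorization header can be classified by its leading bytes. This is an added example, not code from the original posts; the function name, the byte-signature heuristic and the sample tokens are constructed for illustration.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"                                # signature that starts every NTLM message
SPNEGO_OID = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
KRB5_OIDS = (bytes.fromhex("06092a864886f712010202"),   # 1.2.840.113554.1.2.2
             bytes.fromhex("06092a864882f712010202"))   # 1.2.840.48018.1.2.2 (legacy MS)
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}


def classify(header_value):
    """Classify an Authorization header value as (mechanism, detail)."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm") or not b64.strip():
        return ("unknown", "no Negotiate/NTLM token present")
    try:
        blob = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return ("unknown", "token is not valid base64")
    # An NTLM message may be sent raw or wrapped in SPNEGO; either way the
    # NTLMSSP signature is present. A Kerberos token may list the NTLM OID
    # as an alternative mechanism but does not carry this signature.
    pos = blob.find(NTLMSSP)
    if pos != -1 and len(blob) >= pos + 12:
        msg = int.from_bytes(blob[pos + 8:pos + 12], "little")
        wrapper = "raw" if pos == 0 else "inside SPNEGO"
        return ("ntlm", f"{wrapper}, type {msg} ({NTLM_TYPES.get(msg, 'unknown')})")
    # 0x60 opens a GSS-API initial context token (base64 begins with 'Y').
    if blob[:1] == b"\x60" and any(oid in blob for oid in KRB5_OIDS):
        via = "SPNEGO" if SPNEGO_OID in blob else "bare GSS-API"
        return ("kerberos", f"Kerberos mechanism offered via {via}")
    return ("unknown", "unrecognised token layout")


# Constructed sample tokens (not captured traffic).
_ntlm_type1 = NTLMSSP + (1).to_bytes(4, "little") + bytes.fromhex("078208a2") + bytes(16)
_spnego_krb = (bytes.fromhex("601b") + SPNEGO_OID +
               bytes.fromhex("a011300fa00d300b") + KRB5_OIDS[0])
SAMPLES = {
    "kerberos": "Negotiate " + base64.b64encode(_spnego_krb).decode(),
    "ntlm": "Negotiate " + base64.b64encode(_ntlm_type1).decode(),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, "->", classify(value))
```

A header value that starts with `Negotiate TlRMTVNT` is NTLM even though the scheme says Negotiate, which matches the case where the client could not obtain a Kerberos ticket for the host name in the URL.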