I have written a web application using the latest ASP.NET Core. We are successfully hosting the application using the HttpPlatformHandler and IIS 8.5 with Anonymous Authentication. We are required to use Kerberos Authentication and Kerberos Constrained Delegation.
Our Operations Administrator has set up all the required SPNs. We are using a service account, and all SPNs appear to be registered correctly. We have a number of other applications (SSRS, SharePoint, etc.) with similar setups.
In IIS I have completed the following steps:
- Created a New AppPool that is "No Managed Code" and "Integrated Pipeline"
- We are using the service account under "Identity"
- Created a New Web Application
- Windows Authentication "Enabled" with Negotiate as the primary provider
- Anonymous Authentication "Disabled"
- system.webServer/security/authentication/windowsAuthentication "useAppPoolCredentials = True" and "useKernelMode = False"
[Screen capture: system.webServer/security/authentication/windowsAuthentication settings]
- I have also ensured that under the HttpPlatform config forwardWindowsAuthToken is set to True
[Screen capture: HttpPlatform settings in IIS]
When I perform an HTTP GET from the Web API, my application throws an authentication error saying that the "service account" cannot log in to the server. This seemed very strange, so I am now running a Fiddler trace and found that before the authentication page is rendered I get three 401 errors.
The following results show that the WWW-Authenticate header (Negotiate) appears to be a Kerberos reply.
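As an added example, not part of the question above: the steps listed in the question, applied with the WebAdministration module, followed by the checks an administrator usually runs before suspecting the application itself (provider order, app pool identity, SPN lookup, and a classifier for the Negotiate token seen in the Fiddler trace). The site, application, pool, account and host names, and the sample tokens, are assumptions constructed for the example; replace them with your own.

```powershell
# Added example, not code from the original post. Applies the IIS settings the
# question lists and runs four checks. All names below are assumed values.
Import-Module WebAdministration

$site    = 'Default Web Site'          # assumed site name
$app     = 'KerberosApp'               # assumed application name
$pool    = 'KerberosAppPool'           # assumed "No Managed Code" app pool
$svcAcct = 'CONTOSO\svc-webapp'        # assumed service account holding the SPN
$fqdn    = 'kerberosapp.contoso.com'   # assumed host name the browser uses

$location = "$site/$app"
$winAuth  = 'system.webServer/security/authentication/windowsAuthentication'
$anonAuth = 'system.webServer/security/authentication/anonymousAuthentication'

# The authentication sections are locked at the server level by default, so
# write them as <location> overrides in applicationHost.config, not web.config.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location -Filter $anonAuth -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location -Filter $winAuth  -Name enabled -Value $true
# useAppPoolCredentials=true: decrypt the service ticket with the app pool account,
# i.e. the account that owns the HTTP/ SPN. useKernelMode=false keeps the
# kernel-mode (LocalSystem) context out of the ticket handling.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location -Filter $winAuth -Name useAppPoolCredentials -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location -Filter $winAuth -Name useKernelMode -Value $false

# HttpPlatformHandler hands the Windows identity to the child process only
# when this attribute is set in the application's own web.config.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site\$app" -Filter 'system.webServer/httpPlatform' -Name forwardWindowsAuthToken -Value $true

# Check 1: provider order. If NTLM is listed first, Kerberos-capable clients
# will still use NTLM, and an NTLM logon cannot be delegated.
$providers = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location -Filter "$winAuth/providers" -Name Collection).value
if ($providers[0] -ne 'Negotiate') {
    Write-Warning "Provider order is '$($providers -join ', ')'; Negotiate should be first"
}

# Check 2: the app pool really runs as the account that holds the SPN.
$poolIdentity = (Get-ItemProperty "IIS:\AppPools\$pool" -Name processModel).userName
if ($poolIdentity -ne $svcAcct) {
    Write-Warning "App pool runs as '$poolIdentity', expected '$svcAcct'"
}

# Check 3: the HTTP/ SPN for the name the client actually uses exists and maps
# to that one account. A duplicate SPN registration silently breaks Kerberos.
setspn -Q "HTTP/$fqdn"

# Check 4: classify a token copied from the Fiddler trace. "Negotiate" in the
# WWW-Authenticate header does not by itself mean Kerberos: NTLM can be sent
# raw under the Negotiate scheme or wrapped inside SPNEGO.
function Get-NegotiateTokenKind([string]$Base64Token) {
    $bytes = [Convert]::FromBase64String($Base64Token)
    $ascii = [Text.Encoding]::ASCII.GetString($bytes)
    if ($ascii.Contains('NTLMSSP')) { return 'NTLM (raw or wrapped in SPNEGO)' }
    switch ($bytes[0]) {
        0x60    { return 'SPNEGO NegTokenInit: Kerberos client request' }
        0xA1    { return 'SPNEGO NegTokenResp: server reply (Kerberos mutual auth)' }
        default { return 'Unknown token format' }
    }
}

# Constructed sample tokens (not captured from a real trace):
Get-NegotiateTokenKind 'TlRMTVNTUAABAAAA'   # NTLMSSP type 1 header  -> NTLM
Get-NegotiateTokenKind 'YAYGBCsGAQU='       # 0x60 application tag   -> SPNEGO NegTokenInit
```

In a healthy Kerberos exchange the client's first `Authorization: Negotiate` token decodes to a `0x60` SPNEGO blob with no `NTLMSSP` inside and the server's final `WWW-Authenticate: Negotiate` token starts with `0xA1`; a token beginning with `TlRMTVNT` is NTLM, and constrained delegation will not work from an NTLM logon regardless of the IIS settings.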