2
votes

Given the following scenario:

  • Windows 2008 R2 x64 web server with IIS 7.5, Server 1
  • Windows 2003 R2 x64 file server, Server 2
  • MVC 3 application with Windows authentication and impersonation (authenticated user)
  • Configured Server 1 as 'Trusted computer for delegation' in Active Directory
  • Internet Explorer 8

Within the application the user has the possibility to upload a file. This uploaded file has to be saved on Server 2. In the code we create the UNC path to this Server 2 and save it there.

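    // Needs: using System.IO; using System.Web; using System.Web.Mvc;
    public ActionResult Upload(HttpPostedFileBase file)
    {
      // Verbatim string, so the UNC backslashes are not read as escape sequences
      var savedDirectory = @"\\Path\To\Server2";
      // Assumption: save under the uploaded file's own name (any client-side path is stripped)
      var savedFileName = Path.Combine(savedDirectory, Path.GetFileName(file.FileName));

      if (Directory.Exists(savedDirectory))
      {
        file.SaveAs(savedFileName);
      }
      else
      {
        Directory.CreateDirectory(savedDirectory);
        file.SaveAs(savedFileName);
      }

      return RedirectToAction("Action", "Controller", new { id = 1 });
    }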

We installed the application on Server 1 and tested it locally on Server 1; everything went fine. Files are uploaded to Server 2, no issues there.

When we test the same scenario from a client desktop we get an error saying that there are not enough permissions to save the file on Server 2.

A Wireshark session shows us Server 1 did not impersonate, because the authenticated user on Server 2 was empty/anonymous.

Impersonation as Specific User instead of Authenticated User

We did not get the impersonation working so we created a service account and configured the application to impersonate with this Specific User instead of the Authenticated User. The service account is a domain account and has permissions on the folder on Server 2.

When we try to upload, the service account has no permissions on the local folder where we upload the file from.

Delegation

We learned, via Impersonation in asp.net mvc, that we need to trust Server 1 for delegation.

After we trusted Server 1 for delegation: still no permissions to save the file on Server 2. We tried this both with impersonation as Authenticated User and Specific User.

  1. Impersonation as Authenticated User with delegation not working: not enough permissions on Server 2
  2. Impersonation as Specific User not working: not enough permissions on the Local folder

Are we missing something here? Do we need extra steps for delegation?

2
Delegation only works with Kerberos, not Windows Integrated (NTLM.) Are you using Kerberos? If you're testing against localhost, be careful: Kerberos will not work against the loopback. – x0n
Thanks for your comment, I do not have the logs here, but I think it's Kerberos. I'm aware of the localhost issue, cost me also a lot of time once ;) – Andrew
The reason I say is because if it's not Kerberos, or is falling back to NTLM then guest/anonymous is the symptom for the double-hop failure issue. – x0n

2 Answers

1
votes

We fixed this problem by:

  1. Configuring delegation on the domain for Server 1
  2. And adding Kerberos provider to the Application within IIS (right click on Windows Authentication)
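
One way to check from inside the application which protocol the browser actually negotiated and whether the impersonated token can make the hop to Server 2, the point raised in the comments and in the answer above. This is an added example, not code from the original posts; the controller and helper names are hypothetical, and the base64 prefix test on the `Authorization` header is a heuristic.

```csharp
using System;
using System.Security.Principal;
using System.Web.Mvc;

// Hypothetical diagnostics controller; browse to it from a client desktop, not from Server 1.
public class AuthDiagController : Controller
{
    public ActionResult Index()
    {
        // With ASP.NET impersonation on, GetCurrent() returns the thread token,
        // i.e. the identity that file.SaveAs() presents to the file server.
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            string report = string.Join(Environment.NewLine, new[]
            {
                "Request user       : " + User.Identity.Name,
                "Thread identity    : " + id.Name,
                "Token auth package : " + id.AuthenticationType,
                "Impersonation level: " + id.ImpersonationLevel,
                "Authorization hdr  : " + DescribeAuthHeader(Request.Headers["Authorization"]),
                "Second hop         : " + SecondHopVerdict(id)
            });
            return Content(report, "text/plain");
        }
    }

    // Heuristic: a raw NTLMSSP message is base64 "TlRMTVNT..." ("NTLMSSP");
    // a GSS-API/SPNEGO blob starts with byte 0x60, which is base64 "Y...".
    internal static string DescribeAuthHeader(string header)
    {
        if (string.IsNullOrEmpty(header)) return "none on this request";
        string[] parts = header.Split(new[] { ' ' }, 2);
        string token = parts.Length > 1 ? parts[1].Trim() : "";
        if (parts[0].Equals("NTLM", StringComparison.OrdinalIgnoreCase)) return "NTLM";
        if (!parts[0].Equals("Negotiate", StringComparison.OrdinalIgnoreCase)) return "other scheme: " + parts[0];
        if (token.StartsWith("TlRMTVNT", StringComparison.Ordinal)) return "Negotiate, fell back to NTLM";
        return token.StartsWith("Y", StringComparison.Ordinal)
            ? "Negotiate, GSS-API/SPNEGO token (normally Kerberos)"
            : "Negotiate, unrecognized token";
    }

    // Only a Delegation-level token lets the authenticated user's identity travel to a second server.
    // Applies to 'Authenticated User' impersonation, not to a fixed account from web.config.
    internal static string SecondHopVerdict(WindowsIdentity id)
    {
        return id.ImpersonationLevel == TokenImpersonationLevel.Delegation
            ? "token is delegable"
            : "token is not delegable; the file server will see an anonymous logon";
    }
}
```
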

0
votes

I encountered this error today and here are the steps I did to fix the problem:

  1. Make sure that ASP.NET Impersonation is enabled for your site. Go to your site in IIS Manager and under features double click on Authentication then enable ASP.NET Impersonation
  2. Use Integrated mode for your app pool
  3. Edit your application's web.config file to specify the settings below:

    <system.webServer>
      <validation validateIntegratedModeConfiguration="false" />
      <modules runAllManagedModulesForAllRequests="true" /> 
    </system.webServer>