End-to-end kerberos delegated authentication in ASP.NET - asp.net

I'm trying to setup an internal website that will contact another backend service within the network on behalf of the user using a HttpWebRequest.
I have to use Integrated Windows Authentication on the ASP.NET application as the backend system only supports this type of authentication.
I'm able to setup IWA on the ASP.NET application, and it's using kerberos as I expect it to. However when the authentication is delegated to the backend system it doesn't work anymore. This is because the backend system only supports kerberos IWA, but the delegation for some reason - even though the incoming request is kerberos authenticated - converts the authentication to NTLM before forwaring to the backend system.
Does anybody know what I need to do on the ASP.NET application in order to allow it to forward the identity using kerberos?
I've tried the following but it doesn't seem to work
CredentialCache credentialCache = new CredentialCache();
credentialCache.Add(request.RequestUri, "Negotiate", CredentialCache.DefaultCredentials.GetCredential(request.RequestUri, "Kerberos"));
request.Credentials = credentialCache;
I've also tried to set "Kerberos" where it now says "Negotiate", but it doesn't seem to do much.

In your application, you only need to use DefaultCredentials:
request.UseDefaultCredentials = true;
However, there is some work to do on Active Directory:
Set up a SPN on your application pool account for your front end application
Set up a SPN on your application pool account for your back end application
Set up delegation from the first application pool to the second SPN

Related

.Net Framework Identity Server 3 - Windows Authentication

We are using Identity Server 3 in our tool that has the following structure. One (AngularJs) Spa with 10 Web APIs . We use the WindowsAuthWebHost mini project to do the windows handshake to get the windows(domain) identity of the user, based on which we build a complex(with custom claims) token that it's used by the client Web APIs. All the 10 Web APIs have anonymous authentication set in the IIS. And it works smoothly.
Now, we are trying to expose this tool outside the company network and a perquisite is to have windows authentication on all the Web APIs in the IIS. If we set this time of authentication, now all the calls are unauthorized.
Do you know if there is a way to keep the same flow, but also validated the windows authentication?
Windows authentication will not work outside of the network. The user needs to have a valid user account in your domain (username/password), or even a local account on your IIS server.
Note that NTLM doesn't work through some proxy servers, so this is one reason that Windows AuthN isn't used so much on the public internet.
To achieve your requirement you could use the form authentication with active directory.you may need to enable both form and anonymous authentication. then create deny authorization rule for anonymous users and allow rule for all users.
How To: Use Forms Authentication with Active Directory in ASP.NET 2.0

SSO with Windows Authentication across multiple REST-APIs? (Kerberos Double hop)

I have the following scenario:
(Client/Browser) => (Web Service/Web API) => (SharePoint REST-Api).
Basically what I want to achive is to have the middle application (WebService/Web API) to act as a facade infront of the SharePoint-REST-API to ease the development for anybody that needs to communicate with our SharePoint-application. (Basically we wrap a few SharePoint-request-calls into one single call in the Web API/Facade).
Now the problem is that I also want to be able to send the logged in Windows user (AD-user) from the Client to the Web Service, and then the web service should act on behalf of that Windows user and perform whatever actions needed in the SharePoint REST-API (this is to make sure that permissions to files and so on are actually set based on the authenticated user).
What we have tried so far is setting uo the Web Service on one server, and SharePoint on a different server.. and then we have tried to setup authentication using Kerberos and delegation, but we could not get this working.
Based on the information I have provided, do you guys think that a "double hop" like this would work if we manage to get Kerberos setup properly?
Another thought that hit me is that maybe we dont have to host the Web Service and the SharePoint applications in two different servers, but we could actually host them both on the same server within one single IIS-server with two sites.
Would this still require Kerberos to be setup with a double hop? Or does a "hop" only count once the ticket actually leaves one server to another.. cause in the case described here, the request from the Web Service to the SharePoint-REST-API would never leave the actual server, but it might cross domains (as in web-domains.. not AD-domains).
Could this work, instead of having to hassle with Kerberos double hop, SPNs and what not..?
when you use integrated authentication, anonymous is disabled at that time and impersonate is enabled.so security settings will not allow your site to access resources on any network servers.
When you authenticate to the IIS server using Integrated Authentication, that uses up your first 'hop'. When IIS tries to access a network device, that would be the double or second hop which is not allowed. iis will not pass those credential to the next network device.
if you use anonymous enable and impersonate off this issue will not occur.
to configure Kerberos Authentication in iis you could follow the below steps:
1)open iis manager and select site.
2)select the authentication feature from the middle pane.
3)enable windows authentication and disable anonymous.
4)With Windows Authentication, click on the Providers from the Action pane.
5)set the provider in below manner:
Negotiate
NTLM
save the changes.
6)go back and select the configuration editor.
from section dropdown select system.webServer/security/authentication/windowsAuthentication.
“useAppPoolCredentials” set to true.
"useKernelMode" to "True" and save the settings.
7)restart the iis.
8)Configure SPNs
open the command prompt as administrator and run below command to check the machine name:
hostname
When you have a custom hostname and you want to register it to a domain account, you need to create a SPN a below.
setspn -a HOST/${FQDN_HOST} ${MACHINE_NAME}
setspn -a http/${FQDN_HOST} ${MACHINE_NAME}
9)after doing that set application pool identity to the custom account and set the username and password.
You could refer this below article for more detailed information:
https://weblogs.asp.net/owscott/iis-windows-authentication-and-the-double-hop-issue
https://active-directory-wp.com/docs/Networking/Single_Sign_On/SSO_with_IIS_on_Windows.html
https://techcommunity.microsoft.com/t5/IIS-Support-Blog/Setting-up-Kerberos-Authentication-for-a-Website-in-IIS/ba-p/324644

Access TFS via its API using Windows Authentication

All,
I am using the ASP.Net MVC 4 application.
I have enabled Windows Authentication.
Till now it is working fine.
Now I enhanced the application to connect to TFS via its API.
For this, I need to use the windows authentication credentials.
I have tried using
ICredentialsProvider credential = new UICredentialsProvider();
TfsTeamProjectCollection teamProjectCollection = new TfsTeamProjectCollection(collectionUri, credential);
This works great in the development environment. But when I host the application in IIS 8.5, it is not working at all under "Application Pool Identity" and "Network Service" account.
I tried with Local System and specific user in identity of application pool, it is working.
But I need this to work based on the windows credential (Active directory).
Can anyone suggest a solution?
You can deploy your web application on the TFS App Tier and configuring its app pool to run as the same identity as the TFS web services, and enable ASP.NET impersonation. Check this case: ASP.NET MVC3 Windows Authentication Pass Through to TFS
You are likely hitting a Kerberos double hope issue.
You have two options to resolve it:
Host your mvc web app on the same server as tfs
Configure Active Directory to allow your servers identity to delegate the logged in user credentials to another service.
#1 is easy but #2 will require a bunch of work for your Active Directory domain administrators.
https://support.microsoft.com/en-us/kb/810572
You will need:
At least one Service Principal Name (SPN) configured for your server's account (either a dedicated domain\svc_myaccout or the domain\servername$ account for Network Service).
The account you use needs to be enabled to allow delegation in AD
The server that hosts your application needs to be enabled for delegation
This is not 101 and in my experience, having done this a bunch in enterprise and small business, that most Domain Administrators don't know how Kerberos delegation works, or how to configure it.
You will need to learn how and make explicit requests that they can action. Like "run 'setspn myapp.mydomain.com domain\myserviceaccount'".

How to host asp.net application using Window authentication using window servicing account

I am working into an organization which uses Active directory for any kind of application authentication.
We recently created a web application on ASP.NET using Sql Server for database connectivity. During development process we used window authentication for connecting to Sql Server 2008. When application got completed it was a time to host this application on IIS.
Challenges
We have been asked to use window servicing account to host this application on server. We are not supposed to use any kind of username passwords anywhere. It should be active directory driven and window authentication driven.
Now I don't have any idea how to proceed with this. Do I need to make any changes to web config to configure impersonation, or I need to change my connection string.
I only know we have to use Window authentication.
Any guidelines would be a big help
This is what I've always done:
Create an application pool for the site to use. You can use a pool that is already created if you want.
Set the Identity of the application pool to the AD service account your IT staff wants you to use.
Ensure that service account also has access to the database resources
Configure your connection string to use Integrated Security.
Configure Windows authentication & impersonation in your web.config.
For #4 & 5: http://msdn.microsoft.com/en-us/library/bsz5788z(v=vs.100).aspx
Inside connection string use trusted connection, other configuration can be found here:
WindowsIdentity and Classic .Net App Pool
Just make sure you set Impersonation to Enabled.

ASP.NET Windows Authentication Impersonate Problem

In my previous questions I was asking how to use windows authentication within my application. That is now working, users can login with there account but I have one database access scenario I can't find anything on.
Basically I will have several servers and here is the problem.
On some servers they will have Windows Authentication accounts for the SQL Server database server, so using impersonate their credentials should be used. But I notice its a global setting in the web.config (not per connection) and it one case I want to use the applications (IIS or ASP) Windows Authentication account rather than the users. (Access to my configuration database)
How could I achieve this?
Web Application is ASP.NET MVC hosted on Server 2003/2008 IIS 6/7/7.5 with clients being Windows XP and above. Using SQL Server Express/Standard 2005/2008 mixed.
Impersonation is on a site wide basis, or you can manually turn it on. What you can't do is manually turn it off I'm afraid, nor can it be done via the connection strings.
So basically turn impersonation off, then wrap the database calls when impersonation is needed like so:
using System.Security.Principal;
WindowsIdentity winId = (WindowsIdentity)HttpContext.Current.User.Identity;
WindowsImpersonationContext ctx = null;
try
{
ctx = winId.Impersonate();
// Do your thing
}
catch
{
}
finally
{
if (ctx != null)
ctx.Undo();
}
The MSDN P&P guide to asp.net impersonation has more.
You'll have to set up delegation on your network so that the ASP.NET servers can impersonate users on the Sql server machines. This assumes your servers are on an Active Directory controlled network (not workgroups) and that the sql servers are on different machines than your web servers.
You would configure delegation for those database server machines where you want the users to be impersonated and don't configure it for those server machines that you want the ASP.NET worker process account to be the account accessing the server.
If you can't do this, you can turn off windows/mixed authentication on the Sql Server instances you wish to prevent delegation on, and then manually configure the Sql Server account to connect with in the connection string within web.config.
Use domain controller - so it could propagate same credentials for single user across entire domain.
The second trick for workgroups - create same account of impersonation (with exactly same login and password) on both servers (ASP and SQLServer). Don't forget to grant this permission on SQLServer.

Resources