Sometimes you will run into a situation where you are not able to pass Windows authentication credentials across servers when dealing with a web application.
To get around this you can do a few things:
1) Set up Kerberos on your network so the two servers trust each other and will accept the forwarded domain credentials.
2) Create an application pool so your web application runs under that identity; the application pool's credentials are then what gets passed across servers.
Then the question arises: what if I want identity impersonate=true in my web.config? Below are examples of what you will
get when identity impersonate=true is set and when it is not configured in the web.config.
From a developer standpoint and a network standpoint, I feel it is easier to configure application pools than to start setting up Kerberos
on the network.
First things first for this example: whatever web application you are using, make sure Anonymous Access is disabled in IIS for this web application.
Second, make sure the authentication mode in the web.config is set to Windows.
Below is code you can put in the Page_Load method to see how the credentials change as you configure impersonation and application pools.
using System;
using System.Security.Principal;

protected void Page_Load(object sender, EventArgs e)
{
    // Who ASP.NET authenticated for this request (Windows authentication, anonymous access disabled).
    Response.Write("<b>HttpContext:</b> " + Server.HtmlEncode(HttpContext.Current.User.Identity.Name) + "<br />");

    // The Windows token the worker thread actually runs under: the application
    // pool account by default, or the request user when impersonation is enabled.
    WindowsIdentity id = WindowsIdentity.GetCurrent();
    Response.Write("<b>ApplicationPool Identity:</b>" + Server.HtmlEncode(id.Name));
}
Below are the results without impersonation being enabled in the web.config.

With Web App Using Default App Pool
----------------------------------------------------------------
HttpContext: DOMAIN\yourusername
ApplicationPool Identity:NT AUTHORITY\NETWORK SERVICE
----------------------------------------------------------------

With Web App Using an Application Pool configured to use a separate domain account
----------------------------------------------------------------
HttpContext: DOMAIN\yourusername
ApplicationPool Identity:DOMAIN\separate_domain_account
----------------------------------------------------------------
Now let's set identity impersonate = true in the web.config and see the results.
Below are the results with impersonation being enabled in the web.config.

With Default App Pool
----------------------------------------------------------------
HttpContext: DOMAIN\yourusername
ApplicationPool Identity:DOMAIN\yourusername
----------------------------------------------------------------

With an application pool configured to use a separate domain account
----------------------------------------------------------------
HttpContext: DOMAIN\yourusername
ApplicationPool Identity:DOMAIN\yourusername
----------------------------------------------------------------
You will notice that with identity impersonate = true it does not matter which application pool you are using: the worker thread runs as the authenticated user either way.
This matters when you are trying to pass security credentials across servers to access SQL databases.
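The tables above show who the thread runs as, but not whether that token can be used to reach a second server. The following diagnostic page is an added example, not code from the original post: it extends the author's Page_Load check with the token properties that decide what the next hop sees. It assumes an ASP.NET Web Forms code-behind (System.Web); the class name WhoAmI and the row labels are my own.

```csharp
// Added diagnostic, not code from the original post. Assumes ASP.NET Web Forms
// (System.Web); the class name and labels are assumptions of this example.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

public partial class WhoAmI : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // The browser user as IIS/ASP.NET authenticated it (Windows
        // authentication with anonymous access disabled, as the post requires).
        IIdentity requestUser = HttpContext.Current.User.Identity;

        // The Windows token the worker thread is really running with: the app
        // pool account by default, the request user when impersonation is on.
        WindowsIdentity threadUser = WindowsIdentity.GetCurrent();

        WriteRow("HttpContext", requestUser.Name);
        WriteRow("Thread identity", threadUser.Name);
        WriteRow("Authentication type", threadUser.AuthenticationType);
        WriteRow("Impersonation level", threadUser.ImpersonationLevel.ToString());
        WriteRow("A remote server would see", RemoteServerSees(threadUser));
    }

    // What a second server (SQL Server, a file share) receives when this token
    // is used to connect to it with integrated Windows security.
    static string RemoteServerSees(WindowsIdentity id)
    {
        switch (id.ImpersonationLevel)
        {
            case TokenImpersonationLevel.None:
                // Primary token: no impersonation, so the process account (the
                // application pool identity) is what crosses the wire. For
                // NETWORK SERVICE the remote side sees the machine account.
                return "the application pool account: " + id.Name;
            case TokenImpersonationLevel.Delegation:
                // Only Kerberos with delegation configured produces this level;
                // the user's identity can be forwarded one hop further.
                return "the impersonated user: " + id.Name;
            default:
                // Impersonation level (typical with NTLM): valid on this machine
                // only. The remote side gets an anonymous logon, the familiar
                // "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'".
                return "NT AUTHORITY\\ANONYMOUS LOGON (the second hop fails)";
        }
    }

    void WriteRow(string label, string value)
    {
        // HTML-encode everything written into the page, account names included.
        Response.Write("<b>" + HttpUtility.HtmlEncode(label) + ":</b> "
            + HttpUtility.HtmlEncode(value ?? "(none)") + "<br />");
    }
}
```

Run it under each of the four configurations from the tables above. Without impersonation the level reads None and the pool account is what the remote server sees, which is the page's option 2; with impersonation over NTLM it reads Impersonation, and that is exactly the token that cannot be passed on to SQL Server on another machine. Delegation shows up only once Kerberos delegation (option 1) is in place.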
For most of the applications I have designed, I use the following concept if I need to use impersonation:
1) Disable anonymous access in IIS.
2) Make sure impersonation is enabled.
3) The SQL connection string uses a standard SQL user account.
This allows me to use the impersonation feature, and since it is a normal SQL account we are using to access the SQL Server, it doesn't matter whether it is on the same server or not.
This approach also helps even if the SQL Server and web server are on the same machine, because from a maintenance side it is easier to manage how many SQL accounts need to be configured on the database.
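The three steps above, carried through into data-access code, as an added example that is not the author's code. It assumes a connection string named "AppDb" in the web.config connectionStrings section that uses a SQL login, and a table dbo.AuditLog(EventTime, AppUser, Action) created for this example. Because the SQL login, not the Windows token, opens the connection, the hop to SQL Server works from any server; the impersonated identity is still on the thread, so the code records it itself rather than losing the real user behind a shared SQL account.

```csharp
// Added example of the post's pattern (impersonation on, SQL login in the
// connection string); not the author's code. "AppDb" and dbo.AuditLog are
// assumptions of this example.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;

public static class AuditedDb
{
    // Opened with the SQL login from config. The hop to SQL Server no longer
    // depends on the Windows token, so it works whether SQL is local or remote,
    // and all users share one connection pool (a per-user Windows token would
    // fragment the pool).
    static SqlConnection Open()
    {
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        var conn = new SqlConnection(cs);
        conn.Open();
        return conn;
    }

    // Impersonation still earns its keep: the worker thread carries the real
    // user's identity (DOMAIN\user, as the results tables show), so it can be
    // written to the audit trail. Parameterized so the name never becomes SQL text.
    public static void RecordAction(string action)
    {
        string appUser = WindowsIdentity.GetCurrent().Name;
        using (SqlConnection conn = Open())
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText =
                "INSERT INTO dbo.AuditLog (EventTime, AppUser, Action) " +
                "VALUES (SYSUTCDATETIME(), @user, @action)";
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 256).Value = appUser;
            cmd.Parameters.Add("@action", SqlDbType.NVarChar, 100).Value = action;
            cmd.ExecuteNonQuery();
        }
    }

    // Deployment check: if someone switches the string back to Integrated
    // Security, the database hop rides on the Windows token again and the
    // double-hop failure returns. Call this at application start.
    public static bool UsesSqlLogin(string connectionString)
    {
        var b = new SqlConnectionStringBuilder(connectionString);
        return !b.IntegratedSecurity && !string.IsNullOrEmpty(b.UserID);
    }
}
```

Two caveats that come with step 3: the SQL login's password now lives in web.config, so protect the connectionStrings section with protected configuration (aspnet_regiis -pe "connectionStrings" -app "/YourApp") rather than leaving it in clear text, and grant that single shared login only the database permissions the application needs, since every user of the site reaches the database through it.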