Delegation in ASP.NET

From: matthewt (matthewt_at_nospam.nospam)
Date: 09/13/04


Date: Mon, 13 Sep 2004 07:11:01 -0700

Hi,
 
As the title suggests I have a question about delegation in ASP.NET.
 
We have an ASP.NET application running on a web server which requires
clients to authenticate via Windows Integrated authentication. We're running
in a Win2K native-mode domain and the clients are IE6 so we should be using
Kerberos to authenticate.
 
At some points the application needs to send an email on behalf of the
client; this it achieves by impersonating the remote user and using WebDAV to
talk to the Exchange server running on the DC (which is a physically separate
box from the web server).
 
This is working in the main and the credentials appear to flow from the
browser, through the web-app to the Exchange server.
 
However, it only hangs together with a certain set of *browser* settings :s
 
If the site is configured to live in a zone (e.g. Intranet or Trusted Sites
etc.) that has either of the "automatic logon..." options in the IE custom
security level dialog selected then all is well.
 
As soon as this isn't true and we manually enter the credentials when
prompted, we authenticate with the web-server OK, but then the ASP.NET app
can't authenticate with the Exchange box on the client's behalf (it's as if
we're back to impersonation rather than delegation).
 
We believe that all the accounts are correctly configured for
delegation (i.e. user accounts are *not* marked as sensitive, app account is
marked as trusted for delegation, machine account trusted for delegation).
 
Does anyone have any ideas about what this browser option is actually doing
that makes the whole thing work?
 
The application only supports Windows Integrated authentication so it can't
be "falling back" to basic - is it falling back to NTLM though?

Any help will be much appreciated.
 
cheers,
Matt
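
One way to check the NTLM-fallback question raised above is to classify the token in the Authorization request header the browser sends to the web server. This is an added example, not part of the original post; it assumes the header value has already been captured, and the function name and sample tokens are constructed for illustration.

```python
import base64
import binascii

NTLM_SIG = b"NTLMSSP\x00"  # every NTLM message starts with this signature
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2 (Kerberos V5)
    bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2 (legacy MS Kerberos)
)

def classify_authorization(header_value):
    """Return 'Basic', 'NTLM', 'NTLM-in-SPNEGO', 'Kerberos', 'none' or 'unknown'."""
    if not header_value:
        return "none"
    parts = header_value.strip().split(None, 1)
    scheme = parts[0].lower()
    if scheme == "basic":
        return "Basic"
    if scheme not in ("negotiate", "ntlm") or len(parts) != 2:
        return "unknown"
    try:
        token = base64.b64decode(parts[1].strip(), validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    if token.startswith(NTLM_SIG):
        return "NTLM"  # raw NTLM, even though the scheme may say Negotiate
    # 0x60 = GSS-API initial token, 0xa1 = SPNEGO response token
    if token[:1] in (b"\x60", b"\xa1"):
        if NTLM_SIG in token:
            return "NTLM-in-SPNEGO"  # NTLM message carried as the mechToken
        if any(oid in token for oid in KRB5_OIDS):
            return "Kerberos"
    return "unknown"

def _hdr(scheme, raw):
    return scheme + " " + base64.b64encode(raw).decode("ascii")

# Constructed, truncated sample tokens (not valid full messages).
SPNEGO_OID = bytes.fromhex("06062b0601050502")
SAMPLES = {
    "raw_ntlm": _hdr("Negotiate", NTLM_SIG + bytes.fromhex("010000000782088a")),
    "spnego_krb": _hdr("Negotiate", b"\x60\x20" + SPNEGO_OID + KRB5_OIDS[1] + b"\x00" * 8),
    "spnego_ntlm": _hdr("Negotiate", b"\x60\x20" + SPNEGO_OID + b"\xa2\x0c" + NTLM_SIG),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, "->", classify_authorization(value))
```

Only a Kerberos result can support delegation to a second server; an NTLM result means the web server never received a ticket it could forward.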


