How to configure an ASP.NET application for a delegation scenario
This step-by-step article describes how to configure Internet Information Services (IIS) and Active Directory required for delegation of ASP.NET applications. Delegation is the next step after impersonation. Delegation supports your ability to access remote resources on behalf of the client instead of accessing local resources only. This article describes the steps that you must take to delegate an ASP.NET-connected application.
Requirements for Delegation
Delegation relies on Integrated Windows authentication to access resources. There is no limit on the number of computers to which your account can be delegated, but you must correctly configure each of them. The Integrated Windows authentication method works only if the following two conditions exist:
- You set up your network to use the Kerberos authentication protocol that requires Active Directory.
- You set up the computers and accounts on your network as trusted for delegation.
Kerberos authentication authenticates both the server and the client, whereas Windows NT Challenge/Response (NTLM) authenticates only the client. Operating systems that are earlier than Windows 2000 do not support Kerberos authentication, and Kerberos requires IIS 5.0 or a later version. Therefore, you must run Windows 2000 or a more recent operating system on all the computers where you use Kerberos delegation. Additionally, all the computers must be in the same Active Directory forest. Only Microsoft Internet Explorer 5.0 and later versions support Kerberos. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
217098 Basic overview of Kerberos user authentication protocol in Windows 2000
Configure Internet Explorer for Delegation
When you use Internet Explorer 5.0 or a later version, you can configure Internet Explorer for ASP.NET - IIS delegation. To do this, follow these steps:
- Start Internet Explorer. On the menu bar, click Tools, and then click Internet Options.
- Click the Advanced tab, and then click to select the Enable Integrated Windows Authentication (requires restart) check box.
This setting permits Internet Explorer to respond to a Negotiate challenge and then to perform Kerberos authentication. Because this feature requires Windows 2000 or a later version, Internet Explorer does not respond to a Negotiate challenge when it is not running on Windows 2000 or a later operating system. By default, Internet Explorer uses NTLM authentication, even if you select the Enable Integrated Windows Authentication (requires restart) check box.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
Note On computers that are running Microsoft Windows 2000 and later versions, administrators can set the value of the EnableNegotiate REG_DWORD entry to 1 in the following registry key to turn on Integrated Windows authentication:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- There are some issues where Kerberos may fail on the Internet Explorer client. For more information about issues related to Kerberos authentication, click the following article numbers to view the articles in the Microsoft Knowledge Base:
321728 Internet Explorer does not support Kerberos authentication with proxy servers
325608 Authentication delegation through Kerberos does not work in load-balanced architectures
248350 Kerberos authentication fails after upgrading from IIS 4.0 to IIS 5.0
264921 How IIS authenticates browser clients
Configure IIS for Delegation
To turn on Integrated Windows authentication and impersonation for an ASP.NET-connected application, you have to configure Internet Information Services (IIS). To configure Windows authentication in IIS, follow these steps:
- Click Start, click Run, type inetmgr, and then click OK.
- Expand local computer, and then expand Web site.
- Right-click Default Web site, and then click Properties.
- Click the Directory Security tab, and then click Edit under Anonymous access and authentication control.
- Click to select the Integrated Windows authentication check box, and then click to clear the Anonymous access, Digest authentication for Windows domain server and Basic Authentication check boxes.
Note If Anonymous authentication is enabled, IIS will always try to authenticate by using it first, even if other methods are enabled.
If Anonymous authentication, Integrated Windows authentication, and Basic authentication are all selected, Integrated Windows authentication takes precedence over Basic authentication, after Anonymous authentication.
Configure ASP.NET for Delegation
- Open a Web.config file in a text editor such as Notepad. The Web.config file is located in the Web Application folder.
- In the Web.config file, locate the following information in the <configuration> section:
<allow users="*" /> <deny users="?" />
- Under the <system.web> section, verify that the authentication element is set to Windows as follows:
<authentication mode="Windows" />
- Under the <system.web> section, add the following element for impersonation:
<identity impersonate="true" />
- For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
306158 How to implement impersonation in an ASP.NET application
317012 Process and request identity in ASP.NET
315736 How to secure an ASP.NET application by using Windows security
Configure Active Directory for Delegation
Delegation must be enabled for every computer and account that delegates credentials. You configure this in the Active Directory tools.
For more information, visit the following Microsoft Web sites:
Allow a computer to be trusted for delegation
User and computer accounts
The core IIS process, InetInfo.exe, is a service that runs under the LocalSystem account. It is the process that does the following:
- Takes the client request
- Impersonates the user
- Performs the appropriate tasks
- Reverts to the process identity (LocalSystem)
- If the Web server name that you use in the URL to call the ASP.NET page is not the NetBIOS name of the IIS computer, Integrated Authentication may fail with error 401.3. To resolve this problem, register a new Service Principal Name for the computer with the SetSPN.exe utility. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
294382 Authentication may fail with "401.3" Error if Web site's "Host Header" differs from server's NetBIOS name
- Kerberos does not work in a load-balanced architecture, and IIS drops back to NTLM authentication. Because you cannot use NTLM for delegation, any applications or services that require delegation do not work. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
325608 Authentication delegation through Kerberos does not work in load-balanced architectures
- For Kerberos to work correctly, you must use fully qualified domain names (FQDN) for all the communication.
- When you use Internet Explorer on a Windows 2000 client and you browse to a Web site whose host header name is different from the NetBIOS name of the computer, Integrated Authentication may fail with error 401.3. Note that Internet Explorer clients that run on Windows NT 4, Windows 98, or Windows 95 do not fail. Other authentication schemes also work.
- If the Web server uses a fully qualified domain name, you must add the site to the list of intranet sites in Internet Explorer. To add the site to the Local intranet zone, follow these steps:
- Start Internet Explorer.
- On the Tools menu, click Internet Options, and then click the Security tab.
- Click to select Local intranet. Click Sites.
- Click Advanced, and then type the Web address in the Add this Web site to the zone box. Click Add, and then click OK.
- If the Internet Explorer client is set to use a proxy server, you must select the Bypass proxy server for local addresses check box. To verify this setting, follow these steps:
- Start Internet Explorer.
- On the Tools menu, click Internet Options, and then click the Connections tab.
- Click LAN Settings. Under Proxy server, verify that the Bypass proxy server for local addresses check box is selected.
- If you want to access a SQL Server from your ASP.NET-connected application, you must use TCP/IP. Named pipes do not support Kerberos delegation; named pipes use NTLM only. To force TCP/IP, add the following attribute to the connection string:
"Network Library=dbmssocn"
If you do not explicitly set the network library, the client uses the first library that is set up in the client configuration utility (Cliconfg.exe). This default changed from named pipes to TCP/IP in Microsoft Data Access Components (MDAC) 2.6. For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
315159 BUG: Named pipes do not work when worker process runs under ASPNET account
247931 Authentication methods for connections to SQL Server in Active Server Pages
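The following diagnostic page is an added example; it is not part of this Knowledge Base article or of any Microsoft sample. It ties together the checks described above: it reports how IIS authenticated the browser (Kerberos is required; NTLM means the request fell back, as happens with proxies, host header/SPN mismatches, or load balancing), shows which identity the worker thread is using after impersonation, and then opens a TCP/IP connection to SQL Server with integrated security and asks the server which login it sees. The Web.config settings from the previous section (Windows authentication and impersonate="true") are assumed, and the SQL Server host name is a placeholder.

```csharp
// Added example (not from KB 810572): a diagnostic ASP.NET page that verifies
// the delegation chain browser -> IIS -> SQL Server end to end.
// Assumptions: Web.config contains <authentication mode="Windows" /> and
// <identity impersonate="true" />; the SQL Server host below is a placeholder.
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.UI;

public class DelegationCheckPage : Page
{
    // Placeholder: use the fully qualified domain name of the SQL Server,
    // because Kerberos needs FQDNs for all communication.
    private const string SqlServerHost = "sqlserver01.corp.example.com";

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        Response.ContentType = "text/plain";
        Response.Write(BuildReport(HttpContext.Current));
    }

    public static string BuildReport(HttpContext ctx)
    {
        StringBuilder sb = new StringBuilder();

        // 1. How did IIS authenticate the browser? On IIS 5.0/6.0 with Integrated
        //    Windows authentication this is "Kerberos" or "NTLM". NTLM cannot be
        //    delegated, so the SQL step below would then run without the user's
        //    credentials.
        string authType = ctx.User.Identity.AuthenticationType;
        sb.Append("Browser authenticated via: ").Append(authType).Append("\r\n");
        sb.Append("Request user: ").Append(ctx.User.Identity.Name).Append("\r\n");

        // 2. Which token is the worker thread using? With impersonate="true" this
        //    should be the caller, not the process identity.
        WindowsIdentity current = WindowsIdentity.GetCurrent();
        sb.Append("Thread identity: ").Append(current.Name).Append("\r\n");

        if (string.Compare(authType, "Kerberos", true) != 0)
        {
            sb.Append("WARNING: not Kerberos; delegation to a remote server is not expected to work.\r\n");
        }

        // 3. Force the TCP/IP network library (named pipes would use NTLM only)
        //    and ask SQL Server which login it associated with this connection.
        string connStr =
            "Data Source=" + SqlServerHost + ";" +
            "Initial Catalog=master;" +
            "Integrated Security=SSPI;" +
            "Network Library=dbmssocn";
        try
        {
            using (SqlConnection conn = new SqlConnection(connStr))
            {
                conn.Open();
                SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", conn);
                string remoteLogin = (string)cmd.ExecuteScalar();
                sb.Append("SQL Server sees login: ").Append(remoteLogin).Append("\r\n");

                bool sameUser = string.Compare(remoteLogin, ctx.User.Identity.Name, true) == 0;
                sb.Append(sameUser
                    ? "RESULT: delegation works; the remote server sees the browser user.\r\n"
                    : "RESULT: the remote server sees a different identity; check that the IIS computer and the account are trusted for delegation.\r\n");
            }
        }
        catch (SqlException ex)
        {
            // A login failure for NT AUTHORITY\ANONYMOUS LOGON is the usual sign
            // that the second hop (IIS -> SQL Server) carried no credentials.
            sb.Append("SQL connection failed: ").Append(ex.Message).Append("\r\n");
        }
        return sb.ToString();
    }
}
```

Register the class as the code-behind of a page that only administrators can reach, browse to it with the FQDN of the Web server, and compare the three identities in the output. When the first line says NTLM, work through the Internet Explorer and host header items above before looking at Active Directory; when it says Kerberos but SQL Server sees a different login or rejects an anonymous logon, the computer or account delegation setting in Active Directory is the place to look.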
For more information about how to design more secure Web-based applications and delegation scenarios, visit the following Microsoft Developer Network (MSDN) Web site:
Designing Secure Web-Based Applications
Michael Howard, Marc Levy, and Richard Waymire
Article ID: 810572 - Last Review: 12/03/2007 19:53:57 - Revision: 8.8
Microsoft ASP.NET 1.1, Microsoft ASP.NET 1.0, Microsoft Internet Information Services 5.0, Microsoft Internet Information Services 6.0
- kbauthentication kbwebforms kbdomain kbclient kbconfig kbwebserver kbhowtomaster kbhowto KB810572