Problem: Unable to access remote resources when ASP.NET applications impersonate users
An ASP.NET application may not be able to access remote resources when the following conditions are true:
- Internet Information Server (IIS) is configured to use Integrated Windows authentication
- The ASP.NET application is configured to impersonate the logon user.
- The web browser and IIS are on different machines and IIS and remote sources are on different machines.
When the above conditions are true, the ASP.NET application uses delegation to access the remote sources. Your network may not be configured to allow delegation. To confirm this is a delegation problem, try one of the following:
- Run the Web browser from the same machine that hosts IIS
- Access a resource on the same machine as IIS
- Configure the IIS application to use Digest authentication or Basic authentication.
If any of the above approaches works, the problem was the delegation problem.
Delegation relies on Integrated Windows authentication to access resources. There is no limit on the number of computers that you can delegate your account, as you must just correctly configure each of them. The Integrated Windows authentication method works only if the following two conditions exist:
- You set up your network to use the Kerberos authentication protocol that requires Active Directory.
- You set up the computers and accounts on your network as trusted for delegation.
If these conditions are not true, you cannot use Integrated Windows authentication to access data on a remote resource because Integrated Windows authentication only gives you access to the IIS server and not to the additional resources configured for Windows authentication that the IIS server remotely accesses.
Solution or Workaround
Either configure the network to allow delegation or configure the application not to use delegation.
- Configure the network to allow delegation.
Please follow the Microsoft Knowledge Base article KB810572 to configure your network to allow delegation.
- Configure the application not to use delegation.
The ASP.NET application does not require relegation in any of the following scenarios:
- When the Web browser and the IIS are on the same machine
- When the IIS and resources are on the same machine
- When the IIS application is configured to use Digest authentication
- When the IIS application is configured to use Basic authentication. This approach is not recommended because the passwords will be passed in clear text.
- When the ASP.NET application is configured to impersonate a specific user. In this scenario, the username and password of the user will be stored in the web.config file of the ASP.NET application. It is recommended that you encrypt the portion of your web.config file following the instructions in Microsoft Knowledge Base article KB329290.
- Both the Impersonation object in ESRI Web Application Developer Framework (Web ADF) and the Impersonation Control in Web ADF 9.1 can impersonate users without requiring delegation.