How to configure an ASP.NET application for a delegation scenario (810572)



The information in this article applies to:

  • Microsoft ASP.NET (included with the .NET Framework 1.1)
  • Microsoft ASP.NET (included with the .NET Framework) 1.0
  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Services version 6.0

Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry

SUMMARY

This step-by-step article describes how to configure Internet Information Services (IIS) and Active Directory as required for delegation of ASP.NET applications. Delegation is the next step after impersonation: it lets your application access remote resources on behalf of the client, instead of local resources only. This article describes the steps that you must take to delegate an ASP.NET-connected application.

Requirements for Delegation

Delegation relies on Integrated Windows authentication to access resources. There is no limit on the number of computers to which you can delegate your account, but you must correctly configure each of them. The Integrated Windows authentication method works only if the following two conditions exist:
  • You set up your network to use the Kerberos authentication protocol that requires Active Directory.
  • You set up the computers and accounts on your network as trusted for delegation.
If these conditions are not true, you cannot use Integrated Windows authentication to access data on a remote resource. Integrated Windows authentication then gives you access only to the IIS server itself, and not to the additional Windows-authenticated resources that the IIS server accesses remotely.

Kerberos authentication authenticates the server and the client, whereas Windows NT Challenge/Response (NTLM) authenticates the client only. Operating systems that are earlier than Windows 2000 do not support Kerberos authentication. Kerberos requires that you use IIS 5.0 or a later version. Therefore, you must run Windows 2000 or a more recent operating system on all the computers where you use Kerberos delegation. Additionally, you must put all the computers in the same Active Directory forest. Only Microsoft Internet Explorer 5.0 and later versions support Kerberos. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

217098 Basic overview of Kerberos user authentication protocol in Windows 2000


Configure Internet Explorer for Delegation

When you use Internet Explorer 5.0 or a later version, you can configure Internet Explorer for ASP.NET/IIS delegation. To do this, follow these steps:
  1. Start Internet Explorer. On the menu bar, click Tools, and then click Internet Options.
  2. Click the Advanced tab, and then click to select the Enable Integrated Windows Authentication (requires restart) check box.

    This setting permits Internet Explorer to respond to a Negotiate challenge and then to perform Kerberos authentication. Because this feature requires Windows 2000 or a later version, Internet Explorer does not respond to a Negotiate challenge when it is running on an earlier operating system. In that case Internet Explorer uses NTLM authentication by default, even if you click to select the Enable Integrated Windows Authentication (requires restart) check box.

    Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

  3. Note On computers that are running Microsoft Windows 2000 and later versions, administrators can instead turn on Integrated Windows authentication by setting the EnableNegotiate REG_DWORD entry to 1 in the following registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  4. There are some known issues that cause Kerberos to fail on the Internet Explorer client. For more information about issues related to Kerberos authentication, click the following article numbers to view the articles in the Microsoft Knowledge Base:

    321728 Internet Explorer does not support Kerberos authentication with proxy servers

    325608 Authentication delegation through Kerberos does not work in load-balanced architectures

    248350 Kerberos authentication fails after upgrading from IIS 4.0 to IIS 5.0

    264921 How IIS authenticates browser clients

Configure IIS for Delegation

To turn on Integrated Windows authentication and impersonation for an ASP.NET-connected application, you have to configure Internet Information Services (IIS). To configure for Windows Authentication in IIS, follow these steps:
  1. Click Start, click Run, type inetmgr, and then click OK.
  2. Expand the local computer, and then expand Web Sites.
  3. Right-click Default Web Site, and then click Properties.
  4. Click the Directory Security tab, and then click Edit under Anonymous access and authentication control.
  5. Click to select the Integrated Windows authentication check box, and then click to clear the Anonymous access, Digest authentication for Windows domain server and Basic Authentication check boxes.

    Note If Anonymous authentication is enabled, IIS will always try to authenticate by using it first, even if other methods are enabled.

    If Anonymous authentication, Integrated Windows authentication, and Basic authentication are all selected, Integrated Windows authentication takes precedence over Basic authentication, after Anonymous authentication.

Configure ASP.NET for Delegation

  1. Open the Web.config file in a text editor such as Notepad. The Web.config file is located in the Web application folder.
  2. In the Web.config file, locate the following authorization rules in the <configuration> section:
    <allow users="*" />
    <deny users="?" />
    Note ASP.NET evaluates these rules in order and stops at the first match, so if you want anonymous users rejected, the <deny users="?" /> rule must come before the <allow users="*" /> rule.
  3. Under the <system.web> section, verify that the authentication element is set to Windows as follows:
    <authentication mode="Windows" />
  4. Under the <system.web> section, add the following element for impersonation:
    <identity impersonate="true" />
  5. For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

    306158 How to implement impersonation in an ASP.NET application

    317012 Process and request identity in ASP.NET

    315736 How to secure an ASP.NET application by using Windows security

Configure Active Directory for Delegation

Delegation must be enabled in Active Directory for every computer account and user account that will forward client credentials. You configure this in the Active Directory Users and Computers tool by marking the account as trusted for delegation.

The core IIS process, InetInfo.exe, is a service that runs under the LocalSystem account, and is the process that does the following:
  • Takes the client request
  • Impersonates the user
  • Performs the appropriate tasks
  • Reverts to the process identity, which is LocalSystem
Because a service that runs as LocalSystem authenticates on the network as the computer account, it is the computer account that you mark as trusted for delegation. If you are running InetInfo.exe under an account that is different from LocalSystem, you must verify that this account is permitted to act as a delegate. In this case, do not configure the computer for delegation.

Troubleshoot

  1. If the Web server name that you use in the URL to call the ASP.NET page is not the NetBIOS name of the IIS computer, the Integrated Authentication may fail with error 401.3. To resolve this problem, register a new Service Principal Name for the computer with the SetSPN.exe utility. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

    294382 Authentication may fail with "401.3" Error if Web site's "Host Header" differs from server's NetBIOS name

  2. Kerberos does not work in a load-balanced architecture and IIS drops back to NTLM authentication. Because you cannot use NTLM for delegation, any applications or services that require delegation do not work. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

    325608 Authentication delegation through Kerberos does not work in load-balanced architectures

  3. For Kerberos to work correctly, you must use fully qualified domain names (FQDN) for all the communication.
  4. When you use Internet Explorer on a Windows 2000 client to open a Web site whose host header name is different from the NetBIOS name of the computer, Integrated Authentication may fail with error 401.3. Internet Explorer clients that run on Windows NT 4.0, Windows 98, or Windows 95 are not affected, and other authentication schemes continue to work.
  5. If the Web server uses a fully qualified domain name, you must add the site to the list of intranet sites in Internet Explorer. To add the site to the Local intranet zone, follow these steps:
    1. Start Internet Explorer.
    2. On the Tools menu, click Internet Options, and then click the Security tab.
    3. Click to select Local intranet. Click Sites.
    4. Click Advanced, and then type the Web address in the Add this Web site to the zone box. Click Add, and then click OK.
  6. If the Internet Explorer client is set to use a proxy server, you must click to select the Bypass proxy server for local addresses check box. To verify that the Internet Explorer client is set to use a proxy server, follow these steps:
    1. Start Internet Explorer.
    2. On the Tools menu, click Internet Options, and then click the Connections tab.
    3. Click LAN Settings. Under Proxy server, verify that the Bypass proxy server for local address check box is checked.
  7. If you want to access a SQL Server from your ASP.NET-connected application, you must use TCP/IP. Named pipes do not support Kerberos delegation; named pipes use NTLM only. To force TCP/IP, add the following attribute to the connection string:
    "Network Library=dbmssocn"
    If you do not explicitly set the network library, the SQL Server client uses the first library listed in the client configuration utility (Cliconfg.exe). This default changed from named pipes to TCP/IP in Microsoft Data Access Components (MDAC) 2.6.
    For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

    315159 BUG: Named pipes do not work when worker process runs under ASPNET account

    176377 Accessing SQL Server with integrated security from ASP

    176379 How to set up IIS and SQL Server on separate machines with a trusted connection

    247931 Authentication methods for connections to SQL Server in Active Server Pages
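The following class is an added end-to-end check for the Web.config impersonation setup above and for the SQL Server hop in troubleshooting item 7; it is example code, not from this article or from Microsoft. It assumes a hypothetical remote SQL Server named SQLHOST (a placeholder) and a hypothetical method name, Report, that a page calls after IIS has authenticated the request.

```csharp
// Added example, not from the article: reports each identity in the delegation
// chain and asks SQL Server which account it sees. SQLHOST is a placeholder.
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Text;
using System.Web;

public class DelegationCheck
{
    // TCP/IP is forced with Network Library=dbmssocn because named pipes
    // use NTLM only and cannot carry a delegated Kerberos identity.
    public const string ConnectionString =
        "Data Source=SQLHOST;Initial Catalog=master;" +
        "Integrated Security=SSPI;Network Library=dbmssocn";

    public static string Report(HttpContext context)
    {
        StringBuilder sb = new StringBuilder();
        // Identity IIS authenticated. AuthenticationType shows the package
        // that was negotiated; "NTLM" means Kerberos was not used, and NTLM
        // credentials cannot be forwarded to the next hop.
        IIdentity request = context.User.Identity;
        sb.Append("Request identity: ").Append(request.Name)
          .Append(" via ").Append(request.AuthenticationType).Append("\n");
        // Identity the worker thread runs under. With <identity impersonate="true" />
        // this matches the request identity; if it is still the process
        // account, impersonation is not in effect.
        WindowsIdentity thread = WindowsIdentity.GetCurrent();
        sb.Append("Thread identity:  ").Append(thread.Name).Append("\n");
        // Second hop: with working delegation SUSER_SNAME() returns the
        // browser user's account rather than the IIS computer or process account.
        try
        {
            using (SqlConnection conn = new SqlConnection(ConnectionString))
            {
                conn.Open();
                SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", conn);
                sb.Append("SQL Server sees:  ").Append(cmd.ExecuteScalar()).Append("\n");
            }
        }
        catch (SqlException ex)
        {
            // "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" here is the
            // usual sign that the IIS computer or account is not trusted for delegation.
            sb.Append("SQL connection failed: ").Append(ex.Message).Append("\n");
        }
        return sb.ToString();
    }
}
```

Write the returned string to a page with Integrated Windows authentication enabled and anonymous access disabled; the three lines should all name the browser user's domain account when the Internet Explorer, IIS, Web.config, and Active Directory steps are complete.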

REFERENCES

For more information about how to design more secure Web-based applications and delegation scenarios, see the Microsoft Developer Network (MSDN) Web site and the following book:

Designing Secure Web-Based Applications
Microsoft Press
Michael Howard, Marc Levy, and Richard Waymire
ISBN 0-7356-0995-0

Modification Type: Major    Last Reviewed: 2/25/2006
Keywords:kbAuthentication kbWebForms kbdomain kbClient kbConfig kbWebServer kbHOWTOmaster kbhowto KB810572 kbAudDeveloper