IIS10.0 not allowing transfer of identity even though impersonation

Ashwin Muralidhar 1 Reputation point
2021-02-24T08:42:33.917+00:00

Hi,

We have an issue with IIS 10.0 on Windows Server 2019. We have hosted an ASP.NET application which submits jobs to an HPC server.

The issue is that IIS 10.0 is not allowing transfer of identity even though impersonation is activated and legacy impersonation is turned off for the ASP web.config file in Windows Server 2019.

Pls help.


1 answer

  1. MotoX80 32,526 Reputation points
    2021-02-26T12:54:34.773+00:00

    If you have 3 machines.... client --->> IIS Server ----> HPC Server, then you have the IIS double hop problem. There are many sites that describe this issue and ways to fix it.

    https://www.bing.com/search?q=iis+double+hop

    In the past I have used the DelegConfig tool to test and help configure IIS. But it has been many years since I have used this tool and it does not appear that it has been updated in a while. I don't know if this still works with IIS 10. You could give it a try.

    https://www.iis.net/downloads/community/2009/06/delegconfig-v2-beta-delegation-kerberos-configuration-tool
    https://blogs.iis.net/brian-murphy-booth/delegconfig-delegation-configuration-reporting-tool

    I have only passing experience with HPC. Is there a main "control" server? If you can't get Kerberos working, you could install IIS and the web app on that server, and then the impersonation would allow the HPC interface to "see" who the user is.

    Do you really need to impersonate the user? I have built "administrative" web sites to allow users who are not members of the Administrators group to perform admin tasks. Those sites authenticate the user but do not impersonate them. Then I set the IIS worker process to run as a domain account that has admin access on various servers. The web site code then controls what the user can request. One example is a site where I let the desktop support team create user home directories and shares on file servers. Depending on what your web site does, you might be able to use that technique.

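An added example (not code from the post, the question's application, or Microsoft) of the last approach in this answer: the site authenticates the Windows user but does not impersonate them, the app pool runs as a domain service account that is allowed to talk to the HPC head node, and the code decides what that user may request. It assumes classic ASP.NET with `<authentication mode="Windows"/>`, `<authorization><deny users="?"/></authorization>` and `<identity impersonate="false"/>` in web.config; the group name, script catalogue and core limit are hypothetical.

```csharp
// Added example, not the original poster's code. Authorization happens here, in the
// web app, instead of relying on the user's token reaching the HPC server (double hop).
using System;
using System.Collections.Generic;
using System.Security.Principal;

public sealed class JobRequest
{
    public string ScriptId { get; set; }   // key into the allow-listed script catalogue
    public int Cores { get; set; }         // cores the user asks for
}

public static class JobGate
{
    // Hypothetical group that may submit; the app pool identity, not the user, submits to HPC.
    const string SubmitterGroup = @"CONTOSO\HpcJobSubmitters";
    const int MaxCoresPerJob = 64;

    // Users pick from a fixed catalogue, so the service account never runs arbitrary commands.
    static readonly Dictionary<string, string> Scripts = new Dictionary<string, string>
    {
        { "nightly-report", @"\\hpc-head\scripts\nightly_report.cmd" },   // constructed paths
        { "mesh-solve",     @"\\hpc-head\scripts\mesh_solve.cmd" },
    };

    // Returns null when the request is allowed, otherwise the reason it was refused.
    public static string Validate(IPrincipal user, JobRequest req)
    {
        if (user == null || !user.Identity.IsAuthenticated)
            return "not authenticated";
        if (!user.IsInRole(SubmitterGroup))              // Windows group check, no impersonation needed
            return "not a member of " + SubmitterGroup;
        if (req == null || req.ScriptId == null || !Scripts.ContainsKey(req.ScriptId))
            return "unknown script";
        if (req.Cores < 1 || req.Cores > MaxCoresPerJob)
            return "cores must be between 1 and " + MaxCoresPerJob;
        return null;
    }

    // Command line the service account will submit; the job name carries the real
    // requester's name so the HPC job history shows who asked for it.
    public static string CommandFor(IPrincipal user, JobRequest req)
    {
        string name = "web:" + user.Identity.Name + ":" + DateTime.UtcNow.ToString("yyyyMMddHHmmss");
        return "job submit /jobname:\"" + name + "\" /numcores:" + req.Cores + " " + Scripts[req.ScriptId];
    }
}
```

In the page or handler, call `JobGate.Validate(HttpContext.Current.User, req)` and return 403 when it is non-null; only then hand `CommandFor(...)` to whatever the site uses to submit, which runs under the app pool account.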