IIS10.0 not allowing transfer of identity even though impersonation

Question

Hi,

We have a issue with IIS 10.0 in windows server 2019. We have hosted a ASP.NET application which submit jobs to HPC server.

The issue is IIS 10.0 is not allowing transfer of identity even though impersonation is activated and legacy Impersonation is turned off for ASPWEBconfigfile in windows server 2019,

Pls help.

Answer 1

If you have 3 machines.... client --->> IIS Server ----> HPC Server, then you have the IIS double hop problem. There are many sites that describe this issue and ways to fix it.

https://www.bing.com/search?q=iis+double+hop

In the past I have used the DelegConfig tool to test and help configure IIS. But it has been many years since I have used this tool and it does not appear that it has been updated in a while. I don't know if this still works with IIS 10. You could give it a try.

https://www.iis.net/downloads/community/2009/06/delegconfig-v2-beta-delegation-kerberos-configuration-tool
https://blogs.iis.net/brian-murphy-booth/delegconfig-delegation-configuration-reporting-tool

I have only passing experience with HPC. Is there a main "control" server? If you can't get Kerberos working, you could install IIS and the web app on that server, and then the impersonation would allow the HPC interface to "see" who the user is.

Do you really need to impersonate the user? I have built "administrative" web sites to allow users who are not members of the Administrators group to perform admin tasks. Those sites authenticate the user but do not impersonate them. Then I set the IIS worker process to run as a domain account that has admin access on various servers. The web site code then controls what the user can request. One example is a site where I let the desktop support team create user home directories and shares on file servers. Depending on what your web site does, you might be able to use that technique.