.NET 6 Blazor server on Windows domain - Kerberos delegation and impersonation

Jet 1 Reputation point

Hi all,

I'm trying to solve a problem which appears to be simple in theory but somewhat hard in reality. After reading a lot of posts online I feel the need to ask for help here.

What I'm trying to do is this (all via Kerberos / Windows auth)

Client user (Windows, Domain A, has domain SPN) -> Blazor Server on Server 1 (Windows Server, Domain A, IIS10, SPN TrustedForDelegation) -> Service API (Windows Server, Domain A, has domain SPN)

The trick is that I want the Blazor server app to call the "Service API" as the "Client user" (impersonation). This is working as expected when debugging using IIS Express on my laptop, however, when I deploy the build to the production server it does not work. The server hosting the Blazor Server app is trusted for delegation and I see no Kerberos errors on the network traffic.

I believe that I have tried every single permutation of IIS settings and ways to impersonate without any luck. My "Blazor server" gets a 401 back from the Service API. I can see that Authentication and AD authorization on the Blazor server is working as expected.

Is there an official way of configuring impersonation in .NET 6 with IIS 10 in a Blazor Server app using Kerberos as the authentication protocol?

Thank you for the help.
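The second hop described above, written out as an added C# example (not code from the original post). It assumes a named HttpClient "ServiceApi" registered with default credentials and a hypothetical DelegatedApiClient service; the WindowsIdentity is the one from the initial HTTP request that established the Blazor circuit.

```csharp
using System.Net.Http;
using System.Security.Principal;

// Program.cs: the handler must send the ambient Windows identity, and the
// connection must be opened while impersonating, so Kerberos picks up the
// delegated caller TGS rather than the app pool account.
// builder.Services.AddHttpClient("ServiceApi",
//         c => c.BaseAddress = new Uri("https://api.example.corp/"))   // placeholder host
//     .ConfigurePrimaryHttpMessageHandler(
//         () => new HttpClientHandler { UseDefaultCredentials = true });
//
// IIS preconditions that this code cannot substitute for:
//  - the app pool runs as the account holding the HTTP/<blazor host> SPN,
//    and windowsAuthentication has useAppPoolCredentials="true" so kernel-mode
//    auth decrypts tickets with that account rather than the machine account;
//  - that account is trusted for delegation to the API host's SPN;
//  - a 401 with no KRB errors on the wire usually means the browser->IIS hop
//    fell back to NTLM (e.g. wrong or missing SPN for the URL used), and an
//    NTLM session cannot be delegated, so the API hop goes out anonymous.
public sealed class DelegatedApiClient
{
    private readonly IHttpClientFactory _factory;

    public DelegatedApiClient(IHttpClientFactory factory) => _factory = factory;

    // Calls the Service API as the interactive user. In Blazor Server the
    // WindowsIdentity comes from the request that started the circuit; clone
    // it (the constructor duplicates the token) so the handle outlives that
    // request. The clone is an assumption about your hosting, not a rule.
    public async Task<string> GetAsUserAsync(WindowsIdentity caller, string relativeUrl)
    {
        if (caller is null || !caller.IsAuthenticated)
            throw new InvalidOperationException("Caller must be an authenticated Windows identity.");

        using var durable = new WindowsIdentity(caller.Token);

        return await WindowsIdentity.RunImpersonatedAsync(durable.AccessToken, async () =>
        {
            var client = _factory.CreateClient("ServiceApi");
            using var response = await client.GetAsync(relativeUrl);
            // Surface the downstream 401 explicitly instead of swallowing it.
            response.EnsureSuccessStatusCode();
            return await response.Content.ReadAsStringAsync();
        });
    }
}
```

Inject the service into a component and pass `(WindowsIdentity)authState.User.Identity` from `AuthenticationStateProvider`; logging `WindowsIdentity.GetCurrent().Name` inside the delegate is a quick check that impersonation actually took effect on the server.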


1 answer

  1. Limitless Technology 37,786 Reputation points

    Hi there,

    KRB Error: KRB5KDC_ERR_BADOPTION error occurs when the BIG-IP APM system is unable to obtain a Kerberos service ticket on behalf of the user and Kerberos SSO fails for the user.

    When these messages occur, consider the following:

    - In the Active Directory delegation account (Account Properties > Delegation), add the requested service to the Services to which this account can present delegated credentials box.
    - When using a non-Windows Kerberos KDC environment, ensure that the KDC can support the same options as Active Directory.

    The below thread discusses the same issue and you can get some insights from this.
    Kerberos error when using a DNS name that doesn't match the Active Directory domain name https://social.technet.microsoft.com/Forums/windowsserver/en-US/736b4f5e-536f-455d-bf73-3c4d147de4b6/kerberos-error-when-using-a-dns-name-that-doesnt-match-the-active-directory-domain-name?forum=winservergen

    If the reply is helpful, please Upvote and Accept it as an answer.
