End-to-end Kerberos delegated authentication in ASP.NET

非 Y 不嫁゛ submitted on 2020-01-04 04:02:07

Question


I'm trying to set up an internal website that will contact another backend service within the network on behalf of the user using an HttpWebRequest. I have to use Integrated Windows Authentication on the ASP.NET application as the backend system only supports this type of authentication.

I'm able to set up IWA on the ASP.NET application, and it's using Kerberos as I expect it to. However, when the authentication is delegated to the backend system it doesn't work anymore. This is because the backend system only supports Kerberos IWA, but the delegation for some reason - even though the incoming request is Kerberos authenticated - converts the authentication to NTLM before forwarding to the backend system.

Does anybody know what I need to do on the ASP.NET application in order to allow it to forward the identity using Kerberos?

I've tried the following, but it doesn't seem to work:

CredentialCache credentialCache = new CredentialCache();
credentialCache.Add(request.RequestUri, "Negotiate", CredentialCache.DefaultCredentials.GetCredential(request.RequestUri, "Kerberos"));
request.Credentials = credentialCache;

I've also tried to set "Kerberos" where it now says "Negotiate", but it doesn't seem to do much.


Answer 1:


In your application, you only need to use DefaultCredentials:

request.UseDefaultCredentials = true;

However, there is some work to do on Active Directory:

  • Set up an SPN on your application pool account for your front end application
  • Set up an SPN on your application pool account for your back end application
  • Set up delegation from the first application pool to the second SPN
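
The three Active Directory steps above, sketched in PowerShell as an added example that is not part of the original answer. It assumes both application pools run as domain user accounts and that the RSAT ActiveDirectory module is installed; every account name, domain and host name below is a constructed placeholder.

```powershell
# Constructed placeholder values; replace with your own accounts and host names.
$Domain          = 'CORP'
$FrontEndAccount = 'svc-frontend'               # app pool identity of the ASP.NET site
$BackEndAccount  = 'svc-backend'                # app pool identity of the backend service
$FrontEndSpn     = 'HTTP/portal.corp.example'   # host name users browse to
$BackEndSpn      = 'HTTP/backend.corp.example'  # host name used in the HttpWebRequest URL

Import-Module ActiveDirectory

# Steps 1 and 2: register one SPN per service account.
# -S searches for an existing registration first; a duplicate SPN makes
# Kerberos ticket requests for that service fail.
setspn -S $FrontEndSpn "$Domain\$FrontEndAccount"
setspn -S $BackEndSpn  "$Domain\$BackEndAccount"

# Step 3: constrained delegation. The front-end account may delegate
# only to the backend SPN listed here, not to every service in the domain.
Set-ADUser -Identity $FrontEndAccount -Add @{ 'msDS-AllowedToDelegateTo' = $BackEndSpn }

# Verification. For this setup you want:
#   msDS-AllowedToDelegateTo   = the backend SPN only
#   TrustedForDelegation       = False (True means unconstrained delegation)
#   TrustedToAuthForDelegation = False (protocol transition is not needed
#                                when the incoming logon is already Kerberos)
Get-ADUser -Identity $FrontEndAccount -Properties servicePrincipalName,
        'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation |
    Format-List SamAccountName, servicePrincipalName, 'msDS-AllowedToDelegateTo',
        TrustedForDelegation, TrustedToAuthForDelegation

# Confirm the backend SPN resolves to exactly one account.
setspn -Q $BackEndSpn

# Accounts flagged "sensitive and cannot be delegated" are never forwarded.
# Keep that flag on privileged accounts, and expect them to fail on the
# second hop by design.
Get-ADUser -Filter 'AccountNotDelegated -eq $true' | Select-Object SamAccountName
```

The SPN host names must match the names clients and the front end actually use in their URLs, otherwise no Kerberos ticket can be requested for the service and Negotiate falls back to NTLM.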


Source: https://stackoverflow.com/questions/2963812/end-to-end-kerberos-delegated-authentication-in-asp-net
