Question: Windows Authentication + Delegation

[jruckert]

Hi All,

Traditionally when we want to setup impersonation/delegation we would usually setup the apppool credentials with a SPN (associated with the http/) + turn on impersonation under the web.config file.

In the new world, we have done the same regarding the SPN and http/ (NOTE: This url is different from the Kestrel hosting.json server.url)

We have tried every permutation under the sun (apart from the right one that is!) to try to get a simple IIS Windows Auth vNext Website + HttpPlatformHandler to delegate through the windows credentials to SQL, it always uses the app pool. (We have modified the web.config file to pass through the windows auth token as per documentation under this site)

Note: When we render out on the MVC Webpage the IHttpContextAccessor -> Context -> Identity -> Username, this is showing the correct authenticated username, not the app pool.

My theory to make this work is as follows:

If someone can please verify if this is correct, I would really appreciate it.

Dnx.exe (which is the one connecting to the DB, doing the web requests etc), is fundamentally proxied through IIS (+ the HttpPlatformHandler) to localhost:5002 at the moment. The w3wp.exe process is actually redundant in the security side of things.

localhost:5002 does not have any SPN’s etc for this service account etc.

If we update the hosting.json file (“server.urls”) to be say http://secure-dotnet.mywebserver.com:5002 and set the SPN to this (e.g. http/secure-dotnet.mywebserver.com:5002)

Will we have a fighting chance?

[Tratcher]

/cc: @blowdart

Your analysis is mostly accurate. Let me fill in some blanks.

The authentication is happening in IIS so you do need the SPN configured there. However the impersonation there is irrelevant as we are running out of process. The identity is passed to the back-end process through a special handshake, and used to populate HttpContext.User. However there is no automatic or configurable impersonation of the user. You would need to explicitly call WindowsIdentity.Impersonate() before performing delegated operations.

Side note: When running in IIS/Express you should not explicitly configure server.urls for the back-end process. HttpPlatformHandler tells us a random port to listen on.

[jruckert]

Thanks for your guidance, this clarifies a lot of my thinking, so in theory though if I wanted all operations to be delegated, would a valid approach be to create some middleware to perform this impersonation operation for all requests? (Thinking about this as I write this, I'm thinking its not valid as we are interested in outbound impersonation to another service, not the inbound request?)

I suppose we are all complacent with the old school method of the one liner

<identity impersonate="true"/>

into the web.config without having to write any additional code.

Would the middleware approach (if its valid) have the potential to lead to cross contamination of impersonation requests (e.g. one thread having the wrong impersonation credentials?)

If the middleware approach is not valid, then this would mean we would have to identify any services such as SQL and wrap each call (EF7 Create/Update etc), WCF/Web Services outbound calls with this impersonate request (quite a lot of code to wrap).

Most enterprises apps would like understand this scenario from my experience (our team is trying to develop one as we speak which helps!) which requires pass through authentication to a myriad of services (SQL, web services etc).

Thank you for your thoughts!

[Tratcher]

@blowdart, I'll defer to you on this one.

[blowdart]

Assuming the identity flows async and to background tasks that would work, however it may not be what you want to be honest. Error handling would now run elevated and that's usually not a good idea, especially if threads abort and things hang around for a while.

So if I were recommending an approach it would be to wrap only the code that requires it in an impersonation call, and ensure that you catch errors and de-elevate properly no matter what Usually this involves writing a class that implements IDisposable and using using to wrap your code.

[jruckert]

Thanks!

[jruckert]

Sorry last question, will we need a SPN for the dnx.exe process for the specific port that it is listening on?

[Tratcher]

No, there is no authentication being processed in the dnx.exe, that all happens in IIS and is handed off to us.

[jruckert]

I've done everything that has been recommended so far, and still not delegation of rights.

I'm running under both Anonymous and Windows Auth (due to a CORS being a requirement).

I'll attempt to send a stack trace/wireshark etc, as this is not working.

[muratg]

@pakrym Could you attempt a repro for this issue?