
I have the following setup:

  • ServerA, a web server with an ASP.NET MVC site
  • ServerB, a web server with an ASP.NET Web API service

The MVC site on ServerA consumes the Web API service on ServerB. Users log into the MVC site, but certain service methods in the Web API require that the user is in a particular role, etc., so I need to be able to authenticate the user at the Web API level.

For this reason, I have tried to set up Kerberos. ServerA has been trusted for delegation. The MVC website is running under a network user account (we'll call it ServiceAccount here) which has been set for delegation. I have set up an SPN for this. However, all requests from the MVC site to the Web API show that the user is ServiceAccount and not the actual logged-in user of the MVC site.

Information around Kerberos seems fragmented so I'm struggling to find a solution. Has anyone got any ideas what may be wrong here?

Thanks

James
  • Lots of good info on troubleshooting Kerberos auth on asp.net here: http://serverfault.com/questions/172754/kerberos-authentication-in-iis-with-net-app-under-domain-identity-not-working – Trondh Sep 26 '13 at 09:18
  • Have you tried setting useAppPoolCredentials =true? http://blogs.technet.com/b/proclarity/archive/2011/03/08/useapppoolcredentials-true-with-kerberos-delegation-on-2008.aspx – Greg Askew Sep 26 '13 at 09:26

1 Answer


After getting nowhere with this, I eventually found the following article: http://blogs.msdn.com/b/canberrapfe/archive/2012/01/02/kerberos-troubleshooting.aspx, in particular the instructions in "Section 5". This describes how to set up a very basic test to troubleshoot Kerberos double hops, which has helped me to get my own setup working.

James