ASP.NET Core 2.1 Kerberos delegation not working #1453
Comments
@davidsh is this an issue you've seen with WinHttpHandler?
This seems like it's likely an issue in
@Phibsi Can you clarify, are you using .NET Framework with ASP.NET Core 2.1? Impersonation isn't supported in .NET Core, so I'm presuming you are? Can you provide a runnable sample that illustrates what you're doing and where it's failing (I realize that it will depend upon per-machine configuration like Windows domains, etc.).
Clarification: ASP.NET Core doesn't do impersonation by default on .NET or Core, but you can do impersonation manually on either.
Hi @anurse, I created a sample project to reproduce the issue: https://github.com/phibsi/sample-aspnetcore-impersonation You need to publish the webservice to an IIS Website on Windows Server 2012 R2.
Hi @Tratcher, Impersonation is done in https://github.com/phibsi/sample-aspnetcore-impersonation/blob/ec4aa0de0f2f44ee771c6cff0b0d2bf50155bc93/Services/ImpersonationService.cs#L64 using IIS, Kerberos and
Does it work any better when the action being run under impersonation is not async (or is forced to complete synchronously within the impersonation)? We've seen issues in the past with the impersonation being reverted too soon.
Hi @Tratcher, I updated the project and changed the async CSOM request to sync WebRequest: But I get the same error message :( Any idea?
Ok, since this is primarily an issue with impersonation and outgoing requests I'm going to transfer it over to the folks that own those. This does have some similarities to https://github.com/dotnet/corefx/issues/38646, but not quite the same stack trace.
We haven't seen any prior customer issues with delegation and WinHttpHandler. I noticed that HttpWebRequest is being used. Also, WinHttpHandler is no longer the default HTTP stack for latest .NET Core (such as 3.0/3.1). You might want to try latest .NET Core to see if the problem reproduces.
Triage: Looks like it may be addressed in .NET Core 3.0+. As we do not have clear repro to try, closing for now. Feel free to reopen if there is evidence it is still failing on .NET Core 3.0+. Ideally with a repro for us to try. Thanks!
Hi all, I'm sorry for my late answer. I updated the app to ASP.NET Core 3.1 and I implemented async requests (HttpClient) and I removed the UseSocketsHttpHandler. Now the error message looks like this:
Any idea?
You can find the code in this repo: https://github.com/phibsi/sample-aspnetcore-impersonation/
Hi all,
we have an ASP.NET Core 2.1 API running on a Windows Server 2012 R2 in IIS.
The IIS is configured to use Kerberos authentication, SPNs are set correctly and the application pool identity is a custom domain user. Delegation is enabled, too.
The API is called by a browser and tries to connect to a SharePoint 2013 Server using impersonation and web requests.
When I call the API with my account, which is a local administrator on the server hosting the API, impersonation works perfectly.
If a regular account tries to call the API an exception gets thrown:
Now, if I just open the Internet Explorer on the server hosting the API as a regular user the impersonation works from the client's computer.
Does anyone have an idea?
Greetings from Hamburg!