views:

115

answers:

1

I'm trying to set up an internal website that will contact another backend service within the network on behalf of the user using an HttpWebRequest. I have to use Integrated Windows Authentication on the ASP.NET application as the backend system only supports this type of authentication.

I'm able to set up IWA on the ASP.NET application, and it's using Kerberos as I expect it to. However, when the authentication is delegated to the backend system it doesn't work anymore. This is because the backend system only supports Kerberos IWA, but the delegation for some reason - even though the incoming request is Kerberos authenticated - converts the authentication to NTLM before forwarding to the backend system.

Does anybody know what I need to do on the ASP.NET application in order to allow it to forward the identity using Kerberos?

I've tried the following, but it doesn't seem to work:

CredentialCache credentialCache = new CredentialCache();
credentialCache.Add(request.RequestUri, "Negotiate", CredentialCache.DefaultCredentials.GetCredential(request.RequestUri, "Kerberos"));
request.Credentials = credentialCache;

I've also tried to set "Kerberos" where it now says "Negotiate", but it doesn't seem to do much.

+1  A: 

In your application, you only need to use DefaultCredentials:

request.UseDefaultCredentials = true;

However, there is some work to do on Active Directory:

  • Set up a SPN on your application pool account for your front end application
  • Set up a SPN on your application pool account for your back end application
  • Set up delegation from the first application pool to the second SPN

Nico
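As an added example (not part of Nico's answer or the original question), here is the Active Directory side of those three steps in PowerShell, using constrained, Kerberos-only delegation so the front-end account can obtain tickets only for the back-end SPNs rather than for any service. All account and host names are assumptions.

```powershell
# Added example. Assumed names: front-end app pool account svc-frontend on host
# web01.corp.example, back-end app pool account svc-backend on host api01.corp.example.
# Requires the RSAT ActiveDirectory module and write access to both accounts.
Import-Module ActiveDirectory

$frontSvc  = 'svc-frontend'
$backSvc   = 'svc-backend'
$frontSpns = @('HTTP/web01', 'HTTP/web01.corp.example')
$backSpns  = @('HTTP/api01', 'HTTP/api01.corp.example')

# 1) SPN on the front-end app pool account, so the browser can get a Kerberos
#    service ticket for the site instead of falling back to NTLM.
#    setspn -S checks for duplicate SPNs in the forest before adding.
foreach ($spn in $frontSpns) { setspn.exe -S $spn $frontSvc }

# 2) SPN on the back-end app pool account, for the same reason.
foreach ($spn in $backSpns) { setspn.exe -S $spn $backSvc }

# 3) Constrained delegation: the front-end account may request tickets on behalf
#    of the caller only for the back-end SPNs. This does not set
#    TrustedForDelegation, which would be unconstrained delegation to any service.
Set-ADUser -Identity $frontSvc -Add @{ 'msDS-AllowedToDelegateTo' = $backSpns }

# Verify the result. Expected: the back-end SPNs listed,
# TrustedForDelegation = False, TrustedToAuthForDelegation = False
# (Kerberos only; no protocol transition from NTLM or other methods).
Get-ADUser -Identity $frontSvc -Properties 'msDS-AllowedToDelegateTo',
    TrustedForDelegation, TrustedToAuthForDelegation |
  Select-Object SamAccountName, TrustedForDelegation, TrustedToAuthForDelegation,
    @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }

# Users flagged "Account is sensitive and cannot be delegated" will not be
# forwarded by Kerberos at all; list them so that failure is not misdiagnosed.
Get-ADUser -Filter { AccountNotDelegated -eq $true } | Select-Object SamAccountName
```

On the ASP.NET side, UseDefaultCredentials picks up the identity of the thread making the request, so the request must run under the caller's impersonated Windows token, otherwise the back end sees the app pool account rather than the user.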