Steps to enable double-hop delegation in IIS7 windows 2008

my ASP.NET web application uses windows authentication on our intranet. I want it to be able to make a server-side http request to another server on the same domain that also requires windows authentication.

I've followed the instructions on temporarily impersonating the authenticated user when making the additional request here:

http://msdn.microsoft.com/en-us/library/ff647404.aspx

Using code like this:

using System.Security.Principal;

// Obtain the authenticated user's Identity
WindowsIdentity winId = (WindowsIdentity)HttpContext.Current.User.Identity;
WindowsImpersonationContext ctx = null;
try
{
  // Start impersonating
  ctx = winId.Impersonate();
  // Now impersonating
  // Access resources using the identity of the authenticated user
  var request = WebRequest.Create("http://intranet/secureapp");
  request.Credentials = CredentialCache.DefaultCredentials;
  var response = request.GetResponse();
  using (var streamReader = new StreamReader(response.GetResponseStream()))
  {
      Response.Write(streamReader.ReadToEnd());
  }
}
// Prevent exceptions from propagating
catch
{
}
finally
{
  // Revert impersonation
  if (ctx != null)
    ctx.Undo();
}
// Back to running under the default ASP.NET process identity 

But, unfortunately, I always get a 401 unauthorized error.

Do I need to configure our webserver with active directory to allow it to delegate the autenticated user (could be any one of about 200 users, so don't want to have to do anything 200 times :))? If so, can anyone tell me how to do this?


There are several steps to configuring Kerberos/Delegation with Windows.

First, you need to configure ASP.NET to use delegation. I assume you have this configured in your web.config.

Then you need to configure the ASP.NET Service Account for delegation. Sometimes you have to create an SPN.

Then enable delegation for the IIS server AND the account in Active Directory.

Step by step instructions are provided here: http://msdn.microsoft.com/en-us/library/ms998355.aspx Follow Steps 1-3.