Monday, January 03, 2011

Windows 2008R2 (IIS 7.5) ASP.NET 4.0 Configuration For Impersonation

Admittedly I am still learning a lot about .NET, and recently I was stumped on how to configure an IIS website properly to allow ASP.NET code to impersonate the user hitting the website. Impersonation doesn't seem to be a very common thing to do; often we hard-code account credentials to access things like database repositories. In this case, I was using a workflow product called K2, which lets you use its C# API to access the workflow engine so that the user hitting your application can access and manipulate their own tasks on the K2 workflow server. For my web application to let you manipulate workflow tasks on that remote K2 server, I need impersonation.

In my first attempt at building a custom web form for workflow tasks I used the default settings in IIS 7.5 for a new website. In my web application, my C# calls to connect to the workflow server threw errors saying the IIS application pool account did not have rights to access the task I was trying to run. That makes sense: I needed to use the logged-in user's account rather than the application pool identity. It took a bit of guess-and-test, but I found a configuration that allows this kind of impersonation to happen, and thankfully in this case Kerberos is not required (single-hop impersonation works with NTLM).

The tricky part was enabling support for the .NET 4.0 framework on Windows Server 2008 R2. I still can't believe Microsoft disables their latest and greatest ASP.NET version on a Windows 2008 product. Anyway, here's what I did:

  1. Install the IIS role services required for integrated authentication and impersonation. From the Server Manager tool, confirm the following:
    1. Confirm the "Web Server (IIS)" role is installed.
    2. Confirm the "Windows Authentication" role service is installed, along with any other role services your web application needs (ASP.NET, ISAPI Extensions/Filters, etc.).
  2. Enable the .NET 4.0 framework (this took me forever to figure out!). On 2008 R2 the ASP.NET v4.0 ISAPI entries are registered but set to "Not Allowed", so requests routed through aspnet_isapi.dll fail with HTTP 404.2 until they are allowed.
    1. Launch the "Internet Information Services (IIS) Manager" tool.
    2. Click on the root IIS server in the "Connections" pane, then open the "ISAPI and CGI Restrictions" tool from the Features View pane.
    3. Set both "ASP.NET v4.0.xxxxx" entries (the 32-bit and 64-bit aspnet_isapi.dll) to "Allowed".
  3. Disable Anonymous Authentication for the site, then enable Windows Authentication and ASP.NET Impersonation. Both changes are needed: with Anonymous Authentication still on, ASP.NET Impersonation impersonates the anonymous user account (IUSR by default), not the person at the browser.
    1. Launch the "Internet Information Services (IIS) Manager" tool.
    2. Click on your website in the "Connections" pane, then open the "Authentication" tool from the Features View pane.
    3. Disable "Anonymous Authentication". Enable both "Windows Authentication" and "ASP.NET Impersonation".
    4. Click on "Windows Authentication", then click "Advanced Settings" and confirm that "Extended Protection" is set to Off and that "Enable Kernel-mode authentication" is not checked. Extended Protection is IIS's channel-binding defence against NTLM credential relaying, so if you switch it off to get impersonation working, record it as a hardening item to revisit once the site works.
  4. Modify the web application's web.config to support impersonation. Be aware that the anonymousAuthentication and windowsAuthentication sections under system.webServer are locked at the server level by default (overrideModeDefault="Deny" in applicationHost.config), so a web.config that contains them is rejected with "This configuration section cannot be used at this path" unless you unlock them first with appcmd's unlock config command; since step 3 already set them in IIS Manager, you can also simply leave them out. The part that actually turns on impersonation is the identity element under system.web, which is not locked. Here is an example:

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
        <system.webServer>
            <security>
                <!-- Mirrors step 3. Both sections are locked at the server level by
                     default; unlock them first, or drop this block and rely on the
                     IIS Manager settings. -->
                <authentication>
                    <anonymousAuthentication enabled="false" />
                    <windowsAuthentication enabled="true" />
                </authentication>
            </security>
        </system.webServer>
        <system.web>
            <!-- Runs each request's thread under the authenticated caller's token. -->
            <identity impersonate="true" />
        </system.web>
    </configuration>
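
Here, as an added example that is not part of the original post, is a PowerShell script that carries out the four steps above unattended on Windows Server 2008 R2 / IIS 7.5 using the ServerManager and WebAdministration modules, and then drops a diagnostic whoami.aspx page into the site so you can see which account the ASP.NET code is really running as. The site name and physical path ($siteName, $sitePath) and the IIS APPPOOL\K2Tasks account in the comments are placeholders I chose, not values from the post.

```powershell
# Added example, not from the original post: scripts steps 1-4 above and adds a
# diagnostic page. Run from an elevated PowerShell prompt on the IIS server.
# Assumptions: the site already exists in IIS; $siteName and $sitePath are
# placeholders for its name and physical path.
$siteName = 'K2Tasks'                      # assumption: existing IIS site name
$sitePath = 'C:\inetpub\wwwroot\K2Tasks'   # assumption: its physical path

# Step 1: IIS role services for ASP.NET, ISAPI and Windows Authentication.
Import-Module ServerManager
Add-WindowsFeature Web-Server, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Windows-Auth

Import-Module WebAdministration

# Step 2: set every "ASP.NET v4.0.*" entry in ISAPI and CGI Restrictions (the
# 32-bit and 64-bit aspnet_isapi.dll) to Allowed. Matching on the description
# avoids hard-coding the framework build number.
Get-WebConfiguration -PSPath 'IIS:\' -Filter '/system.webServer/security/isapiCgiRestriction/add' |
    Where-Object { $_.description -like 'ASP.NET v4.0*' } |
    ForEach-Object {
        Set-WebConfigurationProperty -PSPath 'IIS:\' `
            -Filter "/system.webServer/security/isapiCgiRestriction/add[@path='$($_.path)']" `
            -Name allowed -Value $true
    }

# Step 3: anonymous off, Windows Authentication on, kernel-mode off, Extended
# Protection off. -Location writes these into the site's <location> block in
# applicationHost.config, which works even though the sections are locked for
# web.config, so the "cannot be used at this path" error never comes up.
$auth = '/system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName -Filter "$auth/windowsAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName -Filter "$auth/windowsAuthentication" -Name useKernelMode -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName -Filter "$auth/windowsAuthentication/extendedProtection" -Name tokenChecking -Value 'None'

# Step 4: ASP.NET impersonation is a system.web setting and is not locked, so it
# goes straight into the site's web.config as <identity impersonate="true" />.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" -Filter '/system.web/identity' -Name impersonate -Value $true

# Only if you also want the authentication elements inside web.config, as in the
# sample above: unlock the two sections. This is a server-wide policy change
# (any application's web.config can then switch Windows Authentication off),
# so skip it when the -Location settings above are enough.
$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
& $appcmd unlock config '/section:system.webServer/security/authentication/anonymousAuthentication'
& $appcmd unlock config '/section:system.webServer/security/authentication/windowsAuthentication'

# Diagnostic page. With impersonation in effect both identities are the browser
# user; if the thread identity is still the application pool account (for
# example IIS APPPOOL\K2Tasks), impersonation is not taking effect.
@'
<%@ Page Language="C#" %>
<html><body>
<p>Thread identity: <%= Server.HtmlEncode(System.Security.Principal.WindowsIdentity.GetCurrent().Name) %></p>
<p>Request user: <%= Server.HtmlEncode(User.Identity.Name) %></p>
<p>Authentication type: <%= Server.HtmlEncode(User.Identity.AuthenticationType) %></p>
</body></html>
'@ | Set-Content -Path (Join-Path $sitePath 'whoami.aspx') -Encoding Ascii
```

Browse to /whoami.aspx from a domain-joined client and compare the two names; the authentication type line tells you whether the browser negotiated NTLM or Kerberos. Two caveats worth keeping in mind: the token obtained through NTLM is a network logon that cannot be forwarded to a third machine, so if the impersonated identity has to reach a further back end (a SQL Server or file share on another host) you are past the single hop this post relies on and need Kerberos with delegation configured; and browsers only send Windows credentials silently to sites they place in the Local intranet zone, otherwise the user is prompted. Delete whoami.aspx once you are done, since it advertises account names to anyone who can reach the site.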

3 comments:

Justin said...

Bryan, when I set up my service this way, I get a message:
Error

This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".

Any suggestions?

Bryan said...

Hi Justin. If your web application is deployed under another site with its own web.config, it will inherit properties from the parent web.config above it, which could be causing your problem. Work your way up the directory structure on the IIS server where your application is deployed and check the web.config files along the way. One of them may have locked a section of the web.config you want to modify.

I hope that helps!

Justin said...

I was finally able to solve my problem by turning off Windows authentication, turning on impersonation and anonymous authentication.

Thanks