Windows Authentication with Impersonation Failure

2 posts, 0 answers
  1. Michael O'Flaherty
    Michael O'Flaherty avatar
    67 posts
    Member since:
    Jun 2010

    Posted 20 Feb 2013 Link to this post

    Hi!

    We are developing an intranet application that uses Windows Authentication with impersonation. Everything works well when everything is on one server and of course in the development environment. (We are using Visual Studio 2012, .NET 4.0, Windows Server 2008 R2, SQL Server 2008 Enterprise.)

    We did have some initial issues with this setup until we realized that we need to support delegation for the Network Service account via AD. When we check the user object on a test webpage, everything works fine:

    AuthenticationType: Kerberos

    ImpersonationLevel: Impersonation

    IsAnonymous: False

    IsAuthenticated: True

    IsGuest: False

    IsSystem: False

    Name: [user]

    Owner: S-1-5-32-544

    Token: 2536

    User: S-1-5-21-1292428093-1715567821-839522115-9372

    Note: we want to use Kerberos in this environment, and this is an HTTPS site. The database server and the web server are two different servers and both are on the same domain.

    When we add a Telerik Listview control…

    <telerik:RadListView BackColor="Gray" runat="server" ID="radListViewTasks" OnNeedDataSource="radListViewTasks_NeedDataSource" Width="100%">
      
                                <ItemTemplate>
      
                                    <div class="listViewItem">
      
                                        <asp:HyperLink ID="hyperLinkTask" NavigateUrl='<%# Eval("PageURL") %>' runat="server" Target="_self">
      
                                            <asp:Image ID="imageTask" runat="server" ImageUrl='<%# Eval("FolderIcon") %>' /><br />
      
                                            <span><%#Eval("TaskName")%></span>
      
                                        </asp:HyperLink>
      
                                    </div>
      
                                </ItemTemplate>
      
                            </telerik:RadListView>

    …the database call on the backend:

    protected void radListViewPages_NeedDataSource(object sender, RadListViewNeedDataSourceEventArgs e)
      
            {
      
                radListViewPages.DataSource = GetPagesDataTable();
      
            }

    … is causing the impersonated account to revert back to IIS’s account: Exception of type 'System.Web.HttpUnhandledException' was thrown.. Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

    When we bypass the ASP.NET impersonation account and use a domain account, the error changes to: Exception of type 'System.Web.HttpUnhandledException' was thrown.. Login failed for user '[REDACTED]WEB1$'

    Thinking we might have an ajax issue, we turned off the RadAjaxManager. No effect.

    I will spare you all the database access code because we have tested both impersonation paths in other parts of the application. (We need to support two paths because we do some database work in the application_start in the Global.asax file, so that work is done under one specific domain account and all other session (user) activity is done through the impersonation via asp.net.)

    I am not sure this is specifically a Telerik Listview issue, but more of the ‘need datasource’ call.

    Before I take the time to build another test project for tech support, I thought I would go to the forum to see if anyone has banged their head against this issue.

    Why would the Telerik datasource calls use the IIS account and not honor the web config settings? Do I need to set up something up in IIS for the Telerik modules to use? Or what?

    Thanks for your help!

    Michael

  2. Martin
    Admin
    Martin avatar
    811 posts

    Posted 25 Feb 2013 Link to this post

    Hello Michael,

    Note that the issues you observe have nothing in common with RadControls. Actually you would get the exact same results if you use a standard MS ListView control instead of a RadListView and bind it to the same data source (call GetPagesDataTable method on PageLoad event for example).

    I suspect that the problem comes from wrong application / IIS setup. Note that you have to ensure that:
    • IIS anonymous access is disabled and WindowsAuthentication is enabled.
    • Application is setup to use windows authentication and anonymous users are disabled for the application / folder.
    • You have to manually Impersonate the user by calling the Impersonate method of the WindowsIdentity object. Another option would be to use a custom ApplicationPool that has the account in question as an identity. 

    Since I am not a seasoned IIS / ASP.NET security specialist I would strongly recommend that you refer to some dedicated books or other resources that would give you more insight on the matter.

    Regards,
    Martin
    the Telerik team

    If you want to get updates on new releases, tips and tricks and sneak peeks at our product labs directly from the developers working on the RadControls for ASP.NET AJAX, subscribe to their blog feed now.
  3. UI for ASP.NET Ajax is Ready for VS 2017
Back to Top