This is a migrated thread and some comments may be shown as answers.

Windows Authentication with Impersonation Failure

Michael O'Flaherty asked on 20 Feb 2013, 08:33 PM

Hi!

We are developing an intranet application that uses Windows Authentication with impersonation. Everything works well when everything is on one server and of course in the development environment. (We are using Visual Studio 2012, .NET 4.0, Windows Server 2008 R2, SQL Server 2008 Enterprise.)

We did have some initial issues with this setup until we realized that we need to support delegation for the Network Service account via AD. When we check the user object on a test webpage, everything works fine:

    AuthenticationType: Kerberos
    ImpersonationLevel: Impersonation
    IsAnonymous: False
    IsAuthenticated: True
    IsGuest: False
    IsSystem: False
    Name: [user]
    Owner: S-1-5-32-544
    Token: 2536
    User: S-1-5-21-1292428093-1715567821-839522115-9372

Note: we want to use Kerberos in this environment, and this is an HTTPS site. The database server and the web server are two different servers and both are on the same domain.

When we add a Telerik Listview control…

    <telerik:RadListView BackColor="Gray" runat="server" ID="radListViewTasks" OnNeedDataSource="radListViewTasks_NeedDataSource" Width="100%">
        <ItemTemplate>
            <div class="listViewItem">
                <asp:HyperLink ID="hyperLinkTask" NavigateUrl='<%# Eval("PageURL") %>' runat="server" Target="_self">
                    <asp:Image ID="imageTask" runat="server" ImageUrl='<%# Eval("FolderIcon") %>' /><br />
                    <span><%#Eval("TaskName")%></span>
                </asp:HyperLink>
            </div>
        </ItemTemplate>
    </telerik:RadListView>

…the database call on the backend:

    protected void radListViewPages_NeedDataSource(object sender, RadListViewNeedDataSourceEventArgs e)
    {
        radListViewPages.DataSource = GetPagesDataTable();
    }

… is causing the impersonated account to revert back to IIS’s account: Exception of type 'System.Web.HttpUnhandledException' was thrown.. Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

When we bypass the ASP.NET impersonation account and use a domain account, the error changes to: Exception of type 'System.Web.HttpUnhandledException' was thrown.. Login failed for user '[REDACTED]WEB1$'

Thinking we might have an ajax issue, we turned off the RadAjaxManager. No effect.

I will spare you all the database access code because we have tested both impersonation paths in other parts of the application. (We need to support two paths because we do some database work in the application_start in the Global.asax file, so that work is done under one specific domain account and all other session (user) activity is done through the impersonation via asp.net.)

I am not sure this is specifically a Telerik Listview issue, but more of the ‘need datasource’ call.

Before I take the time to build another test project for tech support, I thought I would go to the forum to see if anyone has banged their head against this issue.

Why would the Telerik datasource calls use the IIS account and not honor the web config settings? Do I need to set something up in IIS for the Telerik modules to use? Or what?

Thanks for your help!

Michael

1 Answer, 1 is accepted

Martin
Telerik team
answered on 25 Feb 2013, 01:17 PM
Hello Michael,

Note that the issues you observe have nothing in common with RadControls. Actually you would get the exact same results if you use a standard MS ListView control instead of a RadListView and bind it to the same data source (call GetPagesDataTable method on PageLoad event for example).

I suspect that the problem comes from wrong application / IIS setup. Note that you have to ensure that:
  • IIS anonymous access is disabled and WindowsAuthentication is enabled.
  • Application is set up to use windows authentication and anonymous users are disabled for the application / folder.
  • You have to manually Impersonate the user by calling the Impersonate method of the WindowsIdentity object. Another option would be to use a custom ApplicationPool that has the account in question as an identity. 

Since I am not a seasoned IIS / ASP.NET security specialist I would strongly recommend that you refer to some dedicated books or other resources that would give you more insight on the matter.

Regards,
Martin
the Telerik team
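
Added example, not part of the original thread and not Telerik's code: one way to do the manual impersonation mentioned in the answer around a database call, reporting which identity the web tier holds and which login the database tier received. The class name, connection string, server name and database name are placeholders.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

public static class DelegationCheck
{
    // Placeholder server and database names. Integrated Security means the
    // connection authenticates as whatever identity the thread holds.
    private const string ConnectionString =
        "Data Source=DBSERVER;Initial Catalog=AppDb;Integrated Security=SSPI";

    // Returns a one-line report: web-side identity and token level, then the
    // login SQL Server accepted or the error it returned.
    public static string Run()
    {
        var caller = HttpContext.Current.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            return "Request is not Windows-authenticated.";

        // Impersonate() swaps the thread token; disposing the context reverts it.
        using (caller.Impersonate())
        {
            WindowsIdentity effective = WindowsIdentity.GetCurrent();
            // Delegation is the level usable against a remote server;
            // Impersonation is valid on the local machine only.
            string web = string.Format("thread={0}; level={1}",
                effective.Name, effective.ImpersonationLevel);
            try
            {
                using (var conn = new SqlConnection(ConnectionString))
                using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
                {
                    conn.Open();
                    return web + "; sql login=" + (string)cmd.ExecuteScalar();
                }
            }
            catch (SqlException ex)
            {
                // A "Login failed for user ..." message names the account the
                // database server actually received for this connection.
                return web + "; sql error=" + ex.Message;
            }
        }
    }
}
```

Calling DelegationCheck.Run() from the same event handler that performs the data binding shows whether the identity is lost on the web server or on the hop to the database server.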
