Hi!
We are developing an intranet application that uses Windows Authentication with impersonation. Everything works well when everything is on one server and of course in the development environment. (We are using Visual Studio 2012, .NET 4.0, Windows Server 2008 R2, SQL Server 2008 Enterprise.)
We did have some initial issues with this setup until we realized that we need to support delegation for the Network Service account via AD. When we check the user object on a test webpage, everything works fine:
AuthenticationType: Kerberos
ImpersonationLevel: Impersonation
IsAnonymous: False
IsAuthenticated: True
IsGuest: False
IsSystem: False
Name: [user]
Owner: S-1-5-32-544
Token: 2536
User: S-1-5-21-1292428093-1715567821-839522115-9372
Note: we want to use Kerberos in this environment, and this is an HTTPS site. The database server and the web server are two different servers and both are on the same domain.
When we add a Telerik Listview control…
<
telerik:RadListView
BackColor
=
"Gray"
runat
=
"server"
ID
=
"radListViewTasks"
OnNeedDataSource
=
"radListViewTasks_NeedDataSource"
Width
=
"100%"
>
<
ItemTemplate
>
<
div
class
=
"listViewItem"
>
<
asp:HyperLink
ID
=
"hyperLinkTask"
NavigateUrl='<%# Eval("PageURL") %>' runat="server" Target="_self">
<
asp:Image
ID
=
"imageTask"
runat
=
"server"
ImageUrl='<%# Eval("FolderIcon") %>' /><
br
/>
<
span
><%#Eval("TaskName")%></
span
>
</
asp:HyperLink
>
</
div
>
</
ItemTemplate
>
</
telerik:RadListView
>
…the database call on the backend:
protected
void
radListViewPages_NeedDataSource(
object
sender, RadListViewNeedDataSourceEventArgs e)
{
radListViewPages.DataSource = GetPagesDataTable();
}
… is causing the impersonated account to revert back to IIS’s account: Exception of type 'System.Web.HttpUnhandledException' was thrown.. Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
When we bypass the ASP.NET impersonation account and use a domain account, the error changes to: Exception of type 'System.Web.HttpUnhandledException' was thrown.. Login failed for user '[REDACTED]WEB1$'
Thinking we might have an ajax issue, we turned off the RadAjaxManager. No effect.
I will spare you all the database access code because we have tested both impersonation paths in other parts of the application. (We need to support two paths because we do some database work in the application_start in the Global.asax file, so that work is done under one specific domain account and all other session (user) activity is done through the impersonation via asp.net.)
I am not sure this is specifically a Telerik Listview issue, but more of the ‘need datasource’ call.
Before I take the time to build another test project for tech support, I thought I would go to the forum to see if anyone has banged their head against this issue.
Why would the Telerik datasource calls use the IIS account and not honor the web config settings? Do I need to set up something up in IIS for the Telerik modules to use? Or what?
Thanks for your help!
Michael