question

Jet-5068 asked Bruce-SqlWork edited

.NET 6 Blazor server on Windows domain - Kerberos delegation and impersonation

Hi all,

I'm trying to solve a problem which appears to be simple in theory but somewhat hard in reality. After reading a lot of posts online I feel the need to ask for help here.

What I'm trying to do is this (all via Kerberos / Windows auth)

Client user (Windows, Domain A, has domain SPN) -> Blazor Server on Server 1 (Windows Server, Domain A, IIS 10, SPN TrustedForDelegation) -> Service API (Windows Server, Domain A, has domain SPN)

The trick is that I want the Blazor server app to call the "Service API" as the "Client user" (impersonation). This is working as expected when debugging using IIS Express on my laptop, however, when I deploy the build to the production server it does not work. The server hosting the Blazor Server app is trusted for delegation and I see no Kerberos errors on the network traffic.

I believe that I have tried every single permutation of IIS settings and ways to impersonate without any luck. My "Blazor server" gets a 401 back from the Service API. I can see that Authentication and AD authorization on the Blazor server is working as expected.

Is there an official way of configuring impersonation in .NET 6 with IIS 10 in a Blazor Server app using Kerberos as the authentication protocol?

Thank you for the help.

windows-serverwindows-server-iisdotnet-aspnet-core-blazor

The official Windows authentication documentation covers this topic.

Impersonation

Is this what you tried?

0 Votes 0 ·

Exactly, this leads to the expected TGS-REQ against AD with an additional ticket (I assume that this is the TGT from the Client). However, I see that AD returns a KRB error: KRB5KDC_ERR_BADOPTION.

I can see that the SPN making the TGS-REQ is <domain>\<hostname of Blazor server>$. Perhaps my issue is that the default host user (which supposedly runs the IIS process as the app pool identity) is not trusted for delegation.

0 Votes 0 ·

It all works locally because the domain account is yourself, and because the browser and the web server are on the same box, no delegation is required (because the web server gets a primary token).

To work on an IIS server, the server must be configured for Kerberos delegation. Also the app pool account needs the impersonation permission.

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication

0 Votes 0 ·
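The double hop described in the question (browser -> Blazor Server on IIS -> Service API, with the second hop made as the caller) is what the snippet below wires up. It is an added example for this thread, not code from the asker or from Microsoft's documentation; the Service API URL, the `/downstream` route and the `ImpersonatedApiClient` class are placeholders. The useful defensive detail it adds is the pre-flight check on `WindowsIdentity.ImpersonationLevel`: if IIS handed the app an impersonation-level token instead of a delegation-level one, the Kerberos ticket cannot be forwarded and the downstream call will fail with the 401 the asker sees, regardless of how the HttpClient is configured.

```csharp
// Program.cs for an ASP.NET Core 6 / Blazor Server app hosted in-process under IIS
// with Windows Authentication enabled (anonymous disabled) in IIS.
using System.Net;
using System.Security.Principal;
using Microsoft.AspNetCore.Server.IISIntegration;

var builder = WebApplication.CreateBuilder(args);

// Under IIS the Negotiate/Kerberos handshake is done by IIS itself; ASP.NET Core
// only needs to know that the IIS scheme is the authentication scheme.
builder.Services.AddAuthentication(IISDefaults.AuthenticationScheme);
builder.Services.AddAuthorization();
builder.Services.AddRazorPages();
builder.Services.AddServerSideBlazor();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Blazor circuits run outside an HTTP request, so HttpContext (and with it the
// Windows access token) is only reliably available in a normal endpoint. The
// impersonated call is therefore exposed as a small endpoint the UI can call.
// Route name is a placeholder for this example.
app.MapGet("/downstream", async (HttpContext ctx) =>
{
    if (ctx.User.Identity is not WindowsIdentity caller || !caller.IsAuthenticated)
        return Results.Unauthorized();

    var (outcome, body) = await ImpersonatedApiClient.CallAsUserAsync(caller);
    return Results.Ok(new { outcome, body });
}).RequireAuthorization();

app.MapBlazorHub();
app.MapFallbackToPage("/_Host");
app.Run();

// Hypothetical helper (not part of the original post): performs the second hop
// as the signed-in user instead of as the app pool identity.
public static class ImpersonatedApiClient
{
    // Placeholder; the real Service API address is not given in the thread.
    private const string ServiceApiUrl = "https://service-api.example.internal/api/data";

    public static async Task<(string Outcome, string? Body)> CallAsUserAsync(WindowsIdentity caller)
    {
        // A token that is only at Impersonation level is valid on this machine but
        // cannot be used to obtain a service ticket for another host. Seeing this
        // branch in the logs points at delegation configuration (TrustedForDelegation
        // or constrained delegation on the identity that actually runs the app pool,
        // e.g. the machine account HOST$ when the pool runs as ApplicationPoolIdentity),
        // not at the HttpClient code.
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
        {
            return ($"token for {caller.Name} is at level {caller.ImpersonationLevel}, " +
                    "not Delegation; Kerberos ticket cannot be forwarded to the Service API", null);
        }

        string? body = null;

        // Everything inside the callback runs under the caller's token, so
        // DefaultCredentials negotiates Kerberos with the caller's forwarded ticket
        // rather than with the app pool account.
        await WindowsIdentity.RunImpersonatedAsync(caller.AccessToken, async () =>
        {
            var handler = new SocketsHttpHandler
            {
                Credentials = CredentialCache.DefaultCredentials,
                PreAuthenticate = true,
            };
            using var http = new HttpClient(handler);
            using var response = await http.GetAsync(ServiceApiUrl);
            response.EnsureSuccessStatusCode(); // a 401 here is the symptom from the question
            body = await response.Content.ReadAsStringAsync();
        });

        return ("ok", body);
    }
}
```

The URL used for `ServiceApiUrl` must match an SPN registered for the Service API's service account (an `HTTP/<hostname>` SPN), otherwise the client falls back to NTLM, which cannot be delegated at all. Checking `ImpersonationLevel` before making the call turns a vague downstream 401 into a precise statement about which hop's delegation setting is missing.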

1 Answer

LimitlessTechnology-2700 answered

Hi there,

The KRB error KRB5KDC_ERR_BADOPTION occurs when the BIG-IP APM system is unable to obtain a Kerberos service ticket on behalf of the user and Kerberos SSO fails for the user.

When these messages occur, consider the following:

- In the Active Directory delegation account (Account Properties > Delegation), add the requested service to the "Services to which this account can present delegated credentials" box.
- When using a non-Windows Kerberos KDC environment, ensure that the KDC can support the same options as Active Directory.

The thread below discusses the same issue and you can get some insights from it:
Kerberos error when using a DNS name that doesn't match the Active Directory domain name: https://social.technet.microsoft.com/Forums/windowsserver/en-US/736b4f5e-536f-455d-bf73-3c4d147de4b6/kerberos-error-when-using-a-dns-name-that-doesnt-match-the-active-directory-domain-name?forum=winservergen

--If the reply is helpful, please Upvote and Accept it as an answer--
