Client Certificate Authentication and Kerberos Delegation

I am trying to enable a topology where:

Non domain-joined client (smartphone, non-Windows browser, etc.) authenticates via client cert to IIS 8
IIS 7.5 performs clientCertificateMappingAuthentication to match the certificate subject to an AD user
The user is then impersonated on an ASP.NET thread
The user's identity is delegated to a back end service - SQL, in this case.

I have 1-3 working. Requirement 4 escapes me (though it will work for HTTP basic authentication and Windows authentication).

I have enabled failed request tracing and don't see any IIS errors, the SQL connection just tries to open anonymously and fails. The same page request works (SQL request authenticates) if I just ignore client certs on the IIS site.

This is just a delegation issue. The app pool identity is mapped to an SPN and trusted for delegation (all protocols) to the service in question:

userPrincipalName: service-kerbtest@xyz.qa1
servicePrincipalName: http/kerbtest.xyz.qa1
msDS-AllowedToDelegateTo: MSSQLSvc/bcaps.dbs.xyz.qa1:1433

Here you can see some evidence the the client-IIS authentication is working.

WindowsIdentity (AppPool process: 2636):
WindowsIdentity (current thread): XYZQA1\Hugh.Kelley
AuthenticationType: Kerberos
IsAuthenticated: True

Connecting to:
Server=bcaps.dbs.xyz.qa1;Integrated Security=SSPI;Initial Catalog=master;

Error Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

Page User: XYZQA1\Hugh.Kelley
Page AuthenticationType: SSL/PCT

From web.config:

    <system.webServer>
        <security>
            <authentication>
                <windowsAuthentication enabled="true" />
            </authentication>
        </security>
    </system.webServer>

From applicationHost.config:

Latest Images

Trending Articles

Latest Images