I have the following architecture:
Client1(Browser-App) -> Server1 (WebAPI/IIS) -> Server2 (WebAPI/IIS)
I am using ASP.NET for my server / API server applications, and the user must authenticate through "built-in authentication".
As you can see, there is a second hop from Server1 to Server2. NTLM does not support the second hop if both WebAPIs are not on the same server. Therefore, I configured the AD domain to support Kerberos.
Now the second hop works. My test WebAPI outputs the user ID as follows:
server1: test.domain/user1
server2: test.domain/user1
But if I change the logged-in user on Client1 and execute the same request as "otherUser2", only the first hop gets the correct identity:
server1: test.domain/otherUser2
server2: test.domain/user1
ASP.NET WebAPI code:
using System.Net;
using System.Security.Principal;
using System.Web;

// Take the caller's Windows identity from the request and impersonate it
// so that the outgoing call to Server2 is made as that user (second hop).
WindowsIdentity identity = (WindowsIdentity)HttpContext.Current.User.Identity;
using (WindowsImpersonationContext wic = identity.Impersonate())
{
    try
    {
        WebClient c = new WebClient
        {
            UseDefaultCredentials = true // send the impersonated user's credentials, not the app pool's
        };
        // the request to Server2 is issued here (the snippet ends at this point in the post)
    }
    finally
    {
        wic.Undo(); // revert to the process identity; disposing the context does the same
    }
}
- WebClient from .NET.
- IIS: "Windows authentication" enabled, "NTLM".
- Server1: domain controller, DNS, DHCP (+ IIS)
- Server2: IIS.
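An added diagnostic for the second hop, not the poster's code: before forwarding the call, it checks that the caller's token is a Kerberos token at Delegation level (an NTLM or Impersonation-level token cannot be passed to Server2), and it keys the outgoing HTTP connection on the caller so that a pooled connection already authenticated as a different user is not reused. The Server2 URL is a placeholder supplied by the caller.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Principal;
using System.Web;

public static class SecondHop
{
    // Returns a reason why the token cannot be delegated, or null if delegation is possible.
    public static string CheckDelegatable(WindowsIdentity identity)
    {
        if (identity == null || !identity.IsAuthenticated)
            return "caller is not authenticated";
        // NTLM tokens never cross to a second machine; this is the double-hop limit.
        if (!string.Equals(identity.AuthenticationType, "Kerberos", StringComparison.OrdinalIgnoreCase))
            return "token is " + identity.AuthenticationType + ", not Kerberos";
        // Kerberos alone is not enough: the service account / SPN must be trusted for delegation,
        // otherwise IIS only receives an Impersonation-level token.
        if (identity.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            return "token level is " + identity.ImpersonationLevel + ", Delegation is required";
        return null;
    }

    public static string CallServer2(string server2Url)
    {
        var identity = (WindowsIdentity)HttpContext.Current.User.Identity;
        string problem = CheckDelegatable(identity);
        if (problem != null)
            throw new InvalidOperationException("cannot delegate to Server2: " + problem);

        using (identity.Impersonate())
        {
            var request = (HttpWebRequest)WebRequest.Create(server2Url);
            request.UseDefaultCredentials = true; // authenticate as the impersonated caller
            // One connection group per caller (keyed by SID): an authenticated keep-alive
            // connection opened for one user is then never handed to a request for another.
            request.ConnectionGroupName = identity.User.Value;
            request.UnsafeAuthenticatedConnectionSharing = false;
            using (var response = (HttpWebResponse)request.GetResponse())
            using (var reader = new StreamReader(response.GetResponseStream()))
                return reader.ReadToEnd();
        }
    }
}
```

Logging the value returned by CheckDelegatable on Server1 for each caller shows whether the problem is the token itself (wrong type or level) or only the outgoing connection.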