Tags: asp.net, authentication, intranet

ASP.NET Intranet Config - Get Network User ID But Access Db And Folders As Different User


I have looked at numerous articles and tried a multitude of settings, but I can't seem to achieve what I'm looking for in my intranet site. Even if I don't get a solution, a definitive "you can't do that" will help me move forward. Here is what I'm trying to do:

  1. Web site recognizes the user's network login credentials - ONLY so I can get their user ID without a login
  2. The website uses some generic account (IUSR or something like that) to access a SQL Server that the same network users can NOT access EXCEPT through the website
  3. Users can upload files to a set of folders created on-the-fly by the website to contain their files for later reference by them
  4. The website can construct web pages on-the-fly with links to the users' files - and ONLY theirs - so they can open / download them through the web pages
  5. Users can NOT access the uploaded files through a network share on the web server
  6. All of the folder creation, file upload, and file serving occur under some generic account like IUSR

I currently have things configured to use Windows Authentication and I could probably live with that except I don't want to require a login to the site. Apparently, in order to make this happen, I need to have the server configured as a trusted delegate and IT is dragging their feet on doing that. Also, this config allows the users to access the SQL Server and folders/files through means other than the web site and I don't really want that. I only need to pick off their user ID so I can use it to get information about them out of Active Directory and keep track of their interactions with the web app.


Solution

  • Actually, the answer is not all that complex and it is a real mystery why it is so difficult to find a single source on the web to spell it out. Here is my IIS authentication for an intranet app that acts exactly how I want:

    • Enable ASP.NET Impersonation and edit to Authenticated User
    • Enable Windows Authentication
      • Advanced Settings->Extended Protection->Off
      • Advanced Settings->Enable Kernel-mode authentication->unchecked
      • Providers->Available Providers->Negotiate:Kerberos and move that to the top
    • Disable all other authentications
    • Most critical: Make the server a 'trusted delegate' in Active Directory

    That should do it.
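The same settings as a script, added here as an example (it is not part of the answer above): the IIS side uses appcmd.exe, the Active Directory side the ActiveDirectory module. Every name in it is a placeholder: `Default Web Site/Intranet` for the application path, `WEBSRV01` / `websrv01.corp.example` for the web server, `sql01.corp.example` for the SQL Server. Two practitioner notes on what these settings do: ASP.NET impersonation plus delegation means every SQL query and file access runs as the calling user, so SQL logins and NTFS ACLs are evaluated per user (this is the normal way to satisfy items 1, 3 and 4 of the question; for the generic-account behaviour of items 2 and 6 you would leave impersonation off and grant the application pool identity instead). And with kernel-mode authentication unchecked, the HTTP SPN and the delegation right must belong to whatever account the application pool runs as; the machine account shown below is the case the answer describes ("make the server a trusted delegate"), a custom domain account would need the same two steps applied to that user instead.

```powershell
# Added example, not code from the answer above. Run from an elevated prompt on the
# web server; the AD part needs an account allowed to edit the computer object.
# Placeholders: "Default Web Site/Intranet", WEBSRV01, websrv01.corp.example,
# sql01.corp.example.

$appcmd  = "$env:windir\system32\inetsrv\appcmd.exe"
$app     = "Default Web Site/Intranet"
$auth    = "system.webServer/security/authentication"
$winAuth = "$auth/windowsAuthentication"

# 1. ASP.NET Impersonation set to "Authenticated user": impersonate="true" with no
#    userName/password. This is a system.web setting, so it lands in the app's web.config.
& $appcmd set config $app -section:system.web/identity /impersonate:"True"

# 2. Windows Authentication on, Extended Protection off, kernel-mode authentication off.
#    /commit:apphost writes a <location> tag in applicationHost.config, which is what
#    IIS Manager does too (the section is locked against web.config by default).
& $appcmd set config $app -section:$winAuth /enabled:"True" /useKernelMode:"False" `
    /extendedProtection.tokenChecking:"None" /commit:apphost

# 3. Providers: drop the inherited list and re-add it with Negotiate:Kerberos first.
& $appcmd set config $app -section:$winAuth /-"providers.[value='Negotiate']" /commit:apphost
& $appcmd set config $app -section:$winAuth /-"providers.[value='NTLM']" /commit:apphost
& $appcmd set config $app -section:$winAuth /+"providers.[value='Negotiate:Kerberos']" /commit:apphost
& $appcmd set config $app -section:$winAuth /+"providers.[value='Negotiate']" /commit:apphost
& $appcmd set config $app -section:$winAuth /+"providers.[value='NTLM']" /commit:apphost

# 4. Disable every other authentication scheme for this application.
foreach ($scheme in "anonymousAuthentication", "basicAuthentication", "digestAuthentication") {
    & $appcmd set config $app -section:"$auth/$scheme" /enabled:"False" /commit:apphost
}

# 5. Active Directory: make the web server a trusted delegate so the user's Kerberos
#    ticket can be forwarded on the second hop (web server -> SQL Server / file server).
Import-Module ActiveDirectory

# Option A, what "Trust this computer for delegation to any service" in ADUC sets
# (unconstrained delegation, the form the answer describes):
Set-ADComputer -Identity WEBSRV01 -TrustedForDelegation $true

# Option B, preferable: constrained delegation to the SQL Server's SPN only, so a
# compromised web server cannot forward user tickets anywhere else. Use instead of
# option A (TrustedForDelegation stays $false) and match the SPN the SQL service
# account actually has registered.
# Set-ADComputer -Identity WEBSRV01 -Add @{ 'msDS-AllowedToDelegateTo' = 'MSSQLSvc/sql01.corp.example:1433' }

# Verify what was written.
Get-ADComputer WEBSRV01 -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo' |
    Select-Object Name, TrustedForDelegation, 'msDS-AllowedToDelegateTo'
```

To confirm the delegation works end to end, check `WindowsIdentity.GetCurrent().ImpersonationLevel` inside a request after the change: it should read `Delegation`. If it reads `Impersonation`, the browser authenticated with NTLM rather than Kerberos (usually a missing or duplicated HTTP SPN, or a site name that is not in the browser's intranet zone), and the hop to SQL Server will arrive as ANONYMOUS LOGON.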