Windows 2008R2 (IIS 7.5) ASP.NET 4.0 Configuration For Impersonation
In my first attempt at building a custom web form for workflow tasks, I used the default settings in IIS 7.5 for a new website. In my web application, my C# calls to connect to the workflow server threw errors saying the IIS application pool account did not have rights to access the task I was trying to run. That makes sense: the calls needed to run under the logged-in user's account rather than under the application pool identity. It took a bit of guess-n-test, but I found a configuration that allows this kind of impersonation to happen, and thankfully in this case Kerberos is not required (single-hop impersonation works with NTLM).
The tricky part was enabling support for the .NET 4.0 framework on Windows Server 2008 R2. I still can't believe Microsoft disables their latest and greatest ASP.NET version on a Windows 2008 product -.- Anyway, here's what I did:
- Install the server features required for IIS integrated authentication and impersonation. From the Server Manager tool, confirm the following:
  - The "Web Server (IIS)" role is installed.
  - The "Windows Authentication" feature is installed, along with any other features required for your web application (ASP.NET, ISAPI Extensions/Filters, etc.).
- Enable the .NET 4.0 framework (this took me forever to figure out!):
  - Launch the "Internet Information Services (IIS) Manager" tool.
  - Click on the root IIS server in the "Connections" pane, then open the "ISAPI and CGI Restrictions" tool from the Features View pane.
  - Set both versions of "ASP.NET v4.0.xxxxx" to "Allowed".
- Disable Anonymous Authentication for the site, and enable Windows Authentication and Impersonation:
  - Launch the "Internet Information Services (IIS) Manager" tool.
  - Click on your website in the "Connections" pane, then open the "Authentication" tool from the Features View pane.
  - Disable "Anonymous Authentication". Enable both "Windows Authentication" and "ASP.NET Impersonation".
  - Click on "Windows Authentication", then click "Advanced Settings" and confirm that "Extended Protection" is turned off and that "Enable Kernel-mode authentication" is not checked.
- Modify the web application's web.config to support impersonation. Here is an example:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <!-- These two sections are locked at the server level (applicationHost.config)
           by default; IIS returns a 500.19 "cannot be used at this path" error
           unless they have been unlocked for the site. -->
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
  <system.web>
    <!-- Run request code under the authenticated Windows user, not the app pool identity -->
    <identity impersonate="true" />
  </system.web>
</configuration>
```
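The same steps can be scripted, which is handy when the configuration has to be reproduced on several servers or audited later. The following is an added PowerShell example, not code from the original post: it uses the WebAdministration module and appcmd.exe to apply the settings above (unlock the locked authentication sections, allow the ASP.NET 4.0 ISAPI entries, switch the site from anonymous to Windows authentication, turn off kernel-mode authentication and Extended Protection, enable impersonation) and then reads the effective configuration back. It assumes it is run in an elevated prompt on the IIS server and that `$SiteName` is the site being configured (the value below is a placeholder). Note that Extended Protection is IIS's channel-binding defence for NTLM; turning it off, as the post does, is a trade-off to be aware of rather than a free setting.

```powershell
# Added example (not from the original post): script the IIS 7.5 settings
# described above. Assumes an elevated session on the IIS server.
Import-Module WebAdministration

$SiteName = 'Default Web Site'   # assumption: replace with the site being configured
$AppCmd   = "$env:windir\system32\inetsrv\appcmd.exe"
$auth     = '/system.webServer/security/authentication'

# 1. Unlock the authentication sections so the site web.config may set them
#    (they are locked in applicationHost.config by default).
& $AppCmd unlock config "/section:$($auth.TrimStart('/'))/anonymousAuthentication"
& $AppCmd unlock config "/section:$($auth.TrimStart('/'))/windowsAuthentication"

# 2. ISAPI and CGI Restrictions: allow every ASP.NET 4.0 aspnet_isapi.dll entry
#    (both the Framework and Framework64 entries) without hard-coding the build number.
$entries = Get-WebConfiguration -PSPath 'IIS:\' -Filter '/system.webServer/security/isapiCgiRestriction/add'
foreach ($e in $entries) {
    if ($e.path -like '*\v4.0*\aspnet_isapi.dll') {
        Set-WebConfigurationProperty -PSPath 'IIS:\' `
            -Filter "/system.webServer/security/isapiCgiRestriction/add[@path='$($e.path)']" `
            -Name allowed -Value $true
    }
}

# 3. Site authentication: anonymous off, Windows on, kernel-mode off, Extended Protection off.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter "$auth/windowsAuthentication"   -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter "$auth/windowsAuthentication"   -Name useKernelMode -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter "$auth/windowsAuthentication/extendedProtection" -Name tokenChecking -Value 'None'

# 4. ASP.NET impersonation: writes <identity impersonate="true" /> into the site's web.config.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Filter '/system.web/identity' -Name impersonate -Value $true

# Helper: Get-WebConfigurationProperty returns a ConfigurationAttribute for simple
# attributes; unwrap its Value (or the raw value, if a plain value came back).
function Get-ConfigBool($attr) {
    if ($null -ne $attr -and $null -ne $attr.Value) { return [bool]$attr.Value }
    return [bool]$attr
}

# 5. Read the effective settings back; returns a list of problems (empty when all is well).
function Test-ImpersonationConfig {
    param([string]$Site)
    $problems = @()
    $anon = Get-ConfigBool (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site -Filter "$auth/anonymousAuthentication" -Name enabled)
    $win  = Get-ConfigBool (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site -Filter "$auth/windowsAuthentication"   -Name enabled)
    $kern = Get-ConfigBool (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site -Filter "$auth/windowsAuthentication"   -Name useKernelMode)
    $imp  = Get-ConfigBool (Get-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" -Filter '/system.web/identity' -Name impersonate)
    if ($anon)     { $problems += 'anonymousAuthentication is still enabled' }
    if (-not $win) { $problems += 'windowsAuthentication is not enabled' }
    if ($kern)     { $problems += 'kernel-mode authentication is still enabled' }
    if (-not $imp) { $problems += 'system.web/identity impersonate is not true' }
    return $problems
}

$result = Test-ImpersonationConfig -Site $SiteName
if ($result.Count -eq 0) { 'Impersonation configuration matches the expected settings.' } else { $result }
```

`Test-ImpersonationConfig` is the part worth keeping around: run it on its own after any IIS change (or from a scheduled check) to catch a site that has silently drifted back to anonymous access, which would make the workflow calls fail again under the application pool identity.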