Delegation of Windows Credentials in ASP.NET: HttpClient or WebClient?

I worked with a customer today to fix a delegation issue in an ASP.NET application: the credentials of the browser user were not being delegated when the application called a backend WebApi resource. A necessary prerequisite for delegation is that the Windows authentication of the client (the browser in this case) happens using Kerberos.

We made sure:

- Windows Authentication is enabled on the ASP.NET application


- It has the Negotiate provider (required for Kerberos)


- Impersonation is enabled on the ASP.NET application


- Server-side authentication uses a custom domain identity, by setting useAppPoolCredentials="true"

- The custom domain identity under which the ASP.NET application runs has delegation enabled in AD


(Delegation must be enabled on the AD object that is used for server-side authentication. That is either the server host name or the custom identity, depending on the useAppPoolCredentials setting. Point 3 in my post here can help in understanding this; that post is about WCF delegation, but the same principle holds for ASP.NET applications as well.)

Once everything that delegation requires in theory had been verified as above, we browsed to the web application again and, sadly, delegation still failed. We captured the value of `System.Security.Principal.WindowsIdentity.GetCurrent().Name` in the ASP.NET application to make sure that impersonation had succeeded, and indeed it returned the identity of the account under which the browser was running. So impersonation was working; why then was the application not able to delegate that identity further?

It was time to look at the part of the ASP.NET application code that calls into the backend WebApi. The application used an HttpClient object to fetch JSON over HTTP from the WebApi. Before going deep into debugging these calls and figuring out what was going on with the security contexts, I did one last web search for "HttpClient delegation" and found this discussion on StackOverflow: https://stackoverflow.com/questions/12212116/how-to-get-httpclient-to-pass-credentials-along-with-the-request

Apparently, HttpClient by design is not able to delegate client credentials further downstream by default. There may be a way to achieve this with some advanced tweaking, but not to my knowledge. If you are happy to move to WebClient as described in the post above, delegation of the client credentials should most likely succeed.
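As an added example (not code from the original post or the customer's application), here is the diagnostic I would put in the ASP.NET action before the backend call. It records what the impersonated token actually is (its authentication type and impersonation level, which must be Kerberos and Delegation for the second hop to work) and then makes the WebApi call with WebClient and UseDefaultCredentials, the approach the StackOverflow discussion recommends. The backend URL is a placeholder assumption.

```csharp
using System;
using System.Net;
using System.Security.Principal;

public static class DelegationCheck
{
    // Summarises the token the current request is running under. Under ASP.NET
    // impersonation this should be the browser user, authenticated with
    // Kerberos (not NTLM) and at Delegation level, not merely Impersonation.
    public static string DescribeCallerToken()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        return string.Format("Name={0}; AuthType={1}; Level={2}",
            id.Name, id.AuthenticationType, id.ImpersonationLevel);
    }

    // True only when the token can be forwarded to a backend service.
    // An NTLM-authenticated or Impersonation-level token passes the local
    // WindowsIdentity.GetCurrent().Name check but cannot be delegated.
    public static bool CanDelegate()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        return string.Equals(id.AuthenticationType, "Kerberos",
                             StringComparison.OrdinalIgnoreCase)
            && id.ImpersonationLevel == TokenImpersonationLevel.Delegation;
    }

    // Calls the backend WebApi as the impersonated caller. UseDefaultCredentials
    // makes WebClient authenticate with the current thread identity, which under
    // impersonation is the browser user. The URL below is a placeholder.
    public static string GetFromBackend(
        string url = "https://backend.example.local/api/values")
    {
        if (!CanDelegate())
        {
            // Fail early with the token details instead of a bare 401 from the backend.
            throw new InvalidOperationException(
                "Token cannot be delegated: " + DescribeCallerToken());
        }

        using (var client = new WebClient())
        {
            client.UseDefaultCredentials = true;
            client.Headers[HttpRequestHeader.Accept] = "application/json";
            return client.DownloadString(url);
        }
    }
}
```

When the check fails, the AuthType and Level values in the exception message point directly at which prerequisite from the list above is missing.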