I have an MVC3 web application which runs as a DOMAIN\USER1 account. This user has an SPN set in AD and is trusted for delegation.
I want this application to access the SharePoint server on behalf of the caller and upload the file for him/her. I use the following code:
```vb
' File-level imports needed by the snippet below
Imports System.Net
Imports System.Security.Principal

' The URL must be a quoted string; the original line had it unquoted
Dim request As HttpWebRequest = DirectCast(WebRequest.Create("http://sharepoint.domain.com"), HttpWebRequest)
request.Method = WebRequestMethods.Http.Head
request.PreAuthenticate = True
' S4U2Self logon: a token for the caller is obtained from the UPN alone, no password
Dim identity = New WindowsIdentity(callerName & "@domain.com")
Dim impContext = identity.Impersonate()
'###### At this point identity.ImpersonationLevel is `Impersonate` not `Delegate`
' Send the request with the security context of the thread, i.e. the impersonated caller
request.Credentials = CredentialCache.DefaultNetworkCredentials
'###### DefaultNetworkCredentials is empty (Username, domain and password are all empty strings)
Dim response As HttpWebResponse = Nothing
Try
    response = DirectCast(request.GetResponse(), HttpWebResponse)
    Return JsonSuccess()
Catch ex As WebException
    '###### I get 401 Unauthorized exception
    Return JsonError(ex.Message)
Finally
    ' Release the connection and always revert the impersonation
    If response IsNot Nothing Then response.Close()
    impContext.Undo()
End Try
```
My question is: should the impersonation level at this point be `Impersonate` or `Delegate` (SharePoint runs on a different machine than the IIS server)? In AD I also configured protocol transition for SharePoint and HTTP, so maybe `Impersonate` should change to `Delegate` after it makes the request? I have no idea; guidance will be appreciated.
Another question: shouldn't `CredentialCache.DefaultNetworkCredentials` contain at least the username of the impersonated user?
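The following PowerShell diagnostic is an added example, not code from the question above; it checks the three things the question depends on: the delegation settings of the service account, the impersonation level of the S4U2Self token the `WindowsIdentity(upn)` constructor returns, and the HEAD request under impersonation. It assumes the app pool identity has the sAMAccountName `USER1`, that the SharePoint site's SPN is `HTTP/sharepoint.domain.com`, and uses a constructed caller `alice@domain.com`; the ActiveDirectory module must be installed. To be meaningful, the S4U and request parts must be run as DOMAIN\USER1 on the IIS host, because the token level depends on the account doing the S4U2Self call.

```powershell
# Added diagnostic (not from the original question). Assumptions: the MVC app pool runs as
# DOMAIN\USER1, SharePoint answers at http://sharepoint.domain.com, and this script runs as
# DOMAIN\USER1 on the IIS host so the S4U result matches what the application sees.
param(
    [string]$ServiceAccount = 'USER1',                      # assumed sAMAccountName of the app pool identity
    [string]$TargetSpn      = 'HTTP/sharepoint.domain.com', # assumed SPN of the SharePoint site
    [string]$CallerUpn      = 'alice@domain.com',           # constructed test caller
    [string]$Url            = 'http://sharepoint.domain.com'
)

Import-Module ActiveDirectory

# 1. Delegation settings of the service account, read from the userAccountControl bits
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

$svc = Get-ADUser -Identity $ServiceAccount -Properties userAccountControl, 'msDS-AllowedToDelegateTo', servicePrincipalName
$uac = [int]$svc.userAccountControl
$allowedTo = @($svc.'msDS-AllowedToDelegateTo')

[pscustomobject]@{
    Account             = $svc.SamAccountName
    HasOwnSpn           = ($svc.servicePrincipalName.Count -gt 0)
    Unconstrained       = [bool]($uac -band $TRUSTED_FOR_DELEGATION)
    ProtocolTransition  = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
    AllowedToDelegateTo = ($allowedTo -join ', ')
    TargetSpnListed     = ($allowedTo -contains $TargetSpn)
} | Format-List

# The SharePoint SPN must be registered on exactly one account (the SharePoint app pool identity);
# a duplicate or missing SPN makes Kerberos fall back or fail, and the request ends in a 401.
$spnOwners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$TargetSpn)" -Properties servicePrincipalName)
"Accounts holding $TargetSpn : $($spnOwners.Name -join ', ') (expected exactly one)"

# 2. S4U2Self for the caller, using the same constructor as the MVC code. Without protocol
#    transition on the service account the token stays at Impersonation level and cannot be
#    used to authenticate to a remote host; Delegation level requires a forwardable ticket.
$identity = New-Object System.Security.Principal.WindowsIdentity($CallerUpn)
"S4U token for $($identity.Name): ImpersonationLevel = $($identity.ImpersonationLevel)"

# 3. HEAD request under impersonation. DefaultNetworkCredentials always reports empty
#    UserName/Password/Domain; it stands for 'the Windows token of the current thread'.
$ctx = $identity.Impersonate()
try {
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Method = 'HEAD'
    $req.PreAuthenticate = $true
    $req.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
    $resp = $req.GetResponse()
    "HEAD $Url -> $([int]$resp.StatusCode) as $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
    $resp.Close()
}
catch [System.Net.WebException] {
    $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 'no response' }
    "HEAD $Url failed: $status ($($_.Exception.Message))"
}
finally {
    $ctx.Undo()
}
```

Two points worth knowing when reading the output. The `TokenImpersonationLevel` enum values are `Impersonation` and `Delegation`; a token at `Impersonation` is good only for local access checks, so the outgoing Kerberos request to a second host cannot be made with it and the server answers 401. And `DefaultNetworkCredentials` is empty by design: its `UserName`, `Password` and `Domain` properties always return empty strings, because the object is a marker that tells the HTTP stack to authenticate with whatever token the calling thread holds, which is why the `Impersonate()` call has to wrap `GetResponse()`.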