We have two intranet applications both hosted on the same domain, both hosted on IIS, both using Windows Authentication but hosted on DIFFERENT windows 2008 servers.
My goal is to have ASP.net web application A call the service B. I also want A to pass the logged-in user's authentication information to B.
One thing, I want to avoid Kerberos delegation, because of the hassle of setting it up and also the security concerns.
Can you please recommend me ways to achieve my goal?
I'm not sure how you think you can securely authenticate B from A without doing delegation.
If you're not concerned about doing this securely you can just pass the username in the request and impersonate on the far side.
Alternatively you can stuff the authenticated information into a token (JWT, SAML, etc.), sign it with a shared secret, and include it with the request. Then server B can validate it using the shared secret and impersonate as necessary. This does mean you need to make sure both servers know the secret, and figure out how to generate the token.
Delegation is the smart way to go here though. You don't have to figure out impersonation or build out a way to mint and validate tokens. It's primarily configuration driven.
