Situation

I have a .NET Core CLI 2.2 or 3.0 preview5 client that sends a REST request to a server secured with Kerberos. The impersonation level should be "delegation", but only "impersonation" is achieved.

Problem

I cannot achieve delegation level with the .NET Core client from 2.1 and up. It works on 2.0.

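using System;
using System.Net.Http;
using System.Net.Http.Headers;

// Authenticate with the credentials of the current Windows user.
var handler = new HttpClientHandler();
handler.UseDefaultCredentials = true;

// baseUri is not shown in the question.
HttpClient httpClient = new HttpClient(handler) { BaseAddress = new Uri(baseUri) };
httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));

// GET the base address itself and read the body as a string.
var response = await httpClient.GetAsync("");

var json = await response.Content.ReadAsStringAsync();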

1 Answer

There are a handful of reasons this may fail.

First, calling RunImpersonated using the current user token is a bit redundant.

Second, this all depends on whether you've configured constrained delegation for the service accounts. The service account this app is running as needs delegation permissions to whatever service is running behind uri.

Third, Windows will not let you get network impersonation rights on a machine without the right privileges -- specifically SeImpersonatePrivilege. This is only granted to by SYSTEM. The usual solution is to run this as a Windows Service (or let IIS take care of it).

Steve
I removed the other calls. The core of the problem is that it works with 2.0, but not 2.1 and higher. So none of the stated reasons are the cause. – user3752647 May 21 '19 at 06:14
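
A diagnostic for the second and third points in the answer above (delegation settings on the service account, and SeImpersonatePrivilege in the current token), added here as an example that is not part of the original posts. The account name `svc-frontend` is a placeholder, and the script assumes the RSAT ActiveDirectory module is installed and that it is run on the machine hosting the calling app.

```powershell
param(
    [string]$ServiceAccount = 'svc-frontend',  # placeholder: account the calling app runs as
    [string]$CallingUser    = $env:USERNAME    # user whose identity should be delegated
)
Import-Module ActiveDirectory

# userAccountControl bits that govern Kerberos delegation
$UAC = @{
    TrustedForDelegation       = 0x80000    # unconstrained delegation
    NotDelegated               = 0x100000   # "Account is sensitive and cannot be delegated"
    TrustedToAuthForDelegation = 0x1000000  # protocol transition allowed
}

function Get-DelegationState {
    param([string]$SamAccountName)
    # Get-ADObject works for user, computer and managed service accounts alike
    $obj = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'" `
        -Properties userAccountControl, 'msDS-AllowedToDelegateTo', servicePrincipalName
    if (-not $obj) { throw "Account '$SamAccountName' not found in the directory" }
    $flags = [int]$obj.userAccountControl
    [pscustomobject]@{
        Account             = $SamAccountName
        Unconstrained       = ($flags -band $UAC.TrustedForDelegation) -ne 0
        ProtocolTransition  = ($flags -band $UAC.TrustedToAuthForDelegation) -ne 0
        CannotBeDelegated   = ($flags -band $UAC.NotDelegated) -ne 0
        AllowedToDelegateTo = @($obj.'msDS-AllowedToDelegateTo')  # constrained-delegation targets
        SPNs                = @($obj.servicePrincipalName)
    }
}

# 1. Service account: is any delegation configured, and to which SPNs?
$svc = Get-DelegationState $ServiceAccount
$svc | Format-List
if (-not $svc.Unconstrained -and $svc.AllowedToDelegateTo.Count -eq 0) {
    Write-Warning "$ServiceAccount has no delegation configured; the backend will see impersonation only."
}

# 2. Calling user: a "sensitive" account can never be delegated
$user = Get-DelegationState $CallingUser
if ($user.CannotBeDelegated) {
    Write-Warning "$CallingUser is marked 'sensitive and cannot be delegated'."
}

# 3. Current process token: is SeImpersonatePrivilege present and enabled?
$priv = whoami /priv | Select-String 'SeImpersonatePrivilege'
if ($priv) { $priv.Line.Trim() } else { Write-Warning 'SeImpersonatePrivilege is not held by this token.' }

# 4. Cached tickets: look for forwardable / ok_as_delegate in the ticket flags
klist | Select-String 'Server:|Ticket Flags'
```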