IIS, Windows Authentication and the Double Hop issue

In IIS, you run into an interesting situation when your site needs to reach a resource on another server and a fairly common combination of settings is in place. When Integrated Windows Authentication is used, anonymous access is disabled, and impersonation is turned on, a security measure kicks in and doesn't allow your site to access resources on any other network server. This includes accessing a UNC path directly from IIS, or connecting to SQL Server using Windows authentication.

The reason is the 'double hop' that authentication would have to make. When you authenticate to the IIS server using Integrated Authentication, that uses up your first 'hop'. When IIS then tries to access a network resource as you, that would be the second (double) hop, which is not allowed. IIS cannot pass your credentials on to the next server; if it could, the developer or administrator could abuse your credentials and use them in ways that the site visitor didn't anticipate.

This doesn't occur with anonymous access, or with impersonation off, because in those cases IIS takes care of authenticating you and then uses a different account for local or network access. That means the app pool identity or the anonymous user makes the network call, and for that account it is only the first hop.
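To see which of the two cases above a given request falls into, it helps to look at the token the worker thread is actually running under. The following ASP.NET handler is an added diagnostic example, not code from the original post; it assumes a System.Web site on IIS with Windows authentication configured, and the handler name and the wording of the verdicts are my own. It prints the request identity, the thread identity, and the token's impersonation level; an impersonation-level token is usable on the IIS box only, which is exactly the double-hop case, while a primary (app pool) token or a delegation-level token can make the network call.

```csharp
// Added diagnostic example (not from the original post). Register it as an .ashx
// handler in an IIS site to see which Windows identity a request runs as and
// whether that token can be used for a second hop to another server.
// Assumptions: ASP.NET (System.Web) on IIS, Windows authentication enabled.
using System;
using System.Security.Principal;
using System.Web;

public class HopDiagnosticHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Identity the worker thread is executing as right now. With impersonation on,
        // this is the authenticated visitor; with it off, the app pool identity.
        WindowsIdentity threadIdentity = WindowsIdentity.GetCurrent();

        // Identity IIS authenticated the request as (unauthenticated when anonymous auth is on).
        IIdentity requestIdentity = context.User == null ? null : context.User.Identity;
        string requestUser = (requestIdentity != null && requestIdentity.IsAuthenticated)
            ? requestIdentity.Name + " (" + requestIdentity.AuthenticationType + ")"
            : "anonymous";

        context.Response.ContentType = "text/plain";
        context.Response.Write("Request user: " + requestUser + "\r\n");
        context.Response.Write("Thread user:  " + threadIdentity.Name + "\r\n");
        context.Response.Write("Token level:  " + threadIdentity.ImpersonationLevel + "\r\n");
        context.Response.Write("Verdict:      " + Verdict(threadIdentity.ImpersonationLevel) + "\r\n");
    }

    // The token level decides the double-hop question:
    //  None           - primary token (app pool identity): a network call is that account's first hop.
    //  Delegation     - the visitor's token carries a forwardable Kerberos ticket; the second hop works.
    //  Impersonation  - the visitor's token is valid on this machine only; a UNC or SQL Server call
    //                   cannot carry the visitor's credentials and fails (the double hop).
    //  Anything else  - the token can only be inspected, not used for access.
    public static string Verdict(TokenImpersonationLevel level)
    {
        switch (level)
        {
            case TokenImpersonationLevel.None:
                return "primary token: network calls go out as the app pool identity (first hop)";
            case TokenImpersonationLevel.Delegation:
                return "delegation-level token: network calls go out as the visitor (second hop allowed)";
            case TokenImpersonationLevel.Impersonation:
                return "impersonation-level token: network calls cannot carry the visitor's credentials (double hop)";
            default:
                return level + ": token cannot be used for network access";
        }
    }
}
```

Compare the output with impersonation on and off: with it off the thread user is the app pool account and the level is None, which is the "first hop" case the post describes; with it on and Integrated Authentication in use, the thread user is the visitor and the level is Impersonation unless delegation has been set up.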

Anyway, I didn't mean to write even that much, since the following links answer this already. I wanted to blog this as a reference point for anyone running into this authentication issue, and so that I have a reference to it myself.

http://blogs.technet.com/b/askds/archive/2008/06/13/understanding-kerberos-double-hop.aspx
http://blogs.technet.com/b/taraj/archive/2009/01/29/checklist-for-double-hop-issues-iis-and-sql-server.aspx


7 Comments

  • Hi, I posted another question about the default SMTP virtual server properties.

    Under the IP address/Advanced button.

    Is there any bearing if I assign an IP address, but the same port number will be used?

    And in addition to that, may I know what "enable logging" is used for, aside from logs?

  • Manchester,

    This doesn't pertain to the post but I'll see if I can help. In the Advanced Delivery window, you can set the fully-qualified domain name which tells your SMTP server what it will announce itself as. You should have that match your forward and reverse DNS record. The Smart host field can be used to allow another server to do the sending of the email rather than sending it directly from this server.

    As for enable logging, it does just as promised. It enables the logging of the email transaction to disk. When it's not enabled, nothing is logged to disk.

  • Hi Akela,

    You're right, that link doesn't seem to have anything to do with it anymore. I updated the blog post and replaced it with a couple other solid links on the subject.

  • Hello Scott,
    I have two web APIs hosted on different machines which are Windows authentication enabled, impersonation = true. When I am calling the other web API using the code below I am getting 401.1 and 401.2 errors.
    // using System.IO; using System.Net; using System.Text;
    HttpWebRequest request = (HttpWebRequest)WebRequest.Create(uri);
    request.Method = "POST";
    request.ProtocolVersion = HttpVersion.Version11;
    request.Accept = "application/json";
    request.ContentType = "application/json";
    // Send the identity the calling thread runs as (the app pool account, or the impersonated visitor).
    request.Credentials = CredentialCache.DefaultCredentials;
    // Encode first and write the byte count: data.Length is the character count and differs from the byte count for non-ASCII input.
    byte[] body = Encoding.UTF8.GetBytes(data);
    request.ContentLength = body.Length;
    using (Stream requestStream = request.GetRequestStream())
    {
        requestStream.Write(body, 0, body.Length);
    }
    WebResponse response = request.GetResponse();

    It seems DefaultCredentials is not being passed... Can you help here?

  • Hi Ram,

    A 401.1 error could be from the user not having access to log on locally, and a 401.2 can occur when no authentication methods are enabled (there are other causes too, but those are some common examples). Is there any chance that it's related to the Windows user itself? You can test by explicitly passing in your Windows user in your code call and see if it still fails. If it does, then it's not an issue with the code, but it's something with the user.

  • I'm struggling to find a solution on using SSPI for my classic asp applications. We have internal sites and I want to do away with userid/pass in my connection strings. Any advice?

    Thanks for the article.

  • Is the issue the double hop, or just which user is used? You may need to turn on impersonation or set your anonymous user to use the app pool identity (IIS7+). What issues specifically are you running into so far?
