As per the title.
As far as I can read here, ASP.NET Core supports impersonation using WindowsIdentity.RunImpersonated or RunImpersonatedAsync in order to switch the security context to that of the passed WindowsIdentity access token.
In .NET Framework, ASP.NET distinguished clearly (and needed to be configured differently) between impersonation and delegation:
- Impersonation happens when a user connects to a web app or API and the web app or API performs an action in the security context of the connecting user ON THE SAME SERVER
- Delegation instead happens when a user connects to a web app or API and the web app or API performs an action in the security context of the connecting user ON A DIFFERENT SERVER
The app on which I am trying to implement delegation is a Blazor Server web app using WindowsIdentity as the authentication method, and it is made up of:
- Blazor Server Web App: I get the connecting user from AuthenticationStateProvider.GetAuthenticationStateAsync, cast it to WindowsIdentity and impersonate it using WindowsIdentity.RunImpersonatedAsync when calling our custom REST APIs.
- ASP.NET Core Web API (deployed on the same server as the Blazor Server Web App): using HttpContextAccessor I can see that the user passed is the one connected to the Blazor Server Web App; again here I impersonate it using WindowsIdentity.RunImpersonatedAsync when calling Azure DevOps REST services on premises (on a different server), but unluckily the call fails with 401 Forbidden :-(
Does anyone have an idea why, and could at least give me a hint on what to analyze in order to troubleshoot the issue? I gave a quick look at Event Viewer but I was unable to find anything related 🙁
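The following is an added diagnostic example, not code from the original post. It shows the check a practitioner would put in the Web API hop before impersonating the caller: log the token's ImpersonationLevel and AuthenticationType, because a token at TokenImpersonationLevel.Impersonation can only be used on the local machine, while a call to a different server (the second hop) needs TokenImpersonationLevel.Delegation. The class name, method names and the Azure DevOps URL are assumptions for illustration; the WindowsIdentity, HttpClientHandler and RunImpersonatedAsync calls are real .NET APIs.

```csharp
using System;
using System.Net.Http;
using System.Security.Principal;
using System.Threading.Tasks;

// Hypothetical helper (added example) for the Web API hop of the setup
// described above: Blazor Server -> Web API (same box) -> Azure DevOps (other box).
public static class DelegationProbe
{
    // Summarises what the caller's token actually allows. Log this line on
    // every request before impersonating; it is the first thing to compare
    // against the 401 you see from the remote server.
    public static string Describe(WindowsIdentity identity)
    {
        return $"User={identity.Name}; " +
               $"AuthType={identity.AuthenticationType}; " +
               $"ImpersonationLevel={identity.ImpersonationLevel}";
    }

    // True only when the token can be forwarded to another server.
    // Impersonation-level tokens (the usual NTLM or non-delegating Kerberos
    // result) authenticate locally but fail on the next hop.
    public static bool CanReachRemoteServer(WindowsIdentity identity)
    {
        return identity.ImpersonationLevel == TokenImpersonationLevel.Delegation;
    }

    // Second hop under the caller's token. 'url' is a placeholder for the
    // on-premises Azure DevOps endpoint (assumption, not from the post).
    public static async Task<int> CallRemoteAsync(WindowsIdentity identity, string url)
    {
        if (!CanReachRemoteServer(identity))
        {
            throw new InvalidOperationException(
                $"Token level is {identity.ImpersonationLevel}; a remote call needs Delegation. " +
                "Check that the client authenticated with Kerberos (AuthType=Kerberos, not NTLM), " +
                "that the app pool account has an SPN and is trusted for delegation to the " +
                "target service, and that the HttpClient sends default credentials.");
        }

        using var handler = new HttpClientHandler { UseDefaultCredentials = true };
        using var client = new HttpClient(handler);

        // RunImpersonatedAsync switches the security context for the duration
        // of the delegate; HttpClient then negotiates with the caller's identity.
        return await WindowsIdentity.RunImpersonatedAsync(identity.AccessToken, async () =>
        {
            using var response = await client.GetAsync(url);
            return (int)response.StatusCode;
        });
    }

    // Stand-alone run on Windows: prints the current process token's level,
    // which for an interactive logon is normally Impersonation, not Delegation.
    public static void Main()
    {
        using var me = WindowsIdentity.GetCurrent();
        Console.WriteLine(Describe(me));
        Console.WriteLine($"Can delegate to another server: {CanReachRemoteServer(me)}");
    }
}
```

If the logged line shows AuthType=NTLM or ImpersonationLevel=Impersonation at the Web API, the second hop cannot succeed regardless of RunImpersonatedAsync; that points at Kerberos/SPN/delegation configuration on the domain side rather than at the application code.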