3 Replies Latest reply on Jul 6, 2016 2:17 PM by BjörnHöper

    AF Delegation


      Hello everyone,

      we are currently working on a web forms based application consuming data from an AF Server. For configuration purposes we want to delegate the user account to the AF Server. The delegation fails with the error: Cannot connect to server <Server Name>. It may be that the impersonated client user account cannot be delegated to the remote AF Server.


      We already followed the steps explained in this document:

      KB00599 - Configuring Delegation for PI AF

      and everything seems to be configured correctly. The IIS from which the application is served is running under a dedicated account. All user accounts are not marked as sensitive and allow delegation. All the needed SPNs seem to exist and the servers are allowed for general delegation at the moment to test the Setup. The Delegation for the Computer running the AF Server is disabled at the Moment but the Service account running the AFServer Service is allowed to delegate.



      We created a small test application that just performs impersonation and tries to connect to the Server using this code:



      protected void Page_Load(object sender, EventArgs e)
       WindowsIdentity currentUserId = User.Identity as WindowsIdentity;           
       using (var ctx = currentUserId.Impersonate())
        PISystem myPISystem = new PISystems().DefaultPISystem;
        Log.DebugFormat("Started impersonation. User name is {0}. User Authentication state is {1}",
         currentUserId.Name, currentUserId.IsAuthenticated);                  try
         Log.DebugFormat("Connected to server");
         Log.DebugFormat("Pi User is: {0}", myPISystem.CurrentUserName);
        catch (Exception ex)
         Log.ErrorFormat("Error occured while connecting. Exception was: {0}", ex);


      The application fails with an Exception. Does anyone have any idea what could potentially be the Problem?

        • Re: AF Delegation

          Hello Bjoern,


          Similar has been challenging me in the past and I found that for a web application some additional settings that need to be taken care for.

          1. The web.config file must contain the following:


              <identity impersonate="true" />

              <authentication mode="Windows" />


          2. For your web site, you need to explicitly set the Authentication (IIS Manager -> Sites -> <YourSite> -> Authentication)

          For NTLM, you need to enable Basic Authentication (HTTP 401 Challenge)

          For Kerberos Delegation, enable Windows Authentication (HTTP 401 Challenge)


          Not sure if this is a requirement but I was using ApplicationPoolIdentity under IIS Manager -> Application Pools -> <MyApplicationPool> -> Advanced Settings -> Identity

            • Re: AF Delegation

              Hi Gregor,

              thanks for the fast reply and all the Details.


              Our Application has the requirement to grant different Access Levels. Every user that can reach the IIS Server should be able to view the visualized data and only users of a certain authorization Level (member of specific AD Groups) shall be able to modify the configuration. Thus I have a global Web.Config and a configuration file specific for a locked Folder in the application. In this setting  I already had the Windows Authentication Attribute set in my top-Level Web.Config file. I added the impersonation element in the Folder containing pages for which the authentication should be performed but it does not Change anything.


              Also I looked at the Authentication section you mentioned Windows-Authentication, as we want to use Kerberos, is enabled. I also activated ASP.NET Impersonation but it also did not Change anything.


              We already tried to use the Application Pool Identity which also had no effect. We would also like to keep the site running as a specific user from the Domain to be able to have tight control over Access restrictions.


              Best Regards,


            • Re: AF Delegation
              Marcos Vainer Loeff

              Hello Bjoern,


              I am not very familiar with ASP.NET WebForms. I am not sure if this would work the same way it does with ASP.NET MVC.


              My recommendation is to download the sample from the ASP.NET MVC 5 with PI AF SDK: Part 2 - Security blog post and make sure if it works properly. If it does, it means that Kerberos and your SPNs are well configured. Then, you can start thinking about your code.


              One thing I've realized is different is the way the impersonation is callled. On the blog post above,  impersonationContext = ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();  is called. I am not sure if this is the problem but this is something you should take a look at.


              Hope this helps!