
AF Delegation

Question asked by BjörnHöper on Jul 6, 2016
Latest reply on Jul 6, 2016 by BjörnHöper

Hello everyone,

We are currently working on a web forms based application consuming data from an AF Server. For configuration purposes we want to delegate the user account to the AF Server. The delegation fails with the error: "Cannot connect to server <Server Name>. It may be that the impersonated client user account cannot be delegated to the remote AF Server."

We already followed the steps explained in this document:

KB00599 - Configuring Delegation for PI AF

and everything seems to be configured correctly. The IIS from which the application is served is running under a dedicated account. All user accounts are not marked as sensitive and allow delegation. All the needed SPNs seem to exist and the servers are allowed for general delegation at the moment to test the setup. The delegation for the computer running the AF Server is disabled at the moment, but the service account running the AFServer service is allowed to delegate.

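We created a small test application that just performs impersonation and tries to connect to the server using this code:

    // Requires: System, System.Security.Principal, OSIsoft.AF
    protected void Page_Load(object sender, EventArgs e)
    {
        // Null when the request was not authenticated with Windows authentication
        WindowsIdentity currentUserId = User.Identity as WindowsIdentity;
        if (currentUserId == null)
        {
            Log.ErrorFormat("Request has no WindowsIdentity; cannot impersonate");
            return;
        }

        // Everything inside this block runs as the calling user
        using (var ctx = currentUserId.Impersonate())
        {
            PISystem myPISystem = new PISystems().DefaultPISystem;
            Log.DebugFormat("Started impersonation. User name is {0}. User Authentication state is {1}",
                currentUserId.Name, currentUserId.IsAuthenticated);
            try
            {
                // Second hop: IIS server -> AF Server with the user's credentials
                myPISystem.Connect();
                Log.DebugFormat("Connected to server");
                Log.DebugFormat("Pi User is: {0}", myPISystem.CurrentUserName);
            }
            catch (Exception ex)
            {
                Log.ErrorFormat("Error occurred while connecting. Exception was: {0}", ex);
            }
        }
    }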

The application fails with an exception. Does anyone have any idea what could potentially be the problem?
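
A diagnostic that fits the test page above, as an added example that is not part of the original post and not OSIsoft code: before attempting the AF connection, it reports how the caller authenticated and what impersonation level the token carries, which separates "the inbound token cannot leave this machine" from "the problem is on the AF Server side". The class and method names (`DelegationDiagnostics`, `Assess`) are hypothetical; only standard `System.Security.Principal` members are used.

```csharp
using System;
using System.Security.Principal;

// Hypothetical helper, added for illustration (not from the post or the AF SDK).
// Call it from Page_Load before Connect(), for example:
//   Log.Debug(DelegationDiagnostics.Assess(User.Identity as WindowsIdentity));
public static class DelegationDiagnostics
{
    public static string Assess(WindowsIdentity id)
    {
        if (id == null)
            return "No WindowsIdentity: Windows authentication is not active for this request.";
        if (id.IsAnonymous || !id.IsAuthenticated)
            return "Anonymous or unauthenticated token: there is no user identity to delegate.";

        // Typically "Kerberos", "NTLM" or "Negotiate" under IIS Windows authentication.
        string scheme = id.AuthenticationType ?? "(unknown)";
        TokenImpersonationLevel level = id.ImpersonationLevel;
        string summary = string.Format("user={0} scheme={1} level={2}", id.Name, scheme, level);

        // An NTLM-authenticated token cannot be forwarded to a second server.
        if (scheme.Equals("NTLM", StringComparison.OrdinalIgnoreCase))
            return summary + " -> NTLM logon; the browser-to-IIS hop did not use Kerberos.";

        switch (level)
        {
            case TokenImpersonationLevel.Delegation:
                // The token may be used against remote systems.
                return summary + " -> delegable token; check the target service's SPN and account next.";
            case TokenImpersonationLevel.Impersonation:
                // The token may be used on the local system only.
                return summary + " -> local-only token; the remote hop will not carry the user.";
            case TokenImpersonationLevel.None:
                // WindowsIdentity reports None for a primary (non-impersonation) token.
                return summary + " -> primary token; impersonation level does not apply.";
            default:
                // Anonymous or Identification: the server cannot act as the user.
                return summary + " -> level too low to act as the user.";
        }
    }
}
```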