
Impersonation only works when a user is specified

I am having an issue accessing a webservice with impersonate without a specified user.

Works: <identity impersonate="true" userName="DOMAIN\\USERNAME" password="MyPassword" />

Doesn't work:

<identity impersonate="true" /> 

While debugging I used the code below to verify that the correct Domain and Username were being used; they are.

System.Security.Principal.WindowsIdentity.GetCurrent().Name;

Here is more of my web.config

<authentication mode="Windows" />
<identity impersonate="true" /> 
<authorization>
  <allow users="*" />
  <deny users="?"/>
</authorization>

I am logging into the prompt, image below.

Any ideas why it will only work when I specify a user in the web.config? I am logging in with the same Domain\\Username and password that I put into the <identity impersonate="true" userName="DOMAIN\\USERNAME" password="MyPassword" />. I've tried with multiple accounts and they all work when I put their credentials in the web.config, but none work with identity set as <identity impersonate="true" /> and logging in.

EDIT: The remote server returned an error: (403) Forbidden.

EDIT 2: Everything works fine while debugging and while hitting the service on the server that contains the IIS it is hosted on. I've tried with multiple accounts and they all work. Everything is on the same domain.

Note the following text from https://support.microsoft.com/en-us/kb/306158

Impersonate a Specific User for All the Requests of an ASP.NET Application

To impersonate a specific user for all the requests on all pages of an ASP.NET application, you can specify the userName and password attributes in the <identity> tag of the Web.config file for that application. For example:

Note: The identity of the process that impersonates a specific user on a thread must have the "Act as part of the operating system" privilege. By default, the Aspnet_wp.exe process runs under a computer account named ASPNET. However, this account does not have the required privileges to impersonate a specific user. You receive an error message if you try to impersonate a specific user. This information applies only to the .NET Framework 1.0. This privilege is not required for the .NET Framework 1.1.

To work around this problem, use one of the following methods:

- Grant the "Act as part of the operating system" privilege to the ASPNET account (the least privileged account). Note: Although you can use this method to work around the problem, Microsoft does not recommend this method.
- Change the account that the Aspnet_wp.exe process runs under to the System account in the <processModel> configuration section of the Machine.config file.

You could set up the Aspnet_wp.exe process to run as the user you are trying to impersonate to get the desired privileges.

This has also been discussed before: How do you do Impersonation in .NET?

It could be the NTLM double-hop authentication issue. In short, ensure that Kerberos SPNs are properly set so it is used instead of NTLM. This MSDN blog post has a great explanation.

http://blogs.msdn.com/b/besidethepoint/archive/2010/05/09/double-hop-authentication-why-ntlm-fails-and-kerberos-works.aspx

Alternatively, basic or forms authentication will also achieve what you're looking to accomplish. This is because the application will have the user's credentials and, if properly configured, can use them to access back end resources.

You may also want to look into Kerberos delegation. It's a way to restrict that second hop to just one resource via its SPN.
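A diagnostic that makes the double-hop distinction from the answer above visible in the running application. It is an added example, not code from the question or either answer, and it assumes it is called inside an ASP.NET request with <identity impersonate="true" /> (the class and method names are hypothetical).

```csharp
using System;
using System.Security.Principal;

// Added diagnostic (hypothetical helper, not from the original post): reports
// whether the impersonated request token can be forwarded to a back-end service.
public static class DoubleHopCheck
{
    public sealed class Result
    {
        public string Name;
        public string AuthenticationType;      // e.g. "NTLM", "Kerberos", "Negotiate"
        public TokenImpersonationLevel Level;  // Identification / Impersonation / Delegation
        public bool CanHop;
        public string Reason;
    }

    public static Result Inspect(WindowsIdentity id)
    {
        var r = new Result
        {
            Name = id.Name,
            AuthenticationType = id.AuthenticationType,
            Level = id.ImpersonationLevel
        };

        // An NTLM logon yields an impersonation-level token: it proves who the
        // caller is on this server, but it carries no credentials that can be
        // presented to the next server, so the second hop is rejected.
        if (string.Equals(r.AuthenticationType, "NTLM", StringComparison.OrdinalIgnoreCase))
        {
            r.CanHop = false;
            r.Reason = "Token came from NTLM; the server cannot forward the user's credentials.";
            return r;
        }

        // Even with Kerberos, the token must be at Delegation level, which requires
        // the application pool account (or its SPN) to be trusted for delegation.
        if (r.Level != TokenImpersonationLevel.Delegation)
        {
            r.CanHop = false;
            r.Reason = "Token level is " + r.Level + ", not Delegation; check SPNs and delegation settings.";
            return r;
        }

        r.CanHop = true;
        r.Reason = "Kerberos token at Delegation level; the second hop should succeed.";
        return r;
    }

    // Call from a page or handler: DoubleHopCheck.Inspect(WindowsIdentity.GetCurrent())
}
```

When the fixed userName/password form works but the bare form does not, Inspect typically reports "NTLM" or an Impersonation-level token for the bare form, which is exactly the condition the blog post describes.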
