IIS, Windows Authentication and the Double Hop issue

In IIS, you run into an interesting situation when you need to access another resource off of the IIS server and certain fairly common situations occur.  When using Integrated Security, anonymous access is disabled, and impersonation is turned on, a security measure kicks in and doesn't allow your site to access resources on any network servers.  This includes access to a UNC path directly from IIS or SQL Server using Windows authentication.

The reason is because of a 'double hop' that authentication is doing.  When you authenticate to the IIS server using Integrated Authentication, that uses up your first 'hop'.  When IIS tries to access a network device, that would be the double or second hop which is not allowed.  IIS cannot in turn pass on those credentials to the next network device, otherwise the developer or administrator could abuse your credentials and use them in ways that the site visitor didn't anticipate.

This doesn't occur with anonymous access or with impersonation off because in that case IIS takes care of authenticating you and then it uses a different user for local or network access.  This means that the app pool identity or anonymous user can make a network call as the first hop.

Anyway, I didn't mean to even write that much since the following blog post answers this well already, and includes the three most common solutions.  I wanted to blog this as a reference point for anyone running into this authentication issue, and so that I have a reference to it myself.  I'll let Numos complete the story:



No Comments