29 August, 2008

delegation in a load balanced environment

last week i tried to get impersonation and delegation working for a couple of wcf services and a website. unfortunately, getting this to work took me a lot longer than it should have, so i thought i'd share some of the things i learned.

in iis 6.0 and earlier, you can only get delegation to work in a load balanced environment if you do the following:

  1. make your app run under a domain account
  2. set the proper SPNs (service principal names) on the account:
    HTTP/appserver domainName\accountName
    HTTP/appserver.fullyqualified.name domainName\accountName
  3. trust the account (and the machine) for delegation in AD
  4. run aspnet_regiis with the -ga flag and the domain qualified user name
  5. finally add your domain account to IIS_WPG

i'm sure most system engineers know this already, but as a developer, it's the first time i've come across this.
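the five steps above as one script, added here as an example and not part of the original post. it assumes made-up names (domain CONTOSO, app pool account CONTOSO\svc_web, farm name appserver / appserver.contoso.local, a back-end wcf SPN HTTP/wcf.contoso.local), the setspn.exe that ships with Windows Server 2008 or later (for -S and -X) and the ActiveDirectory PowerShell module, and it is run elevated on each web server in the farm.

```powershell
# Added example, not from the original post. All names below are assumptions.
$Domain      = 'CONTOSO'
$Account     = 'svc_web'                      # step 1: the domain account the app pool runs as
$FarmNames   = @('appserver', 'appserver.contoso.local')
$BackendSpns = @('HTTP/wcf.contoso.local')    # services the web app must delegate to (assumed)

# Step 2: register the HTTP SPNs for the shared farm name on the *account*, not on a
# machine. -S refuses to add an SPN that already exists on another principal; a duplicate
# SPN leaves the KDC unable to pick a key, so clients silently fall back to NTLM, which
# cannot be delegated. (Pre-2008 setspn only has -A, so check for duplicates by hand.)
foreach ($name in $FarmNames) {
    $spn = "HTTP/$name"
    $out = & setspn -S $spn "$Domain\$Account" 2>&1
    if ($out -match 'Duplicate SPN found') {
        Write-Warning "$spn is already registered on another principal; fix that first"
        & setspn -Q $spn | Write-Host          # shows which principal currently owns it
        return
    }
}

# Step 3: trust the account for delegation in AD. Constrained delegation (only to the
# listed back-end SPNs) is preferable to "trust for delegation to any service", which
# would let a compromised web server impersonate users against every service in the
# domain. The same -Add on Set-ADComputer covers the machine account if you also
# trust the machine, as the post does.
Import-Module ActiveDirectory
Set-ADUser -Identity $Account -Add @{ 'msDS-AllowedToDelegateTo' = $BackendSpns }

# Step 4: grant the account the ACLs ASP.NET 2.0 needs (metabase, temp directories).
& "$env:windir\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe" -ga "$Domain\$Account"

# Step 5: make the account a member of the IIS 6.0 worker-process group.
& net localgroup IIS_WPG "$Domain\$Account" /add

# Verification: the account should list exactly the two HTTP SPNs, and a forest-wide
# duplicate scan should come back clean. If users still authenticate with NTLM after
# this, a missing or duplicated SPN is the first thing to check.
& setspn -L "$Domain\$Account"
& setspn -X
```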

it's also worth mentioning that under iis 7.0 you do not need to do any of this: you can run your apps under NetworkService, and still have them load balanced.

what's funny is that after we finally figured out how to get delegation to work for our load balanced applications, we decided that it was way too much setup and we would move to iis 7.0.
in a way, a lot of the time i put into this was wasted, but i learned a ton about security and delegation/impersonation while doing the research to get this to work. i hope it'll save you some time. if it does, or if you have any other questions, please let me know.