We have an IIS 7.5 with the following site structure:

WebApp (ASP.NET Forms) = Web Site (http://WebApp)
   WebAPI (MVC 4 Web API) = Folder converted to Application (http://WebApp/webapi)

Both are running under the same ApplicationPool.

Both have the same Authentication settings:
– ASP.NET impersonation (authenticated user)
– Windows Authentication (providers: negotiate)

Both web.configs define:

<authentication mode="Windows" />  
<identity impersonate="true" /> 

The WebApp calls a WebService from the WebAPI by using HttpClient:

HttpClient _httpClient = new HttpClient(new HttpClientHandler() { UseDefaultCredentials = true });
_httpClient.BaseAddress = new Uri("http://WebApp/webapi/");
_httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
HttpResponseMessage _response = _httpClient.GetAsync("api/Entity/Get").Result;

and the WebAPI connects to a DB by using MS Enterprise Library.

When I run this localy everything works fine, when I deploy this on the IIS 7.5 server and start remote debugging, my HttpContext Current user in the Web API is the Application Pool Identity instead of the user that is logged on to the Web Application. I ofcourse want it to be the user logged on to the WebApp because I want to use security based on AD account (groups).

Can anyone, please, offer some advice to get this working. Thanks in advance.