tags:

views:

1641

answers:

3
+3  Q: 

SharePoint and <identity impersonate="false" />

I would like to use integrated authentication to access a SQL database from a web part. It should use the IIS Application pool identity.

By default you will get the error:

System.Data.SqlClient.SqlException: Login failed for user 'SERVER\IUSR_VIRTUALMACHINE'.

Because in web.config impersonation is set to true:

<identity impersonate="true" />

I can set this to false and the database code will work. Anonymously accessed sites will also work. Any SharePoint site that uses authentication will fail however so this is not really a solution..

To solve this would I have to encapsulate all my database access code to run with elevated priviliges, is that how SharePoint does it internally? Somehow that doesn't seem like the most performant solution. Is that still the way to go, just use SQL security to access databases from SharePoint custom web parts?

A: 

This is incorrect. Because <identity impersonate="true" /> is set to true ASP.NET / IIS will run the thread as the user that is currently logged in (so not the app pool account but the actual user logged into the website).

Something else is going on here. Could you post your connection string for the custom database? (minus the private data off course)

Colin  2009-06-30 05:59:44
Nothing special really.. connectionString="Data Source=sqlserver;Initial Catalog=Logging;Trusted_Connection=True" The difference is the site is under anonymous auth.. so there is no actual user logged into the website.
ArjanP  2009-06-30 09:02:06
+3  A: 

Use SPSecurity.RunWithElevatedPrivileges to run your code in the context of the app pool identity.

Lars Fastrup  2009-06-30 07:19:25
Lars, How do you feel about Daniel Larson's assertion that RunWithElevatedPriveges should be avoided when possible? He suggests using SPUserToken impersonation instead and gives an example here: http://daniellarson.spaces.live.com/blog/cns!D3543C5837291E93!1919.entry?sa=636841091-Tom
Tom Resing  2010-01-18 22:05:16
+4  A: 

The <identity /> and <authentication /> elements in the web.config file will together determine the account that is used in to connect to SQL Server when using integrated authentication.

When <authentication mode="Windows" /> is configured, you're deferring to IIS to authenticate users. I'm guessing that your your web.config contains:

<authentication mode="Windows" />
<identity impersonate="true" />

and that IIS is configured to allow anonymous users. Setting <identity impersonate="true" /> causes IIS to pass the identity of the IIS anonymous access account to SQL Server.

As Lars point out, using SPSecurity.RunWithElevatedPrivileges will achieve what you want. I don't believe you'll see any noticeable impact on performance but that's something you can test :-)

dariom  2009-06-30 07:30:07
That database access is pretty pervasive throughout the site so I'd like to make an informed choice.. is SQL auth faster or slower than adding impersonation? I'll have to think about a test :-\
ArjanP  2009-06-30 09:00:17
I really don't think it makes a difference (but that's still best tested in your environment). There's likely some negligible performance hit with impersonation and context switching, but I doubt it's noticeable. The pooling of SQL connections will be the same whether using SQL authentication or integrated security and a single impersonated identity (this isn't true if impersonating a bunch of different users). For the sake of security, I think integrated security is the best approach.
dariom  2009-06-30 09:42:05

related questions

Upgrading Sharepoint 3.0 to SQL 2005 Backend?
Webpart registration error in event log
Sharepoint COMException 0x81020037
Transactional Design Pattern
Deploying InfoPath forms to different SharePoint servers
Profiling/Optimizing (Sharepoint 2007) Web Parts
Retreiving the PC Name of a Client? (Windows Auth)
What's the best way to report errors from a SharePoint workflow?
How to get out parameters working in SharePoint workflows
Editing User Profile w/ Forms Authentication
WSS/MOSS Book
Creating a development environment for SharePoint.
Sharepoint Wikis
Have you used a wiki in your project or group?
Can I copy files to a Network Place from a script or the command line?
How do you deploy your SharePoint solutions?
SharePoint WSS 3.0 Integration with Mac OSX (either Safari or Firefox)
SharePoint - Connection String dialog box during FeatureActivated event
How can I improve the edit-compile-test loop when developing a SharePoint workflow?
Best ajax library for Sharepoint
Alternative Hostname for an IIS web site for internal access only
How to reference to multiple version assembly
MOSS SSP problem - Failed database logons from deleted SSP
Sharepoint: executing stsadm from a timer job + SHAREPOINT\System rights
Can ASP.NET AJAX partial rendering work inside a SharePoint 2007 application page?