views:

214

answers:

2

Is there a difference with impersonation between an ASP.Net MVC controller actions vs. an ASP.Net Web Form? Using the exact same code within the same web project, I am able to successfully impersonate the Windows user when connecting to SQL Server from a Web Form but not from the Controller Action. Here is the code sample I am testing from each:

string sqlQuery = @"SELECT Top 10 FullName FROM Customer";

// Connect to the database server. You must use Windows Authentication;
SqlConnection connection = new SqlConnection("Data Source=ServerName;Initial Catalog=DBName;Integrated Security=SSPI");
// Create a DataTable to store the results of the query.
DataTable table = new DataTable();

// Create and configure the SQL Data Adapter that will fill the DataTable.
SqlDataAdapter adapter = new SqlDataAdapter();
adapter.SelectCommand = new SqlCommand(sqlQuery, connection);

// Execute the query by filling the DataTable.
adapter.Fill(table);

I have checked the HttpContext user on both the controller and the web form and they look identical. However, when running a SQL trace the controller action is always running as Network Service, while the web form is running as the user. Any clarification on why these two are behaving different and how to impersonate within the controller action would be appreciated.

+1  A: 

This may help:

http://stackoverflow.com/questions/1405612/impersonation-in-asp-net-mvc

I should also mention that impersonation can have a negative effect on your ability to scale your app:

http://www.hanselman.com/blog/AvoidUsingImpersonationInASPNET.aspx

Nissan Fan
Agreed, I can't really see a reason to use user impersonation unless you simply don't have access to change db permissions.
Jess
+1  A: 

try to add

 <identity impersonate="true">

to

<system.web>

part of your web.config file for mvc app

Alexander Taran