tags:

views:

1398

answers:

2
Q: 

ASP.NET Impersonation and SQL Server Trusted Connection Calls

I am working on an ASP.NET page that we, in code impersonate the requesting user. We are using the following code to start impersonating.

Dim impersonationContext As System.Security.Principal.WindowsImpersonationContext
Dim currentWindowsIdentity As System.Security.Principal.WindowsIdentity
currentWindowsIdentity = CType(User.Identity, System.Security.Principal.WindowsIdentity)
impersonationContext = currentWindowsIdentity.Impersonate()

After this we have validated that the application is running under the proper context by calling:

System.Security.Principal.WindowsIdentity.GetCurrent().Name

This returns the proper identity of the user, and file access and other items appear to be using their account. However when using the Microsoft Application Data Application Block SqlHelper class to call out to a database using a trusted connection authentication fails for the "NT AUTHORITY\ANONYMOUS LOGON" user.

We can re-validate after the failure that the current identity is still our desired account and NOT the ANONYMOUS LOGIN account.

Does anyone have an idea why this is? Or more specifically how we can get around it?

Edit Some additional information about how the calls from these pages work.

We do the impersonate call from the .aspx page.

After we impersonate we call out to a "business logic" assembly that is referecned.

We know that the context identity is still correct here.

After that, the "business logic" assembly calls another assembly that actually executes the trusted connection call. We cannot modify this "data access" assembly, the authentication exception is reported by this assembly as well.

A: 

I know that I've used impersonation in ASP.NET before (using C# and accessing the filesystem) and I was wondering if you had tried wrapping the logic that includes currentWindowsIdentity.Impersonate() with a 'Using / End Using' (to explicitly define the security context for a block of code).

So, it would look like this:

Using impersonationContext = currentWindowsIdentity.Impersonate() 
' Logic here 
End Using
Dan Esparza  2008-12-19 22:30:43
no using statement, but it is inside of a try catch, and the finally statement has the call to undo
Mitchel Sellers  2008-12-19 22:40:13
+3  A: 

I think @John Sonmez is right, you're hitting the Double Hop issue. Impersonation is only half of the story, you also need to look at Delegation (assuming your network is using Kerberos authentication). The articles below were the most useful in helping me through the same issue

Impersonation and Delegation

ASP.NET Delegation

Paul Nearney  2008-12-19 22:49:28
That was the issue, then we found out that delegation cannot work in our environment.....oh well!
Mitchel Sellers  2008-12-23 19:52:31

related questions

What are the most important functional differences between C# and VB.NET?
Setting Group Type for new Active Directory Entry in VB.NET
ASP.Net Datagrid: in Footer calculate Avg or Sum for column
Opening a file in my application from File Explorer
HTML Email Editor in a Windows Forms Application
Datatables, Dataviews and distincts! (ASP.Net/VB)
Naming convention for VB.NET private fields
Visual Studio - new "default" property values for inherited controls
Change the width of a scrollbar
Is String.Format as efficient as StringBuilder
Default Form Button in FireFox
VB.NET - IsNothing versus Is Nothing
'Break' equivalent keyword for VB
What is the best way to wrap time around the work day?
Best SVN Client Ignore Pattern for VB.NET Solutions?
Long-time LAMP Developer moving to VB.NET
What's the best way to find long-running code in a Windows Forms Application
What is the best way to deploy a VB.NET application?
'Best' Diff Algorithm
Setting Objects to Null/Nothing after use in .NET
CSV File Imports in .Net
How do you migrate a large app from VB6 to VB .net ?
Floating Point Number parsing: Is there a Catch All algorithm?
Decoding T-SQL CAST in C#/VB.net
Reliable Timer in a Console Application