Impersonation: IIS and SQL on separate boxes


Jay Pondy

Oct 16, 2001, 6:20:34 PM10/16/01

We have 2 development machines running Windows 2000
Professional - one with IIS 5 and the other with SQL
Server 2000. We are attempting to access SQL Server from
a client machine via IIS.

We have an application where we need to use Integrated
Windows Authentication on the IIS Server. (We want to be
able to use NT group memberships to custom configure the
Web User Interface.)

Anonymous access is NOT enabled on the Virtual Directory.

We also need the user's identity to pass through IIS to SQL
Server using the following connection string: "Data
Source=RemoteHost; Integrated Security=SSPI; Initial
Catalog=DBName". (We need to control access to SQL
objects for this and other applications not running under
IIS.)

We have the Web.Config file set up for Windows
Authentication and impersonation as follows:

<configuration>
  <system.web>
    <!-- authentication and identity both belong inside system.web;
         ASP.NET rejects an authentication element placed directly under configuration -->
    <authentication mode="Windows" />
    <identity impersonate="true" />
  </system.web>
</configuration>


When we attempt to open the database we get the following
error message:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.


Anybody know where we might be going wrong and/or is this
possible?


Peter Wu

Oct 17, 2001, 2:09:44 AM10/17/01
Hello Jay,

Hope the following information may be of some help.

When you want to impersonate a thread with a user in ASP.NET, you can do that in
any of the following ways based on your requirement.

- Impersonate the IIS Authenticating user

- Impersonate a Specific user for all the requests on all the pages of an
ASP.NET application

- Impersonate the Authenticating user wherever required within the code

- Impersonate a Specific user wherever required within the code

Impersonate the IIS Authenticating User
---------------------------------------

To Impersonate the IIS Authenticating user on every request for every page in an
ASP.NET application, you need to have an identity tag in the web.config file of
this application and set its impersonate attribute to True.

<identity impersonate="True" />

Impersonate a Specific user for all the requests on all the pages of an ASP.NET
application
-------------------------------------------------------------------------------

To impersonate a specific user for all the requests on all the pages of an
ASP.NET application, you can specify that userName and password in the identity
tag of the web.config file for that application as shown below.

<identity impersonate="True" userName="accountname" password="password" />

Impersonate the Authenticating user wherever required within the code
---------------------------------------------------------------------

When you want to Impersonate the IIS authenticating user only during execution of
a piece of code, you can use the following code to perform that.
VB

Dim impCtx As System.Security.Principal.WindowsImpersonationContext
' Impersonate the IIS-authenticated user from User.Identity, not WindowsIdentity.GetCurrent(),
' which is the ASP.NET worker account when impersonation is off in web.config.
impCtx = CType(System.Web.HttpContext.Current.User.Identity, _
               System.Security.Principal.WindowsIdentity).Impersonate()
Try
    ' Your code that runs under the security context of the IIS authenticating user goes here.
Finally
    ' Always revert, even if the code above throws.
    impCtx.Undo()
End Try

C#

System.Security.Principal.WindowsImpersonationContext impCtx;
// Impersonate the IIS-authenticated user from User.Identity, not WindowsIdentity.GetCurrent(),
// which is the ASP.NET worker account when impersonation is off in web.config.
impCtx = ((System.Security.Principal.WindowsIdentity)
          System.Web.HttpContext.Current.User.Identity).Impersonate();
try {
    // Your code that runs under the security context of the IIS authenticating user goes here.
} finally {
    // Always revert, even if the code above throws.
    impCtx.Undo();
}

Impersonate a Specific user wherever required within the code
-------------------------------------------------------------

When you want to impersonate a specific user only during the execution of a certain
piece of code, you can use the following mechanism to do that.

VB

Declare Auto Function LogonUser Lib "advapi32.dll" ( _
    ByVal lpszUsername As String, ByVal lpszDomain As String, ByVal lpszPassword As String, _
    ByVal dwLogonType As Integer, ByVal dwLogonProvider As Integer, ByRef phToken As IntPtr) As Integer
Declare Auto Function ImpersonateLoggedOnUser Lib "advapi32.dll" (ByVal hToken As IntPtr) As Integer
Declare Auto Function RevertToSelf Lib "advapi32.dll" () As Integer
Declare Auto Function CloseHandle Lib "kernel32.dll" (ByVal hObject As IntPtr) As Integer

' Usage: wrap the work in Try/Finally so the thread is always reverted.
If impersonateValidUser("accountname", "Domainname", "password") Then
    Try
        ' Your code that runs under the security context of a specific user goes here.
    Finally
        undoImpersonation()
    End Try
Else
    ' Your impersonation failed, so have a failsafe mechanism here.
End If

Function impersonateValidUser(ByVal username As String, ByVal domain As String, _
                              ByVal password As String) As Boolean
    Const LOGON32_LOGON_INTERACTIVE As Integer = 2  ' Interactive
    Const LOGON32_PROVIDER_DEFAULT As Integer = 0   ' Default provider
    Dim tk As IntPtr = IntPtr.Zero

    impersonateValidUser = False
    ' LogonUser returns non-zero on success and fills tk with a primary token.
    If LogonUser(username, domain, password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, tk) <> 0 Then
        If ImpersonateLoggedOnUser(tk) <> 0 Then
            impersonateValidUser = True
        End If
        ' The thread now holds its own copy of the token; release the original handle.
        CloseHandle(tk)
    End If
End Function

Sub undoImpersonation()
    RevertToSelf()
End Sub

C#

using System;
using System.Runtime.InteropServices;

// P/Invoke declarations, grouped under the NativeMethods name the code refers to.
internal class NativeMethods
{
    [DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
    public static extern int LogonUser(String lpszUserName,
                                       String lpszDomain,
                                       String lpszPassword,
                                       int dwLogonType,
                                       int dwLogonProvider,
                                       ref IntPtr phToken);

    [DllImport("advapi32.dll", SetLastError=true)]
    public static extern int RevertToSelf();

    [DllImport("advapi32.dll", SetLastError=true)]
    public static extern int ImpersonateLoggedOnUser(IntPtr hToken);

    [DllImport("kernel32.dll", SetLastError=true)]
    public static extern int CloseHandle(IntPtr hObject);
}

public class SpecificUserImpersonation
{
    public const int LOGON32_LOGON_INTERACTIVE = 2;  // Interactive
    public const int LOGON32_PROVIDER_DEFAULT = 0;   // Default provider

    // Usage: wrap the work in try/finally so the thread is always reverted.
    public void DoWorkAsSpecificUser()
    {
        if (impersonateValidUser("accountname", "Domainname", "password"))
        {
            try
            {
                // Your code that runs under the security context of a specific user goes here.
            }
            finally
            {
                undoImpersonation();
            }
        }
        else
        {
            // Your impersonation failed, so have a failsafe mechanism here.
        }
    }

    public bool impersonateValidUser(String name, String domain, String passwd)
    {
        IntPtr tok = IntPtr.Zero;
        bool ok = false;

        // LogonUser returns non-zero on success and fills tok with a primary token.
        int result = NativeMethods.LogonUser(name, domain, passwd,
                                             LOGON32_LOGON_INTERACTIVE,
                                             LOGON32_PROVIDER_DEFAULT,
                                             ref tok);
        if (result != 0)
        {
            ok = NativeMethods.ImpersonateLoggedOnUser(tok) != 0;
            // The thread now holds its own copy of the token; release the original handle.
            NativeMethods.CloseHandle(tok);
        }
        return ok;
    }

    public void undoImpersonation()
    {
        NativeMethods.RevertToSelf();
    }
}


Thanks,

Peter Wu
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights. You assume
all risk for your use. © 2001 Microsoft Corporation. All rights reserved.
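Added example (editor's code, not from the thread or from Microsoft): a small diagnostic for the asker's setup that reports the identity on the ASP.NET worker thread before and during impersonation, and the login the remote SQL Server actually receives. The class, method names and connection string are illustrative; `RemoteHost` and `DBName` are the placeholders from the original post. As a general point not stated in the thread: when IIS authenticates the browser with NTLM, the resulting impersonation token carries no credentials that can be presented to a second machine, so the remote SQL Server sees an unauthenticated connection and reports it as 'NT AUTHORITY\ANONYMOUS LOGON'. Carrying the caller's identity across that second hop needs Kerberos with the IIS machine account trusted for delegation; the userName/password form of the identity element avoids the hop but sends one fixed account to SQL Server rather than the caller.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

// Illustrative class; the connection string is the one from the post, with no
// credentials, so whatever Windows identity is on the calling thread is what
// SQL Server sees.
public class ImpersonationProbe
{
    private const string ConnectionString =
        "Data Source=RemoteHost; Integrated Security=SSPI; Initial Catalog=DBName";

    // Returns (a) the thread identity before impersonation, (b) the identity
    // while impersonating the IIS-authenticated caller, and (c) the login
    // SQL Server reports for the connection opened under that token.
    public static string Probe(HttpContext context)
    {
        string before = WindowsIdentity.GetCurrent().Name;

        WindowsIdentity caller = context.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
        {
            return "No Windows-authenticated caller; check IIS authentication settings (anonymous access must be off).";
        }

        WindowsImpersonationContext impCtx = caller.Impersonate();
        try
        {
            string during = WindowsIdentity.GetCurrent().Name;
            string sqlSees = QuerySqlLogin();
            return string.Format("thread identity: {0}; impersonating: {1}; SQL Server login: {2}",
                                 before, during, sqlSees);
        }
        finally
        {
            // Always revert, even if the connection throws, so the worker
            // thread does not keep running as the caller.
            impCtx.Undo();
        }
    }

    // Opens the connection under the current thread token and asks SQL Server
    // who it thinks we are. SUSER_SNAME() is the login name of the session.
    private static string QuerySqlLogin()
    {
        try
        {
            using (SqlConnection conn = new SqlConnection(ConnectionString))
            using (SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
            {
                conn.Open();
                return (string)cmd.ExecuteScalar();
            }
        }
        catch (SqlException ex)
        {
            // "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" here means the
            // impersonation token could not authenticate to the remote SQL box.
            return "login failed: " + ex.Message;
        }
    }
}
```

Call Probe from a page in a virtual directory that requires Integrated Windows Authentication with anonymous access off. If the third field shows DOMAIN\user, the identity survived the hop. If the second field shows the caller's name but the third is a 'login failed ... ANONYMOUS LOGON' message, impersonation inside IIS is working and the failure is in the network hop to SQL Server.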
--------------------
From: "Jay Pondy" <jpo...@AugustaNewsprint.com>
Subject: Impersonation: IIS and SQL on separate boxes
Date: Tue, 16 Oct 2001 15:20:34 -0700
Newsgroups: microsoft.public.dotnet.framework.adonet
