De-impersonate to connect to SQL as Machine Account

Discussion in 'ASP .Net' started by Oleg Ogurok, May 30, 2006.

  1. Oleg Ogurok

    Oleg Ogurok Guest

    Hi there,

    My ASP.NET application has impersonation turned on in web.config as
    follows:

    <identity impersonate="true" />

    However, now I need to connect to a SQL database. Rather than allowing
    every single AD user access to the database, I'd like to connect to SQL
    server as the computer account, e.g. MYWEBSERVER$. This should simplify
    SQL security management, but most importantly, enable SQL connection
    pooling.

    If I turn impersonation off for the entire application (in web.config)
    I get the desired result, i.e. the application runs as NETWORK SERVICE
    user (IIS AppPool user), and I am able to connect to SQL -- good.
    However this affects other parts of the application that require
    impersonation to be turned on.

    There doesn't seem to be a way to turn impersonation on or off per
    page.

    Is there a way to "temporarily" turn off impersonation? Or any other
    way to connect to SQL and pass NETWORK SERVICE as the credentials?

    Thanks,
    -Oleg.
    Oleg Ogurok, May 30, 2006
    #1

  2. See RevertToSelf in the Windows API. Because ADO.NET pooling is lazy about
    connecting, you will have to surround all SQL statements with RevertToSelf
    and restore impersonation statements.


    -- bruce (sqlwork.com)



    "Oleg Ogurok" <> wrote in message
    news:...
    > Hi there,
    >
    > My ASP.NET application has impersonation turned on in web.config as
    > follows:
    >
    > <identity impersonate="true" />
    >
    > However, now I need to connect to a SQL database. Rather than allowing
    > every single AD user access to the database, I'd like to connect to SQL
    > server as the computer account, e.g. MYWEBSERVER$. This should simplify
    > SQL security management, but most importantly, enable SQL connection
    > pooling.
    >
    > If I turn impersonation off for the entire application (in web.config)
    > I get the desired result, i.e. the application runs as NETWORK SERVICE
    > user (IIS AppPool user), and I am able to connect to SQL -- good.
    > However this affects other parts of the application that require
    > impersonation to be turned on.
    >
    > There doesn't seem to be a way to turn impersonation on or off per
    > page.
    >
    > Is there a way to "temporarily" turn off impersonation? Or any other
    > way to connect to SQL and pass NETWORK SERVICE as the credentials?
    >
    > Thanks,
    > -Oleg.
    >
    bruce barker (sqlwork.com), May 30, 2006
    #2
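
The approach from reply #2, as an added example that is not part of the original thread: in .NET Framework, `WindowsIdentity.Impersonate(IntPtr.Zero)` is equivalent to calling the Win32 `RevertToSelf` function, and `Undo()` on the returned context restores the impersonated caller. The class name, method name and connection string are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;

public static class ProcessIdentitySql
{
    // Hypothetical connection string: server and database names are placeholders.
    // Integrated Security means the identity on the thread at Open() is what
    // SQL Server sees, and it is also what the connection pool is keyed on.
    private const string ConnStr =
        "Data Source=SQLSERVER01;Initial Catalog=AppDb;Integrated Security=SSPI";

    public static DataTable Query(string sql, params SqlParameter[] parameters)
    {
        // Drop the impersonation token from this thread so it runs as the
        // worker process identity (NETWORK SERVICE, seen remotely as MACHINE$).
        WindowsImpersonationContext reverted =
            WindowsIdentity.Impersonate(IntPtr.Zero);
        try
        {
            using (SqlConnection conn = new SqlConnection(ConnStr))
            using (SqlCommand cmd = new SqlCommand(sql, conn))
            {
                cmd.Parameters.AddRange(parameters);
                conn.Open();

                // Read everything inside the reverted block: a reader handed
                // back to the caller would be consumed under the impersonated
                // identity, after Undo() has already run.
                DataTable table = new DataTable();
                using (SqlDataReader reader = cmd.ExecuteReader())
                {
                    table.Load(reader);
                }
                return table;
            }
        }
        finally
        {
            // Always restore the caller's identity, including on exceptions,
            // so the rest of the request keeps running impersonated.
            reverted.Undo();
        }
    }
}
```

While reverted, the code runs with the application pool account's rights and SQL Server no longer sees the individual caller, so keep the reverted block this narrow and enforce per-user authorization in the application. Pass user input only through `SqlParameter` values, never by concatenating it into `sql`.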