Delegation / Impersonation problem

Discussion in 'ASP .Net Security' started by matt, Oct 30, 2006.

  1. matt

    matt Guest

    I have started to put together an ASP.NET 2.0 application which
    connects to a SQL server using the logged on identity.

    I have read the articles on how to configure the connection string,
    web config and active directory servers.

    It all seems to work fine from most machines on our network. However I
    have found that the connection will fail with a 'Login failed for user
    'NT AUTHORITY\ANONYMOUS LOGON' error if the client machine is 'trusted
    for delegation' from within active directory.

    I have been testing the following small bit of code which runs as an app
    on one of the internal webservers:-

    ' Requires: Imports System.Data.SqlClient
    Dim impersonationContext As System.Security.Principal.WindowsImpersonationContext
    Dim currentWindowsIdentity As System.Security.Principal.WindowsIdentity

    ' Impersonate the Windows identity authenticated for this request
    currentWindowsIdentity = CType(User.Identity, System.Security.Principal.WindowsIdentity)
    impersonationContext = currentWindowsIdentity.Impersonate()

    Response.Write("anon=" & currentWindowsIdentity.IsAnonymous.ToString & "<BR>")
    Response.Write("level=" & currentWindowsIdentity.ImpersonationLevel.ToString & "<BR>")

    Try
        ' Integrated Security=SSPI: connect to SQL Server as the impersonated caller
        Dim connection As New SqlConnection
        connection.ConnectionString = "packet size=4096;data source=mydbserver;persist security info=True;initial catalog=northwind;Integrated Security=SSPI"

        connection.Open()

        Response.Write("connection made ok " & Date.Now.ToShortDateString & " " & Date.Now.TimeOfDay.ToString)

        connection.Close()
    Catch ex As Exception
        Response.Write(ex.Message)
    Finally
        ' Revert the thread to the worker process identity
        impersonationContext.Undo()
    End Try

    If I view the page from a number of clients (XP workstations) on the
    network I get the following:

    anon=False
    level=Delegation
    connection made ok 30/10/2006 09:34:57.6818835

    which is fine, all seems ok.

    If I access the same page from the webserver itself the impersonation
    level changes but the connection still works:

    anon=False
    level=Impersonation
    connection made ok 30/10/2006 09:58:39.1254460

    However, if I access the page from another server which is set as
    'trusted for delegation' the connection fails:

    anon=False
    level=Impersonation
    Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

    Is there any reason why this would occur? It seems an application
    cannot use delegation in this way if the client accessing it may be
    another server which is 'trusted for delegation', such as another
    webserver on the network or a domain controller for example.

    Any help would be much appreciated,

    Matt.
     
    matt, Oct 30, 2006
    #1
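A fuller version of the test page in the post, added here as an example and not part of the original post: for each request it also records the client address, the authentication type reported for the caller, and the login and authentication scheme SQL Server reports for the session, so the three cases above can be compared side by side. The handler name `DelegationProbe` is hypothetical; `mydbserver` and `northwind` are taken from the post; it assumes SQL Server 2005 or later and a caller allowed to read `sys.dm_exec_connections` (VIEW SERVER STATE), otherwise the query error is reported instead.

```vb
' Added diagnostic example (not the poster's code). DelegationProbe is a hypothetical name.
Imports System.Data.SqlClient
Imports System.Security.Principal
Imports System.Web

Public Class DelegationProbe
    Implements IHttpHandler

    Public ReadOnly Property IsReusable() As Boolean Implements IHttpHandler.IsReusable
        Get
            Return True
        End Get
    End Property

    Public Sub ProcessRequest(ByVal context As HttpContext) Implements IHttpHandler.ProcessRequest
        Dim response As HttpResponse = context.Response
        response.ContentType = "text/plain" ' plain text, so values are never rendered as HTML

        Dim caller As WindowsIdentity = TryCast(context.User.Identity, WindowsIdentity)
        If caller Is Nothing Then
            response.Write("Request was not authenticated with Windows authentication.")
            Return
        End If

        ' First hop: what the web server knows about the caller
        response.Write("client=" & context.Request.UserHostAddress & vbCrLf)
        response.Write("user=" & caller.Name & vbCrLf)
        response.Write("authType=" & caller.AuthenticationType & vbCrLf)
        response.Write("level=" & caller.ImpersonationLevel.ToString() & vbCrLf)

        Dim impersonation As WindowsImpersonationContext = caller.Impersonate()
        Try
            ' Second hop: ask SQL Server which login and auth scheme it saw for this session
            Using connection As New SqlConnection("Data Source=mydbserver;Initial Catalog=northwind;Integrated Security=SSPI")
                connection.Open()
                Using command As New SqlCommand("SELECT SUSER_SNAME(), auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID", connection)
                    Using reader As SqlDataReader = command.ExecuteReader()
                        If reader.Read() Then
                            response.Write("sqlLogin=" & reader.GetString(0) & vbCrLf)
                            response.Write("sqlAuthScheme=" & reader.GetString(1) & vbCrLf)
                        End If
                    End Using
                End Using
            End Using
        Catch ex As SqlException
            response.Write("sqlError=" & ex.Number.ToString() & " " & ex.Message & vbCrLf)
        Finally
            impersonation.Undo() ' always revert to the worker process identity
        End Try
    End Sub
End Class
```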