Impersonating other domain user in ASP.Net

Discussion in 'ASP .Net Security' started by cmw@europe.com, Feb 14, 2007.

  1. Guest

    I am trying to debug an ASP.Net application that uses impersonation to
    access a secured SQL Server database (Microsoft CRM as it happens) so
    my web.config has

    <authentication mode="Windows" />
    <identity impersonate="true"/>
    <authorization>
    <deny users="?" />
    </authorization>

    Now I'm not too clued up on authentication, active directory etc so
    I'm confused as to how my asp.net app appears to SQL Server as a
    totally different domain and user.

    Here's the code I've used to demonstrate what's happening.

    SqlConnection conn = new SqlConnection("Trusted_Connection=No;Server=sndbx2003dev;Database=03dev_MSCRM;Integrated Security=SSPI;");
    SqlCommand comm = new SqlCommand("SELECT SUSER_SNAME()", conn);
    conn.Open();

    Literal1.Text = comm.ExecuteScalar().ToString();
    conn.Close();

    Literal2.Text = HttpContext.Current.User.Identity.Name;

    Now Literal1 has 03dev\crmadmin whereas Literal2 has my own
    company\myname login.

    I'm trying to reproduce the same behaviour on a client's machine and
    don't know what's going on. I've asked the network guys but they don't
    seem to know either, but some things were set up before them.

    I've found references to Kerberos but it's a bit over my head at the
    moment.

    How is this possible?
     
    , Feb 14, 2007
    #1
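
The post above compares the ASP.NET request user with the login SQL Server reports, but with `Integrated Security=SSPI` the account presented to SQL Server is the Windows token on the executing thread, which is a third value. The following diagnostic is an added example, not code from the thread: it prints all three side by side so the hop where the identity changes is visible. The class name `IdentityProbe` and method `Describe` are hypothetical, and the connection string is assumed to use integrated security as in the post.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Text;
using System.Web;

// Added diagnostic example; IdentityProbe/Describe are hypothetical names.
public static class IdentityProbe
{
    // connectionString is assumed to use Integrated Security=SSPI.
    public static string Describe(HttpContext ctx, string connectionString)
    {
        StringBuilder sb = new StringBuilder();

        // 1. The user IIS/ASP.NET authenticated for this request
        //    (what HttpContext.Current.User.Identity.Name returns).
        IIdentity requestUser = ctx.User.Identity;
        sb.AppendFormat("Request user : {0} (auth type: {1})\n",
            requestUser.Name, requestUser.AuthenticationType);

        // 2. The Windows token on the executing thread. SSPI presents this
        //    token to SQL Server, so this is the value to compare with
        //    SUSER_SNAME(). If it already differs from the request user,
        //    the identity changes inside the web application, not at the
        //    database.
        using (WindowsIdentity threadIdentity = WindowsIdentity.GetCurrent())
        {
            sb.AppendFormat("Thread token : {0} (auth type: {1}, level: {2})\n",
                threadIdentity.Name,
                threadIdentity.AuthenticationType,
                threadIdentity.ImpersonationLevel);
        }

        // 3. The login SQL Server mapped the incoming connection to.
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
        {
            conn.Open();
            sb.AppendFormat("SQL login    : {0}\n", cmd.ExecuteScalar());
        }

        return sb.ToString();
    }
}
```

Call it from a page with `IdentityProbe.Describe(HttpContext.Current, connectionString)` and write the result to a literal, on both the working machine and the client's machine, to compare the two environments.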

  2. Consultant Guest

    In your connection string, you specify the server, user id and password.

     
    Consultant, Feb 14, 2007
    #2

  3. cmw,

    Have you established domain trusts between the calling and receiving
    domains?

    Shaun McDonnell

     
    Shaun C McDonnell, Feb 14, 2007
    #3
  4. Guest

    On 14 Feb, 19:21, "Shaun C McDonnell" <>
    wrote:
    > cmw,
    >
    > Have you established domain trusts between the calling and receiving
    > domains?
    >


    I'll look into domain trusts but this is what I don't know about. How
    do I find out?

    Consultant: Any uid and pwd I add to the connection string makes no
    difference as it's not an SQL login.
     
    , Feb 15, 2007
    #4
  5. Consultant Guest

    Create the SQL login account, give it appropriate permissions, dbo reader,
    whatever. Then in your web.config on your webservices, in the appsettings
    section, construct this:

    <add key="DBConnStr" value="initial catalog=insert_your_catalog_name;uid=insert_sql_login;pwd=insert_password;data source=insert_sql_servername;persist security info=False;"/>

    c


     
    Consultant, Feb 15, 2007
    #5