Impersonation problem.

szhang

When I enable impersonation in web.config and show User identity in .aspx
page, it is the user IIS authenticates. But when I try to access Sql server,
I get an access denied error message. It looks like asp.net does not
impersonate it at sql server side. I can impersonate a specific user in
web.config without problem. Is this a bug or by design? I need to give users
permissions based on their Windows login and I have a lot of users, but they
are not going to access these web pages at the same time.
 
Brock Allen

It sounds like you have the "network hop" authentication issue. If you're
authenticating from machine A to machine B (without passing a password across
the network, so think SSPI), then machine B tries to use those same credentials
to go to machine C, then it will fail unless you've configured your user
in AD to have the password stored with reversible encryption. Most security
experts think that's ridiculous as that's not secure. Thus you need to design
your app around this inherent problem.
 
Joe Kaplan (MVP - ADSI)

Agreed.

The canonical solution to the double hop problem is to implement Kerberos
delegation. There are many references on this newsgroup and on Microsoft's
sites that you can search for.

Joe K.
 
Paul Clement

¤ When I enable impersonation in web.config and show User identity in .aspx
¤ page, it is the user IIS authenticates. But when I try to access Sql server,
¤ I get an access denied error message. It looks like asp.net does not
¤ impersonate it at sql server side. I can impersonate a specific user in
¤ web.config without problem. Is this a bug or by design? I need to give users
¤ permissions based on their Windows login and I have a lot of users, but they
¤ are not going to access these web pages at the same time.

Is your SQL Server set up for integrated security and is it specified in your connection string?


Paul
~~~~
Microsoft MVP (Visual Basic)
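A diagnostic page in the spirit of Paul's question, added here as an example and not code posted in the thread: it shows the identity the impersonating thread holds next to the login SQL Server actually receives over an Integrated Security connection, so a double-hop failure is visible as a mismatch or a login error. The server name SQLHOST is a placeholder; the page assumes `<identity impersonate="true"/>` in web.config and Windows authentication in IIS.

```csharp
// Added example, not from the original thread.
// Assumes: <identity impersonate="true"/> in web.config, Windows
// authentication in IIS, SQL Server accepting Windows (integrated) logins.
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web.UI;

public partial class WhoAmI : Page
{
    // SQLHOST is a placeholder for the real instance name.
    private const string ConnStr =
        "Server=SQLHOST;Database=master;Integrated Security=SSPI;";

    protected void Page_Load(object sender, EventArgs e)
    {
        // With impersonation on, the thread token is the user IIS
        // authenticated (what the original poster saw in the .aspx page).
        string threadUser = WindowsIdentity.GetCurrent().Name;

        string sqlUser;
        try
        {
            using (SqlConnection cn = new SqlConnection(ConnStr))
            using (SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", cn))
            {
                cn.Open();
                // The login SQL Server sees; if the hop worked this matches
                // threadUser, otherwise SQL Server saw some other account.
                sqlUser = (string)cmd.ExecuteScalar();
            }
        }
        catch (SqlException ex)
        {
            // A login failure for NT AUTHORITY\ANONYMOUS LOGON (or for the
            // web server's machine account) on a remote SQL Server is the
            // double-hop signature: the impersonation token is valid on the
            // web server but carries no credentials to forward to a second
            // machine, so the connection arrives without the user's identity.
            sqlUser = "connection failed: " + ex.Message;
        }

        // Encode before writing; account names and error text are not
        // trusted HTML.
        Response.Write("Thread identity: " + Server.HtmlEncode(threadUser) + "<br/>");
        Response.Write("SQL Server sees: " + Server.HtmlEncode(sqlUser));
    }
}
```

If the two identities match when SQL Server runs on the web server but not when it runs on another box, the thread's diagnosis of a network-hop problem is confirmed.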
 
szhang

Thanks for your replies.

Here is my real problem. Our existing asp pages use windows authentication
and have no problem accessing sql server. All stored procedures use
is_member() function to determine user's permission. It will be too much to
rewrite all those stored procedures. Most users are computer illiterate and
all applications are on intranet, so security is not a big issue. The new web
server is on W2k3. The old one is on W2k and the PDC is still on a NT box.
What is the easiest way to get around this problem?
 
Joe Kaplan (MVP - ADSI)

Ah, if you are using an NT4 domain controller, then Kerberos delegation is
right out as that requires AD.

Just out of curiosity, in the instance where access to SQL works, is SQL
server on the same box as the web server?

Joe K.
 