Simple thread issue?

Discussion in 'ASP .Net' started by Brian, Feb 5, 2007.

  1. Brian

    Brian Guest

    I have an file based asp.net application the creates a thread to do some
    background printing. It works fine but when the application is deployed on a
    web server, the following error occurs in the thread when it accesses SQL:

    Login failed for user ''. The user is not associated with a trusted SQL
    Server connection.

    Note the blank user. It seems that the new thread does not have the
    credentials but looking at "Thread.CurrentPrincipal", there is a valid user
    (me).

    Is there something I am missing? Does the application need some assembly
    permissions? I wonder if there are any settings under IIS? Is there any way
    of telling why SQL cannot access the thread credentials?

    Brian
     
    Brian, Feb 5, 2007
    #1
    1. Advertising

  2. Brian

    Tim Mackey Guest

    hi brian,
    can you try it without using any threading code? also, verify that the code
    is using a valid connection string. is it set to use integrated/windows
    account logon? you've probably already tested that but no harm to check the
    obvious things first.

    tim



    "Brian" <> wrote in message
    news:...
    >I have an file based asp.net application the creates a thread to do some
    >background printing. It works fine but when the application is deployed on
    >a web server, the following error occurs in the thread when it accesses
    >SQL:
    >
    > Login failed for user ''. The user is not associated with a trusted SQL
    > Server connection.
    >
    > Note the blank user. It seems that the new thread does not have the
    > credentials but looking at "Thread.CurrentPrincipal", there is a valid
    > user (me).
    >
    > Is there something I am missing? Does the application need some assembly
    > permissions? I wonder if there are any settings under IIS? Is there any
    > way of telling why SQL cannot access the thread credentials?
    >
    > Brian
    >
     
    Tim Mackey, Feb 5, 2007
    #2
    1. Advertising

  3. Brian

    bruce barker Guest

    when you create a thread, its identity is the process identity, not the
    starting threads identity, so it will not match the pool account or
    impersonation account. the the case of asp.net, its the id of the worker
    process usually a network service account.

    you need to pass the desired identity to the new thread and have the new
    thread impersonate it.

    -- bruce (sqlwork.com)

    Brian wrote:
    > I have an file based asp.net application the creates a thread to do some
    > background printing. It works fine but when the application is deployed on a
    > web server, the following error occurs in the thread when it accesses SQL:
    >
    > Login failed for user ''. The user is not associated with a trusted SQL
    > Server connection.
    >
    > Note the blank user. It seems that the new thread does not have the
    > credentials but looking at "Thread.CurrentPrincipal", there is a valid user
    > (me).
    >
    > Is there something I am missing? Does the application need some assembly
    > permissions? I wonder if there are any settings under IIS? Is there any way
    > of telling why SQL cannot access the thread credentials?
    >
    > Brian
    >
    >
     
    bruce barker, Feb 5, 2007
    #3
  4. Brian

    Brian Guest

    Hi Tim,

    Yes it works fine without the threading code so the connection string is
    valid which uses integrated/windows security account.

    Brian

    "Tim Mackey" <> wrote in message
    news:...
    > hi brian,
    > can you try it without using any threading code? also, verify that the
    > code is using a valid connection string. is it set to use
    > integrated/windows account logon? you've probably already tested that but
    > no harm to check the obvious things first.
    >
    > tim
    >
    >
    >
    > "Brian" <> wrote in message
    > news:...
    >>I have an file based asp.net application the creates a thread to do some
    >>background printing. It works fine but when the application is deployed on
    >>a web server, the following error occurs in the thread when it accesses
    >>SQL:
    >>
    >> Login failed for user ''. The user is not associated with a trusted
    >> SQL Server connection.
    >>
    >> Note the blank user. It seems that the new thread does not have the
    >> credentials but looking at "Thread.CurrentPrincipal", there is a valid
    >> user (me).
    >>
    >> Is there something I am missing? Does the application need some assembly
    >> permissions? I wonder if there are any settings under IIS? Is there any
    >> way of telling why SQL cannot access the thread credentials?
    >>
    >> Brian
    >>

    >
     
    Brian, Feb 5, 2007
    #4
  5. Brian

    Brian Guest

    Hi Bruce,

    Thanks for your comment - it sounds like you are right on the mark!
    I tried adding the following line of code to the new thread. Note that
    "this.Context.User" seems to return the correct security principle - the
    impersonation account. It is also identical to Thread.CurrentPrincipal
    before the statement. Is there something I have missed setting the thread
    identity to impersonate the asp.net account?

    Thread.CurrentPrincipal = this.Context.User;

    I also tried adding the following statement because the app.domain principal
    policy in the new thread (only under asp.net) defaulted to
    "unauthenticated".

    Thread.GetDomain().SetPrincipalPolicy(System.Security.Principal.PrincipalPolicy.WindowsPrincipal);

    This too didn't make any difference - the error was the same when the code
    is run in a thread under asp.net (otherwise it works fine).

    I note that "this.Context.Request.LogonUserIdentity" normally returns the
    same as "this.Context.User.WindowsIdentity", except when running under the
    thread account in which case it returns, "Invalid token for impersonation -
    it cannot be duplicated." Is this the problem? Is there any way around this?

    Thanks very much for your help in this. By the way do you know if there any
    documentation on all this? Is there any other way of setting the thread
    identity?

    Brian

    "bruce barker" <> wrote in message
    news:...
    > when you create a thread, its identity is the process identity, not the
    > starting threads identity, so it will not match the pool account or
    > impersonation account. the the case of asp.net, its the id of the worker
    > process usually a network service account.
    >
    > you need to pass the desired identity to the new thread and have the new
    > thread impersonate it.
    >
    > -- bruce (sqlwork.com)
    >
    > Brian wrote:
    >> I have an file based asp.net application the creates a thread to do some
    >> background printing. It works fine but when the application is deployed
    >> on a web server, the following error occurs in the thread when it
    >> accesses SQL:
    >>
    >> Login failed for user ''. The user is not associated with a trusted
    >> SQL Server connection.
    >>
    >> Note the blank user. It seems that the new thread does not have the
    >> credentials but looking at "Thread.CurrentPrincipal", there is a valid
    >> user (me).
    >>
    >> Is there something I am missing? Does the application need some assembly
    >> permissions? I wonder if there are any settings under IIS? Is there any
    >> way of telling why SQL cannot access the thread credentials?
    >>
    >> Brian
     
    Brian, Feb 6, 2007
    #5
  6. Brian

    Brian Guest

    Hi Bruce,

    I found another post under microsoft.public.dotnet.framework.aspnet.security
    called "Exception when use asp.net with .net remoting". This suggested
    looking at:

    System.Security.Principal.WindowsIdentity.GetCurrent();

    This seems to be empty in the child thread so I added the following code to
    the thread (either of these lines work):
    ((WindowsIdentity)this.Context.User.Identity).Impersonate();
    ((WindowsIdentity)Thread.CurrentPrincipal.Identity).Impersonate();

    This fixes the problem when running on Windows XP but on windows 2003 it
    returns printing (system.drawing error) which I'll have to look into.

    Thanks again,
    Brian

    "Brian" <> wrote in message
    news:...
    > Hi Bruce,
    >
    > Thanks for your comment - it sounds like you are right on the mark!
    > I tried adding the following line of code to the new thread. Note that
    > "this.Context.User" seems to return the correct security principle - the
    > impersonation account. It is also identical to Thread.CurrentPrincipal
    > before the statement. Is there something I have missed setting the thread
    > identity to impersonate the asp.net account?
    >
    > Thread.CurrentPrincipal = this.Context.User;
    >
    > I also tried adding the following statement because the app.domain
    > principal policy in the new thread (only under asp.net) defaulted to
    > "unauthenticated".
    >
    > Thread.GetDomain().SetPrincipalPolicy(System.Security.Principal.PrincipalPolicy.WindowsPrincipal);
    >
    > This too didn't make any difference - the error was the same when the code
    > is run in a thread under asp.net (otherwise it works fine).
    >
    > I note that "this.Context.Request.LogonUserIdentity" normally returns the
    > same as "this.Context.User.WindowsIdentity", except when running under the
    > thread account in which case it returns, "Invalid token for
    > impersonation - it cannot be duplicated." Is this the problem? Is there
    > any way around this?
    >
    > Thanks very much for your help in this. By the way do you know if there
    > any documentation on all this? Is there any other way of setting the
    > thread identity?
    >
    > Brian
    >
    > "bruce barker" <> wrote in message
    > news:...
    >> when you create a thread, its identity is the process identity, not the
    >> starting threads identity, so it will not match the pool account or
    >> impersonation account. the the case of asp.net, its the id of the worker
    >> process usually a network service account.
    >>
    >> you need to pass the desired identity to the new thread and have the new
    >> thread impersonate it.
    >>
    >> -- bruce (sqlwork.com)
    >>
    >> Brian wrote:
    >>> I have an file based asp.net application the creates a thread to do some
    >>> background printing. It works fine but when the application is deployed
    >>> on a web server, the following error occurs in the thread when it
    >>> accesses SQL:
    >>>
    >>> Login failed for user ''. The user is not associated with a trusted
    >>> SQL Server connection.
    >>>
    >>> Note the blank user. It seems that the new thread does not have the
    >>> credentials but looking at "Thread.CurrentPrincipal", there is a valid
    >>> user (me).
    >>>
    >>> Is there something I am missing? Does the application need some assembly
    >>> permissions? I wonder if there are any settings under IIS? Is there any
    >>> way of telling why SQL cannot access the thread credentials?
    >>>
    >>> Brian

    >
    >
     
    Brian, Feb 6, 2007
    #6
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Charles A. Lackman

    Terminating a thread from the main thread

    Charles A. Lackman, Dec 9, 2004, in forum: ASP .Net
    Replies:
    3
    Views:
    1,588
    Herfried K. Wagner [MVP]
    Dec 9, 2004
  2. pawo
    Replies:
    0
    Views:
    542
  3. Stephen Miller
    Replies:
    3
    Views:
    4,039
    Stephen Miller
    Jul 2, 2004
  4. Johanna
    Replies:
    0
    Views:
    625
    Johanna
    Oct 13, 2004
  5. =?Utf-8?B?Sm9oYW5uYQ==?=
    Replies:
    3
    Views:
    2,006
    =?Utf-8?B?Sm9oYW5uYQ==?=
    Oct 15, 2004
Loading...

Share This Page