Strange behaviour with SqlMembershipProvider and impersonation

google

Hi all. I've got a problem with SqlMembershipProvider and impersonation
that I'm stuck on.

I'm using forms authentication for membership on the site, which is
running under a Windows user account with privileges to the SQL
database using impersonation and a connection string including
Integrated Security=SSPI.

If I specify the userName and password fields in the identity element
of web.config the SqlMembershipProvider gets access to the database
fine. However if I just use <identity impersonate="true" /> the
membership provider gets denied by the SQL database which says that no
user was specified.

At the same time System.Security.Principal.WindowsIdentity shows the
correct user and my own connections work fine from the same string.

I think it might be something to do with SqlMembershipProvider calling
System.Web.DataAccess.SqlConnectionHelper.GetConnection(String
connectionString, Boolean revertImpersonation) but this is hidden and
undocumented by Microsoft.

I don't want to include user names and passwords in my web.config as
this is bad practice, but I don't have an alternative at the moment!

Thanks in advance,
Graham
 
Dominick Baier [DevelopMentor]

Hi,

the SqlMembership provider will use the process identity when you specify
integrated in the connection string - not the client identity.

Does your worker process account have access to sql server?
 
google

Hi Dominick.

No it doesn't. However, if I give the same privileges to the network
service as I would for each user, would all of the sites on that
server be able to access each other's information?

The server I'm running is used for hosting public sites and our own
internally developed ones. I could set up an application pool for each
user, but that seems a lot of work!

Cheers,
Graham
 
Dominick Baier [DevelopMentor]

Hi,

yes - if you want to use integrated - every app needs its own app pool with
a distinct identity.

yeah - there are some clicks involved :)
 
google

Thanks for the suggestion, got most of my sites separated out now. Uses
quite a bit more memory but I'd rather that than have a potential
security flaw.

My problem now is getting the user accounts to work with application
pools, all I get is those "service unavailable" messages and
meaningless system event logs!
 
Dominick Baier [DevelopMentor]

Hi,

put all user accounts into the IIS_WPG group - iisreset - and try again.
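The two configurations discussed in this thread side by side, as an added illustration that is not from either poster: the rejected option keeps a plaintext password in web.config, while the chosen option relies on the application pool identity, because SqlMembershipProvider reverts impersonation and opens its connection as the process account. Server name, database name and account names are constructed placeholders.

```xml
<!-- Constructed web.config fragment illustrating the thread; not from the original posts. -->
<configuration>
  <connectionStrings>
    <!-- Integrated Security=SSPI: SQL Server authenticates whichever Windows
         identity actually opens the connection. -->
    <add name="MembershipDb"
         connectionString="Data Source=(local);Initial Catalog=aspnetdb;Integrated Security=SSPI"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <authentication mode="Forms" />

    <!-- Rejected option: fixed credentials in the config file. The provider
         connects as DOMAIN\svc_site, but the password sits in plaintext. -->
    <!--
    <identity impersonate="true" userName="DOMAIN\svc_site" password="PLACEHOLDER" />
    -->

    <!-- Chosen option: impersonate the IIS-authenticated identity for the
         application's own code only. SqlMembershipProvider reverts this
         impersonation before connecting, so its SQL login is the application
         pool (worker process) account, not the impersonated user. -->
    <identity impersonate="true" />

    <membership defaultProvider="SqlProvider">
      <providers>
        <clear />
        <add name="SqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             applicationName="/PublicSiteA" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

For the isolation Dominick describes, each site then runs in its own application pool under a distinct account (a member of IIS_WPG), and only that account is granted the aspnet_Membership_* roles on that site's membership database, so one site's pool identity cannot read another site's users.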