Delegation / Impersonation problem

matt

I have started to put together an ASP.NET 2.0 application which
connects to a SQL server using the logged on identity.

I have read the articles on how to configure the connection string,
web.config and Active Directory servers.

It all seems to work fine from most machines on our network. However I
have found that the connection will fail with a 'Login failed for user
'NT AUTHORITY\ANONYMOUS LOGON' error if the client machine is 'trusted
for delegation' from within active directory.

I have been testing the following small bit of code, which runs as an app
on one of the internal webservers:

    ' At the top of the code-behind file
    Imports System.Data.SqlClient
    Imports System.Security.Principal

    ' Impersonate the authenticated caller and report what kind of token we got
    Dim currentWindowsIdentity As WindowsIdentity = CType(User.Identity, WindowsIdentity)
    Dim impersonationContext As WindowsImpersonationContext = currentWindowsIdentity.Impersonate()

    Response.Write("anon=" & currentWindowsIdentity.IsAnonymous.ToString() & "<BR>")
    Response.Write("level=" & currentWindowsIdentity.ImpersonationLevel.ToString() & "<BR>")

    Try
        ' Second hop: connect to SQL Server with the impersonated credentials
        Using connection As New SqlConnection("packet size=4096;data source=mydbserver;" & _
                "persist security info=True;initial catalog=northwind;Integrated Security=SSPI")
            connection.Open()
            Response.Write("connection made ok " & Date.Now.ToShortDateString() & " " & _
                           Date.Now.TimeOfDay.ToString())
        End Using
    Catch ex As Exception
        Response.Write(ex.Message)
    Finally
        ' Always revert to the process identity
        impersonationContext.Undo()
    End Try

If I view the page from a number of clients (XP workstations) on the
network I get the following:

anon=False
level=Delegation
connection made ok 30/10/2006 09:34:57.6818835

which is fine, all seems ok.

If I access the same page from the webserver itself the impersonation
level changes but the connection still works:

anon=False
level=Impersonation
connection made ok 30/10/2006 09:58:39.1254460

However if I access the page from another server which is set as
'trusted for delegation' the connection fails:

anon=False
level=Impersonation
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

Is there any reason why this would occur? It seems an application
cannot use delegation in this way if the client accessing it may be
another server which is 'trusted for delegation', such as another
webserver on the network or a domain controller for example.

Any help would be much appreciated,

Matt.
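An added diagnostic (not part of Matt's post) that extends the probe above: it reports WindowsIdentity.AuthenticationType next to the impersonation level and then attempts the second hop, because a token below Delegation level cannot authenticate the caller to another machine and arrives at SQL Server as NT AUTHORITY\ANONYMOUS LOGON. The module name and the connection string passed in are assumptions; call it from the page with CType(User.Identity, WindowsIdentity).

```vbnet
Imports System
Imports System.Data.SqlClient
Imports System.Security.Principal

' Added diagnostic, not from the original post: reports which protocol
' authenticated the caller and whether the resulting token can be
' forwarded to a back-end SQL Server (the "second hop").
Public Module DelegationDiagnostics

    ' Returns a one-line report; connectionString is supplied by the caller
    Public Function ProbeSecondHop(ByVal caller As WindowsIdentity, _
                                   ByVal connectionString As String) As String
        Dim report As String = "user=" & caller.Name & _
                               " auth=" & caller.AuthenticationType & _
                               " level=" & caller.ImpersonationLevel.ToString()

        ' Only a Delegation-level token can authenticate to another machine.
        ' Identification/Impersonation tokens work for local resources but
        ' reach a remote SQL Server as NT AUTHORITY\ANONYMOUS LOGON.
        ' NTLM never produces a Delegation-level token, so "auth=NTLM" is the
        ' usual explanation when Kerberos delegation was expected.
        If caller.ImpersonationLevel <> TokenImpersonationLevel.Delegation Then
            report &= " expect=fail (token cannot be delegated"
            If String.Equals(caller.AuthenticationType, "NTLM", StringComparison.OrdinalIgnoreCase) Then
                report &= "; NTLM was used instead of Kerberos"
            End If
            report &= ")"
        Else
            report &= " expect=ok"
        End If

        ' Try the hop under the caller's token and record what actually happened
        Dim ctx As WindowsImpersonationContext = caller.Impersonate()
        Try
            Using conn As New SqlConnection(connectionString)
                conn.Open()
                ' SUSER_SNAME() shows which login SQL Server actually saw
                Using cmd As New SqlCommand("SELECT SUSER_SNAME()", conn)
                    report &= " actual=ok as " & CStr(cmd.ExecuteScalar())
                End Using
            End Using
        Catch ex As SqlException
            report &= " actual=fail (" & ex.Message & ")"
        Finally
            ctx.Undo()
        End Try
        Return report
    End Function
End Module
```

Comparing the "auth=" and "level=" fields across the three client cases in the post (workstation, the webserver itself, another server) shows whether the failing hop arrived over NTLM or over Kerberos without the delegation flag.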