Hybrid SQL Server and ASP.NET Windows authentication


Onur Gorur

I have an ASP.NET web application that executes stored procedures on SQL
Server 2000 on the backend and displays the results of these stored procs on a
grid. I use integrated Windows authentication on IIS, ASP.NET and SQL Server.
Here is what I want to do:

- When a user starts to use the application I want to get the credentials of
the user. (This can be done by web.config:: <identity impersonate="true">)
- After I get the user info, I would like to run the stored procedures with
a different specific NT user's credentials, one that I will give all SQL
Server accesses. So, I will not give any application user SQL Server direct
query access but only this specific user account. (This can be done by
impersonating this specific user in the web.config)

I want both of these, but I could not find a way to accomplish both. One
method I thought of would be having one ASP.NET application and another web
service application, both running with different credentials (the first with
the logged-in user and the second with my SQL Server account).

Any other ideas? Help wanted!

Thanks in advance
 

Joe Kaplan (MVP - ADSI)

Couldn't you just set up your process model to run as the trusted SQL account
and then disable impersonation in ASP.NET? In that case, the SQL calls will
be made with the process account, but users will still log in to the site as
normal. If you needed to impersonate the current user for some reason
(local file security or something), then you could manually impersonate by
casting Context.User.Identity to a WindowsIdentity and then creating the
impersonation context from there.

Another option would be to put the db access code in a COM+ component and
run it under a different identity.

Joe K.
 

Onur Gorur

The only reason that I impersonate the current user is to get his NT login
name. After I get the login name, I do not need the impersonation of this
current account anymore. When I run the process with the trusted SQL account
(with integrated security=sspi), then as far as I know (please correct me if I
am wrong), when I get the identity of the user, I will get the SQL account's
login name and not the current user's, or not?

And also, I think I should change the process's account from machine.config?
Or can it be changed from web.config? Will it also affect other running web
applications?

I will be glad if you can give some code examples and elaborate on what you
mean by "you could manually impersonate by casting Context.User.Identity to a
WindowsIdentity and then creating the impersonation context from there."

Thanks,
Onur



Joe Kaplan (MVP - ADSI) said:
Couldn't you just set up your process model to run as the trusted SQL account
and then disable impersonation in ASP.NET? In that case, the SQL calls will
be made with the process account, but users will still log in to the site as
normal. If you needed to impersonate the current user for some reason
(local file security or something), then you could manually impersonate by
casting Context.User.Identity to a WindowsIdentity and then creating the
impersonation context from there.

Another option would be to put the db access code in a COM+ component and
run it under a different identity.

Joe K.
 

Joe Kaplan (MVP - ADSI)

Ok, a couple of things here:

Context.User (or Page.User or Thread.CurrentPrincipal) will represent the
user who authenticated. If you are using Windows authentication, this will
be a WindowsPrincipal. If you want to get the name of the authenticated
user, just do Context.User.Identity.Name. You don't need impersonation to
do this. With Windows authentication, impersonation will just make whoever
is in Context.User.Identity be the same as
System.Security.Principal.WindowsIdentity.GetCurrent(), which is the
identity of the token that is executing code on the current thread. Without
impersonation, that will be the process account.

In IIS5, changing the process account is done by changing the
machine.config. Note that this change will affect all other applications
that are sharing that same worker process. In IIS6, you change the AppPool
identity. You have more options of having different applications in
different pools with IIS6, and the config is via the MMC and integrated with
IIS.

To impersonate any WindowsIdentity, just call the Impersonate method. When
you are done, just call the Undo method on the WindowsImpersonationContext
that is returned from Impersonate.

HTH,

Joe K.

Onur Gorur said:
The only reason that I impersonate the current user is to get his NT login
name. After I get the login name, I do not need the impersonation of this
current account anymore. When I run the process with the trusted SQL account
(with integrated security=sspi), then as far as I know (please correct me if I
am wrong), when I get the identity of the user, I will get the SQL account's
login name and not the current user's, or not?

And also, I think I should change the process's account from machine.config?
Or can it be changed from web.config? Will it also affect other running web
applications?

I will be glad if you can give some code examples and elaborate on what you
mean by "you could manually impersonate by casting Context.User.Identity to a
WindowsIdentity and then creating the impersonation context from there."

Thanks,
Onur
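The arrangement Joe describes, written out as an added example (this is not code from the thread or from either poster): Windows authentication stays on, `<identity impersonate="false" />` is set, and the worker process / AppPool runs as the trusted SQL account. The page reads the caller's login name from Context.User.Identity without impersonating, passes it to the stored procedure as a parameter so SQL Server only ever sees the process account, and impersonates the caller only for the one local-file read that needs the caller's own token. The connection string name "Reports", the stored procedure dbo.GetOrdersForUser with its @LoginName parameter, the ReportPage class and the file path are all assumptions made for the example.

```csharp
// Added example, not from the thread. Assumed web.config:
//   <authentication mode="Windows" />
//   <identity impersonate="false" />
//   <connectionStrings>
//     <add name="Reports"
//          connectionString="Server=SQLHOST;Database=Reports;Integrated Security=SSPI" />
//   </connectionStrings>
// dbo.GetOrdersForUser(@LoginName) is an assumed stored procedure.
using System;
using System.Configuration;   // ConfigurationManager needs .NET 2.0 or later
using System.Data;
using System.Data.SqlClient;
using System.IO;
using System.Security.Principal;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class ReportPage : Page
{
    protected GridView ResultsGrid;   // declared in the .aspx markup (assumed)

    protected void Page_Load(object sender, EventArgs e)
    {
        // Who authenticated to IIS. With Windows authentication this is a
        // WindowsPrincipal/WindowsIdentity even though impersonation is off.
        WindowsIdentity caller = Context.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
        {
            Response.StatusCode = 401;
            Response.End();
        }

        // Who the thread is actually running as: the process (AppPool) account,
        // because impersonate="false". This is the only account SQL Server sees.
        string runningAs = WindowsIdentity.GetCurrent().Name;
        Trace.Write("identity", "caller=" + caller.Name + " runningAs=" + runningAs);

        // The caller's login name travels as data; the connection itself
        // authenticates as the process account via Integrated Security=SSPI.
        ResultsGrid.DataSource = RunReportFor(caller.Name);
        ResultsGrid.DataBind();

        // Impersonate only for the one thing that needs the caller's own token
        // (a file protected by NTFS ACLs on the web server).
        string notes = ReadAsCaller(caller, Server.MapPath("~/App_Data/notes.txt"));
        Trace.Write("notes", notes);
    }

    // Executes the stored procedure under the process account.
    private static DataTable RunReportFor(string loginName)
    {
        string cs = ConfigurationManager.ConnectionStrings["Reports"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand("dbo.GetOrdersForUser", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            // Parameterised, so the login name is never spliced into SQL text.
            cmd.Parameters.Add("@LoginName", SqlDbType.NVarChar, 256).Value = loginName;

            DataTable table = new DataTable();
            using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(table);
            }
            return table;
        }
    }

    // Manual impersonation as Joe describes: Impersonate() switches the thread
    // token to the caller's; Undo() in finally restores the process account
    // even if the read throws.
    private static string ReadAsCaller(WindowsIdentity caller, string path)
    {
        WindowsImpersonationContext ctx = caller.Impersonate();
        try
        {
            // Inside this block WindowsIdentity.GetCurrent().Name == caller.Name.
            return File.ReadAllText(path);
        }
        finally
        {
            ctx.Undo();
        }
    }
}
```

Two points worth checking in a deployment like this. First, the token behind Context.User.Identity under NTLM is an impersonation-level token, so while impersonated the thread can open local resources but generally cannot reach a SQL Server on another machine (the classic double-hop limit); keeping the database call outside the impersonated block, as above, is what makes the process-account design work. Second, because every query now arrives as the process account, SQL-side auditing no longer shows the end user, which is why the caller's name is passed as @LoginName and can be recorded by the stored procedure.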
 
