LogonUser API Help




I am trying to authenticate a Windows user using the
LogonUser API on our website. I am able to authenticate
and impersonate the user just fine but I need to validate
these credentials to our SQL Server connections as well.
I'm using a DSN on my server with WindowsNT
authentication using network login ID. Is it possible to
pass on the credentials to an ODBC datasource using the
LogonUser API? I have to log into our SQL Server using
the Windows account I used with the LogonUser API. I
know I could use a standard SQL Server Authentication to
pass the credentials using a DSN-less string but that is
not an option for me right now. I'm trying to log into
our website using Windows authentication and I want to
omit the network username and password dialog box
altogether and use a form to supply the Windows
credentials. So far the LogonUser API has done the trick
but it doesn't seem to be authenticating throughout the
network. Any help would be appreciated.



Andrea D'Onofrio [MSFT]

Hi Gabriel,
First of all, I suppose that IIS and SQL Server are on separate machines in
the same domain.
If I have understood well, in your scenario probably the best solution is to
use the basic authentication in IIS (this will prompt the username and
password dialog box) via HTTPS, set the impersonate=true in web.config file
and then simply connect to SQL server using "Windows NT integrated
security". i.e. the connection string could be:
Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=dbname;Data Source=sqlservername

But if you want to omit the network username and password dialog box, you
must enable Anonymous authentication in IIS, set the form authentication in
the web.config file, impersonate via code (LogonUser API) the domain
credential inserted in a custom authentication form and then simply connect
to SQL server using "Windows NT integrated security".

In these scenarios, the users must be flagged for delegate because of the
double hop (the IIS server must use the client credential for another
authentication on SQL server).

In these articles you will find more details:
283201 HOWTO: Use Delegation in Windows 2000 with COM+

287537 Using Basic Authentication to Generate Kerberos Tokens





After using the LogonUser API, I'm able to see that it
impersonates the user, I display the current principal
Windows identity (VB.NET), and it impersonates as it
should, but I redirect to another page and it reverts
back to the Anonymous user. I want to keep that
impersonated Windows login throughout the session. Is
there something I'm doing wrong or something I'm
missing? Or is this how impersonation is supposed to work?