Brian,
You are encountering the delegation issue. You can probably find a lot of
similar posts if you search for "delegation", "SQL Server", "ASP.NET",
"Kerberos", etc. In short, in a typical corporate environment you cannot do
what you want. And by typical environment, I mean that you have three
physical systems involved (Web browser, IIS, and SQL Server), which belong
to an Active Directory domain, and your ASP.NET site is protected using
integrated Windows authentication (IWA). Now, if instead of using IWA, you
use basic authentication, it will work. It will also work if you move SQL
Server or Web browser (either one) to the same machine where IIS runs. But
if you do not do any of these changes you will run into the delegation
problem. The problem here is that in a typical environment, impersonated
credentials do not cross the machine boundary. So while IIS can recognize
the user making the call and can use user's credentials for all local
authorization calls, as soon as an outgoing call is made (to a SQL Server,
Oracle, Web Service, or whatever), the credentials of IIS process (not
impersonated user) will be passed. There is a way to allow passing
impersonated credentials through the machine boundary (as Joe mentioned),
but it requires changing domain security settings, which are generally not
recommended. If you can and are planning to make these changes (to enable
Kerberos delegation), you must be aware of the associated security risks.
Alek
Thanks. That gets me authenticated to the web service, but how do I pass
those credentials onto SQL? I realize I can impersonate a user; I've
already successfully tried it. My first choice would be to pass the actual
Windows user credentials of the current logged on user to SQL, though.
(Integrated security=sspi works like a charm when I am doing this all
locally, btw, i.e. my SQL connection happens in a method or an instance of
another class.)
Whenever I try using integrated security in my connection string I always
get back the message that it can't connect using