
I have a 3-layer architecture: Client - Middle Tier - SQL. I need to delegate client rights to access the SQL server. I made delegation between client and middle tier and it works fine (as I understand). But the middle tier - SQL server connection is over NTLM (can't be changed), which does not support delegation. Certainly, while connecting it throws a 401 - 0x80070005 "0x80070005 Access is denied. You do not have permission to perform the requested operation".

So I need to impersonate from MT to SQL, delegated from the client account. Is it possible?

rene
dr11

1 Answer

No, you need Kerberos and nothing else, forget NTLM.

Michael-O
  • And what about logging in on the middle tier to make impersonation from the middle tier possible? I need any solution for this issue (for a start) – dr11 Jul 22 '13 at 08:37
  • How do you intend to gather credentials? – Michael-O Jul 22 '13 at 09:27
  • I'm working on it. If I LogonUser() on MT it works fine =) What about LogonUser on the client with LOGON32_LOGON_NETWORK_CLEARTEXT and passing the token over the network, and then creating WindowsIdentity() with the passed token? Is the token local or global on AD? – dr11 Jul 22 '13 at 10:28
  • This makes sense, but be sure to encrypt all traffic! – Michael-O Jul 22 '13 at 10:48
  • Can't find any usage examples. What should I do with the token? And how can I retrieve the token on the client machine without a password (from the current identity)? – dr11 Jul 22 '13 at 12:12
  • How can I check whether my credentials on the middle tier can be delegated? For example, when I call DuplicateToken() with the Delegation argument it fails with error 1346 – dr11 Jul 22 '13 at 12:14
  • All machine accounts must be trusted for delegation. Ask your admin first. – Michael-O Jul 22 '13 at 14:07
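The answer and the comment thread above boil down to three checks an administrator can run on the middle tier before touching any code: which authentication scheme the middle tier actually negotiated with SQL Server (if it is NTLM, the client identity can never reach the second hop), whether an SPN exists for the SQL service (without one, Kerberos is never attempted and the client silently falls back to NTLM), and whether the middle-tier computer account is trusted for delegation (constrained delegation, scoped to the SQL SPN, is the safer form). The DuplicateToken() error 1346 mentioned in the comments is ERROR_BAD_IMPERSONATION_LEVEL: the token the middle tier holds for the client is only at Identification or Impersonation level, and a Delegation-level token only exists when the first hop itself was Kerberos with delegation permitted. The following PowerShell script is an added diagnostic example, not code from the question, the answer, or any product; the host names `sqlhost.example.local` and the default middle-tier name are placeholders, and it assumes the RSAT ActiveDirectory module and the `setspn` tool are available on the machine where it runs.

```powershell
# Added diagnostic example (not from the original thread). Run on the middle tier
# under the service account that opens the SQL connection.
param(
    [string]$SqlServer      = 'sqlhost.example.local',  # placeholder, replace with the real SQL host
    [string]$MiddleTierHost = $env:COMPUTERNAME         # assumption: script runs on the middle tier
)

# 1. Which scheme did SQL Server actually accept for this session? sys.dm_exec_connections
#    reports KERBEROS or NTLM for the current session. NTLM on this hop means the
#    client's identity stops at the middle tier no matter what the code does.
$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$SqlServer;Integrated Security=SSPI;")
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT auth_scheme, net_transport FROM sys.dm_exec_connections WHERE session_id = @@SPID;'
    $reader = $cmd.ExecuteReader()
    if ($reader.Read()) {
        "[1] Middle tier -> SQL auth scheme: $($reader['auth_scheme']) over $($reader['net_transport'])"
    }
    $reader.Close()
}
catch {
    "[1] Could not open SQL connection: $($_.Exception.Message)"
}
finally {
    $conn.Close()
}

# 2. Is there an MSSQLSvc SPN registered for the SQL host? setspn -Q searches the forest;
#    no match means clients cannot request a Kerberos service ticket and fall back to NTLM.
"[2] SPN lookup for MSSQLSvc/$SqlServer*:"
setspn -Q "MSSQLSvc/$SqlServer*"

# 3. Delegation settings on the middle-tier computer account.
#    TrustedForDelegation = unconstrained delegation (any service, high risk if the host is compromised).
#    msDS-AllowedToDelegateTo = constrained delegation, which should list only the MSSQLSvc SPN.
"[3] Delegation configuration of $MiddleTierHost:"
Get-ADComputer -Identity $MiddleTierHost -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo' |
    Select-Object Name, TrustedForDelegation, 'msDS-AllowedToDelegateTo' |
    Format-List

# 4. Impersonation level of the token this process currently holds. Only meaningful when run
#    inside the impersonation context of a client request; anything below Delegation is why
#    DuplicateToken() with the Delegation level fails with 1346 (ERROR_BAD_IMPERSONATION_LEVEL).
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"[4] Current identity: $($id.Name), impersonation level: $($id.ImpersonationLevel)"
```

Read the four results together: step 1 reporting NTLM while step 2 finds no SPN points at a missing or duplicate SPN rather than at application code, and step 3 showing TrustedForDelegation set to True with an empty msDS-AllowedToDelegateTo indicates unconstrained delegation, which works but exposes every client ticket on the middle tier; restricting it to the MSSQLSvc SPN is the change to ask the domain administrator for.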