
We have a website deployed with Impersonate=true.

A connection string is defined as this:

Integrated Security=SSPI;Persist Security Info=false;Initial Catalog=MyDatabase;Data Source=MyServer;

I assume Persist Security Info is redundant as that only applies to SQL authentication? We need to use integrated security as we can't have passwords in the config file due to corporate security policies.

The website runs under a service account. The service account has permissions to access the database, but other accounts do not have access (security policy).

The problem we're facing is the user account is being passed to the database and being rejected, due to Impersonate=true.

We're required to have Impersonate=true for a Single Sign-On component to work.

Is this a catch 22 or is there a solution?

I hope I've written this clearly enough!

pfeds

1 Answer

As per http://msdn.microsoft.com/en-us/library/134ec8tc(v=vs.80).aspx: "Impersonation is independent of the authentication mode configured using the authentication configuration element. The authentication element is used to determine the User property of the current HttpContext. Impersonation is used to determine the WindowsIdentity of the ASP.NET application."

Accordingly, you do not need to enable impersonation to be able to authenticate users. Note however that your application will have to handle authorization. A ready framework to implement authorization is NetSQLAzman, see http://netsqlazman.codeplex.com/

Tarik
  • Are you saying Integrated Windows Authentication should be sufficient without Impersonation being set to true? Should having it set to impersonate=false still work, but use the service account permission on the database just like we need it to? – pfeds Aug 02 '13 at 03:01
  • Yes, that should be sufficient. – Tarik Aug 02 '13 at 03:10
  • Ok, that makes sense. I think there's a problem with our software as we need to have impersonate turned on for Windows authentication to work. Unfortunately I'm not involved in the coding so can't investigate. Thanks for your help. – pfeds Aug 02 '13 at 04:38
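
An added diagnostic, not code from the question or the answer: a hypothetical ASP.NET handler (`WhoAmIHandler` is an assumed name) that reports the identity set by authentication, the identity the request thread runs under, and the login SQL Server sees for the question's connection string. With Windows authentication and impersonation off, the first should be the signed-in user and the other two the service account.

```csharp
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

// Added example. Assumed web.config for the setup the answer describes:
//   <authentication mode="Windows" />
//   <identity impersonate="false" />
// WhoAmIHandler is a hypothetical name; register it only while troubleshooting.
public class WhoAmIHandler : IHttpHandler
{
    // Connection string exactly as given in the question.
    private const string ConnectionString =
        "Integrated Security=SSPI;Persist Security Info=false;" +
        "Initial Catalog=MyDatabase;Data Source=MyServer;";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // HttpContext.User comes from the <authentication> element:
        // the signed-in caller, whether or not impersonation is on.
        string caller = context.User.Identity.Name;

        // Token the thread runs under: the caller when impersonate="true",
        // otherwise the service account. Integrated Security=SSPI uses it.
        string threadIdentity = WindowsIdentity.GetCurrent().Name;
        string sqlLogin;
        try
        {
            using (var conn = new SqlConnection(ConnectionString))
            using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
            {
                conn.Open();
                sqlLogin = (string)cmd.ExecuteScalar();
            }
        }
        catch (SqlException ex)
        {
            // Expected with impersonate="true" when only the service
            // account has a login on the database.
            sqlLogin = "login failed for " + threadIdentity + " (error " + ex.Number + ")";
        }

        context.Response.ContentType = "text/plain";
        context.Response.Write("HttpContext.User : " + caller + "\n");
        context.Response.Write("Thread identity  : " + threadIdentity + "\n");
        context.Response.Write("SQL Server login : " + sqlLogin + "\n");
    }
}
```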