2

I want to use IIS impersonation to connect to a SQL server database as the user who is currently accessing a website. This is for auditing and security reasons.

I've done some reading and discovered that because the SQL Server is on a separate physical server I need to enable Protocol Transitioning and Constrained delegation for the server that's running IIS. This is the article that I found ... http://msdn.microsoft.com/en-us/library/ff649317.aspx

I didn't realise at the time I first read it but this article has the following header...

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

What I want to know is, does the information in the article still apply? If I want to impersonate the user all the way to the SQL Server, do I still need Constrained Delegation, or has this been implemented in some other way for ASP.NET 4?

Kiquenet
BenCr
  • Did you achieve what you were hoping for? Impersonation and trusted connection to SQL Server? Was it forms or windows authentication for your app? – Aaron Wagner Feb 08 '11 at 20:48
  • @Aaron Wagner, yes I managed to achieve the end result of accessing the SQL database as the Windows principal. Our app uses SqlServer impersonation rather than IIS impersonation. We access the database with a single user and that user executes an "EXECUTE AS LOGIN..." SQL command to change the user context on the database. See this [link](http://msdn.microsoft.com/en-us/library/ms188304.aspx) – BenCr Feb 10 '11 at 13:23
  • Thanks for the link, it's an approach I hadn't thought of. – Aaron Wagner Feb 10 '11 at 14:12

1 Answer

1

Constrained Delegation is the only way to flow impersonated credentials information to a second host. ASP.NET has nothing to do with it, it is just an ordinary app that uses the Kerberos framework. Nothing changed. Once the ASP.NET application impersonates the context authenticated by IIS (see Configure ASP.NET Impersonation Authentication) the same rules for delegation apply:

  • The app pool account must be configured to be trusted for constrained delegation
  • The SQL Server must have the SPN properly registered
Remus Rusanu
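As an added example (not part of the answer above and not Microsoft's own tooling), the two conditions the answer lists can be checked with a small PowerShell function that evaluates the app pool account's delegation settings against the SQL Server SPN. The account name, host names and SPN values are constructed placeholders, and the commented `Get-ADUser` / `Get-ADObject` lines assume the ActiveDirectory module is installed.

```powershell
# Added example. Account names, hosts and SPNs are constructed placeholders.
function Test-SqlDelegation {
    param(
        [Parameter(Mandatory)] $Account,            # app pool identity as read from AD
        [Parameter(Mandatory)] [string] $TargetSpn, # SPN of the SQL Server service
        [object[]] $SpnOwners = @()                 # AD objects that carry $TargetSpn
    )
    $owners   = @($SpnOwners | Where-Object { $_ })
    $allowed  = @($Account.'msDS-AllowedToDelegateTo')
    $findings = @()
    $notes    = @()

    if ($owners.Count -eq 0) {
        $findings += "SPN $TargetSpn is not registered, so no Kerberos ticket can be issued for SQL Server"
    } elseif ($owners.Count -gt 1) {
        $findings += "SPN $TargetSpn is registered on $($owners.Count) objects: $($owners.Name -join ', ')"
    }
    if ($Account.TrustedForDelegation) {
        $findings += 'Account is trusted for unconstrained delegation; restrict it to the SQL SPN'
    }
    if ($allowed -notcontains $TargetSpn) {
        $findings += "Account may not delegate to $TargetSpn (missing from msDS-AllowedToDelegateTo)"
    }
    if (-not $Account.TrustedToAuthForDelegation) {
        $notes += 'Protocol transition is off: clients must authenticate to IIS with Kerberos'
    }
    [pscustomobject]@{
        Account  = $Account.SamAccountName
        Ok       = ($findings.Count -eq 0)
        Findings = $findings
        Notes    = $notes
    }
}

# Constructed sample: the account is allowed to delegate, but to the wrong SQL host.
$spn  = 'MSSQLSvc/sql01.corp.example:1433'
$acct = [pscustomobject]@{
    SamAccountName             = 'svc-apppool'
    TrustedForDelegation       = $false
    TrustedToAuthForDelegation = $true
    'msDS-AllowedToDelegateTo' = @('MSSQLSvc/sql02.corp.example:1433')
}
$owners = @([pscustomobject]@{ Name = 'svc-sql' })

# Live data instead of the sample (requires the ActiveDirectory module):
# $acct   = Get-ADUser svc-apppool -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
# $owners = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)"

Test-SqlDelegation -Account $acct -TargetSpn $spn -SpnOwners $owners | Format-List
```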