2

I am planning a public Web Api in ASP.Net Core. Also there is a database connected and sign on is planned as well.

There is a connection from my application to the database open using `Integrated Security=True;`. Is it possible to connect to the database using a different user (from Active Directory)? Not the one under which the application is running, but any other user from Active Directory.

My understanding is:

  1. The application runs as a certain user. `Integrated Security=True;` will open a connection as that user -> Not possible.
  2. Impersonation of another user requires the app to have elevated rights and know the password from that user -> Not an option.
  3. Doing it without a password means the application's rights have to be elevated to the highest possible -> not an option.

So is there any way to connect to the database as a certain user from our AD? I have the feeling it's not possible.

Thank you!

msfriese
  • What problem are you trying to solve by doing this? – Gabriel Luci Mar 06 '20 at 15:21
  • I am not sure if I am understanding this correctly. How is the security for the web API? You can get their token and impersonate them. We have JWT authentication implemented and I use the JWT token to impersonate! – Bendram Mar 06 '20 at 15:22
  • The idea is that the security from the current active directory user can be used within the database implicitly by logging into the database as that active directory user. On the other hand (what's common these days, what we don't want): If the connection is open using (for example) the service account the application is running under, then we have to tell the database via (for example) a string which user we want to get data for and what his rights are. – msfriese Mar 06 '20 at 15:50
  • Thank you @Bendram but using a token won't do the trick. I think we'd need to impersonate by providing username and password of the user to `LogonUserA` in `advapi32.dll` and then use impersonation context to impersonate an active directory user for real. – msfriese Mar 06 '20 at 15:53
  • Basically, is there a proper way of impersonation in ASP.Net Core available? – msfriese Mar 10 '20 at 08:24
  • Did you find any workaround for this problem? I want to log in on another server in my network and do some work on that system. With .NET I was able to do this job, but .NET Core is a pain in you know where :| So anyway, thanks for your response... – Shahroozevsky Jan 10 '22 at 11:35

1 Answer

1

Is that MSDN Article what you are looking for?

ASP.NET Core doesn't implement impersonation. Apps run with the app's identity for all requests, using app pool or process identity. If the app should perform an action on behalf of a user, use `WindowsIdentity.RunImpersonated` in a terminal inline middleware in `Startup.Configure`. Run a single action in this context and then close the context.

Yuriy Vikulov
  • No, the example shows how to get the current user's identity. I already stuck with not impersonating because this would always require user credentials to be passed along like username and password. I would then call a Win32 Routine to get the user reference but at this point I've done too much already. Also my original goal was to impersonate while connecting to the database, nowhere else. But thank you, it's a good reference. – msfriese Jun 02 '20 at 13:02
  • And .NET Core for Windows Forms? – Kiquenet Mar 18 '21 at 15:20
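
The `WindowsIdentity.RunImpersonated` approach quoted in the answer, applied to the database connection from the question. This is an added example, not code from the post or from Microsoft's documentation. It assumes Windows authentication (IIS or the Negotiate handler) is already configured so the request carries a `WindowsIdentity`, that the `Microsoft.Data.SqlClient` package is used, and that the server and database names are placeholders.

```csharp
using System.Security.Principal;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Data.SqlClient;

public static class ImpersonatedDbExample
{
    // Placeholder connection string: server and database names are assumptions.
    private const string ConnectionString =
        "Server=SQLSERVER01;Database=AppDb;Integrated Security=True;";

    // Opens the connection and runs the query while the thread carries the
    // caller's Windows token, so SQL Server sees the caller, not the app identity.
    public static string QueryAsCaller(WindowsIdentity caller)
    {
        return WindowsIdentity.RunImpersonated(caller.AccessToken, () =>
        {
            // The connection must be opened inside the delegate: integrated
            // security authenticates with the identity active at Open().
            using var connection = new SqlConnection(ConnectionString);
            connection.Open();
            // SUSER_SNAME() returns the login SQL Server authenticated.
            using var command = new SqlCommand("SELECT SUSER_SNAME();", connection);
            return (string)command.ExecuteScalar();
        });
    }

    // Terminal inline middleware, as the quoted documentation describes.
    public static void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();
        app.Run(async context =>
        {
            // No password is involved: the token comes from the authenticated request.
            if (context.User.Identity is not WindowsIdentity caller || !caller.IsAuthenticated)
            {
                context.Response.StatusCode = StatusCodes.Status401Unauthorized;
                return;
            }

            string sqlLogin = QueryAsCaller(caller);
            string processUser = WindowsIdentity.GetCurrent().Name;
            await context.Response.WriteAsync(
                $"Process identity: {processUser}\nSQL Server login: {sqlLogin}\n");
        });
    }
}
```

If SQL Server runs on a different host than the web application, the caller's token has to make a second network hop, which requires Kerberos delegation to be configured for the application's service account. Database permissions are then granted to the AD users or groups themselves, and the application's own account needs no rights on the data.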