Identity Impersonate in ASP.NET

Doesn't Work At McDonalds

So, I've got an intranet site I'm developing where I'm being told to
integrate a few pages that require me to query a remote MSSQL server.
That server's owner says authentication on his server is Windows based
(no SQL ID/password combos will be assigned, it has to be domain login
credentials), but I can only get him to permission one account.

AFAICT, that requires me to use an <identity impersonate...> in the
web.config file for it to be able to run this particular set of
queries for all the users who might visit my intranet site. Problem
is that I have my own security items based on Windows login
credentials.

Based on what I've read and the result of my own testing, once I put
in that <identity impersonate...> statement, all users start using
that identity's login credentials and it overrides their own. So,
making it possible for my site to pass through his security breaks my
security.

Is there any way to set an identity impersonation for just a single
page or directory and not have it mess up user identities elsewhere
within the site?
 
Do you need to use impersonation for this? Can you create a connection to
the SQL server with the appropriate credentials uid=domain\account and
pwd=pwd and maintain your existing impersonation on your "local" network?
Admittedly, I haven't tried that cross-domain and could be overlooking
something obvious. Do you need to access remote network resources as well,
or simply a SQL connection?
 
You can use code to impersonate the SQL Server account around all db
calls. Not as clean, but it'll work. You could also centralize it
pretty easily by creating utility classes to create/destroy
connections and include impersonation, or you can create your own
connection class which does the impersonation for you at the right
time.

We do this in our apps for a situation where we need to read from a
remote directory.

Look at the docs for WindowsIdentity.Impersonate. There's a very good
example there.

HTH,

Sam
 