impersonate with SQL Server on the same domain

Mark

We are attempting to use impersonation to connect from our ASP.NET website
to a SQL Server on the same domain. The code below works just fine in our
web.config file:

<identity impersonate="true" userName="mydomain\mylogin" password="whatever" />

However, if we attempt to impersonate the user that currently is logged in
to the client computer using ...

<identity impersonate="true" />

we get the error message:

Login failed for user '(null)'. Reason: Not associated with a trusted SQL
Server connection.

I'm an SA on the SQL Server box ... something else isn't quite clicking.
Any recommendations? In IIS we have Integrated Windows Authentication
checked, and nothing else.

Thanks in advance.

Mark
(e-mail address removed)
 
bruce barker

to pass the user's credentials to the sqlserver (on a different box),
delegation is required. ntlm does support delegation. only basic (which
gives iis a primary token which is allowed 1 hop) and digest (if delegation
is enabled) support passing user credentials from the iis box to a different
box.

-- bruce (sqlwork.com)
 
Mark

Bruce,

I executed the following code:

// Identity IIS authenticated for this request
System.Security.Principal.IIdentity ii = User.Identity;
// Identity of the token the current thread is running under
System.Security.Principal.WindowsIdentity wi = System.Security.Principal.WindowsIdentity.GetCurrent();

Response.Write("<br>IIdentity.AuthenticationType: " + ii.AuthenticationType);
// Displays: IIdentity.AuthenticationType: Negotiate

Response.Write("<br>WindowsIdentity.AuthenticationType: " + wi.AuthenticationType);
// Displays: WindowsIdentity.AuthenticationType: NTLM

??? What does this say?

Also, how does one enable delegation as opposed to impersonation?

Thanks for your help. We appreciate it.

Mark
(e-mail address removed)
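
A diagnostic that extends the check in the post above (an added example, not code from the thread): besides the authentication type, it reads the impersonation level of the thread's token, which is what separates impersonation from delegation. `DoubleHopCheck`, `Classify` and `Report` are hypothetical names, the Basic rule follows bruce's reply, and the verdict strings are a heuristic reading of the token, not a guarantee.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Added diagnostic helper (hypothetical names); not code from the thread.
public static class DoubleHopCheck
{
    // requestAuthType: User.Identity.AuthenticationType, i.e. what IIS used with the browser.
    // level: ImpersonationLevel of the token the thread is running under.
    public static string Classify(string requestAuthType, TokenImpersonationLevel level)
    {
        // Basic: IIS receives the password and logs the user on itself, so the
        // token can authenticate to one further machine (per bruce's reply).
        if (string.Equals(requestAuthType, "Basic", StringComparison.OrdinalIgnoreCase))
            return "Basic logon: token can make one hop to SQL Server";

        switch (level)
        {
            case TokenImpersonationLevel.Delegation:
                return "Delegation token: identity can be forwarded to SQL Server";
            case TokenImpersonationLevel.Impersonation:
                return "Impersonation only: valid on this server; a remote SQL Server sees an anonymous login";
            default:
                // None, Anonymous or Identification
                return "Level " + level + ": thread is not impersonating a caller usable for network access";
        }
    }

    // Call from a page: Response.Write(DoubleHopCheck.Report(Context));
    public static string Report(HttpContext context)
    {
        using (WindowsIdentity current = WindowsIdentity.GetCurrent())
        {
            // User is null when the request was not authenticated at all.
            string requestAuthType = context.User != null
                ? context.User.Identity.AuthenticationType : "(none)";
            string verdict = Classify(requestAuthType, current.ImpersonationLevel);
            // Encode before writing: the account name ends up in HTML.
            return HttpUtility.HtmlEncode(
                "Request auth: " + requestAuthType +
                " | Thread identity: " + current.Name +
                " | Token package: " + current.AuthenticationType +
                " | Level: " + current.ImpersonationLevel +
                " | " + verdict);
        }
    }
}
```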
 
Mark

Curt,

I'm not sure if this is good news, BUT it did work when I checked Basic. In
fact, it worked when I had Basic checked both with and without integrated
checked.

What does this mean? The thought of needing basic does not sound good on
the surface, but I'm no IIS guru.

Thanks!

Mark
 
Curt_C [MVP]

write out the user that the system thinks you are when you use Integrated.
It may be as simple as "user" vs "domain\user"

--
Curt Christianson
Owner/Lead Developer, DF-Software
www.Darkfalz.com
 
Mark

Curt,

I tried:
System.Security.Principal.WindowsIdentity.GetCurrent().Name
which should display the impersonated user. With or without the Basic
checked, it displayed the domain/user.

What does this imply? Thanks again.

Mark
(e-mail address removed)
 
