1

I'm trying to hit my intranet website and get it to run a simple SQL query as the Windows user I'm logged in as.

When I debug through Visual Studio, everything works great. When I hit the webserver though, I get an error from SqlConnection saying, "ERROR:Login failed for user 'YOUR_DOMAIN\YOUR_WEBSERVER_NAME'."

Request.ServerVariables[AUTH_USER]: YOUR_DOMAIN\UserBob 
System.Security.Principal.WindowsIdentity.GetCurrent().Name: NT AUTHORITY\NETWORK SERVICE
Page.User.Identity.Name: YOUR_DOMAIN\UserBob
System.Threading.Thread.CurrentPrincipal.Identity.Name: YOUR_DOMAIN\UserBob

So how do I get the SQL query to execute under UserBob?

Here's my setup:

  <system.web>
    <compilation debug="true" targetFramework="4.0"/>
    <authentication mode="Windows"/>
    <identity impersonate="true"/>
    <customErrors mode="Off"/>
  </system.web>

Webserver is a Win 2008 server with IIS7, Windows Authentication on, Anon Auth off.

Code is simply:

// Requires: using System.Configuration; using System.Data; using System.Data.SqlClient;

// Show which identity each API reports for the current request.
Response.Write("Request.ServerVariables[AUTH_USER]: " + Request.ServerVariables["AUTH_USER"].ToString());
Response.Write("<br>System.Security.Principal.WindowsIdentity.GetCurrent().Name: " + System.Security.Principal.WindowsIdentity.GetCurrent().Name);
Response.Write("<br>Page.User.Identity.Name: " + Page.User.Identity.Name);
Response.Write("<br>System.Threading.Thread.CurrentPrincipal.Identity.Name: " + System.Threading.Thread.CurrentPrincipal.Identity.Name);

// Open the connection and run the stored procedure; the using blocks
// dispose the connection, command and reader even if an exception is thrown.
using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["CarbonDB"].ConnectionString))
using (SqlCommand sqlcom = new SqlCommand("dbo.runsomething", conn))
{
    sqlcom.CommandType = CommandType.StoredProcedure;
    conn.Open();

    using (SqlDataReader sqlDataReader = sqlcom.ExecuteReader())
    {
        // The result set is not read here.
    }
}

2 Answers

1

Is the SQL Server on a different machine than the web server?

If so, the issue you are running into is related to Kerberos Delegation. Basically, your web server doesn't have the permission/ability to impersonate the end user to another server.

Try this link for more information on delegation.

Be aware that this isn't trivial, and requires assistance from a network admin, as it involves making changes to your Active Directory environment.

If possible, use a service account (such as Network Service) to access the SQL Server.

Erick


2 Comments

SQL Server is on a different machine. Thing is, if I set the authentication to ASP.NET impersonation and hardcode my own creds, it'll work when I hit the webserver from my desktop. Does that still count?
If you hardcode your own creds, then you aren't doing multiple hops (i.e., delegation) any more, you are directly connecting from one machine to another (IIS to SQL). The problem is that if you use integrated security, the creds actually flow from the browser, not the server.
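
A diagnostic for the double hop discussed in the answer and comments above, as an added example that is not part of the original posts. The class and method names (`DoubleHopCheck`, `Run`) are hypothetical, and the connection string is assumed to use integrated security; it reports the caller's token level and the login SQL Server actually receives.

```csharp
using System.Data.SqlClient;
using System.Security.Principal;
using System.Text;

// Added diagnostic sketch; DoubleHopCheck and Run are hypothetical names, not from the post.
public static class DoubleHopCheck
{
    // caller: the authenticated user, e.g. (WindowsIdentity)Page.User.Identity.
    // connectionString: assumed to use Integrated Security=SSPI, so no stored credentials.
    public static string Run(WindowsIdentity caller, string connectionString)
    {
        var report = new StringBuilder();
        report.AppendLine("Process identity: " + WindowsIdentity.GetCurrent().Name);
        report.AppendLine("Caller: " + caller.Name + " via " + caller.AuthenticationType);
        report.AppendLine("Token level: " + caller.ImpersonationLevel);

        // With integrated Windows authentication, an Impersonation-level token is
        // usable on the web server only. A Delegation-level token is what lets the
        // caller's identity travel on to a second machine such as the SQL Server.
        bool delegable = caller.ImpersonationLevel == TokenImpersonationLevel.Delegation;
        report.AppendLine("Caller token can be delegated: " + delegable);

        // Impersonate explicitly so the connection is opened on a thread that is
        // known to carry the caller's token, whatever the pipeline configured.
        using (caller.Impersonate())
        {
            report.AppendLine("Thread identity: " + WindowsIdentity.GetCurrent().Name);
            try
            {
                using (var conn = new SqlConnection(connectionString))
                using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
                {
                    conn.Open();
                    // Any login other than the caller means the identity did not make the hop.
                    report.AppendLine("SQL Server sees: " + cmd.ExecuteScalar());
                }
            }
            catch (SqlException ex)
            {
                // Error 18456 is "Login failed for user ..."; the message names the account
                // that arrived. NETWORK SERVICE shows up remotely as the computer account.
                report.AppendLine("SQL error " + ex.Number + ": " + ex.Message);
            }
        }
        return report.ToString();
    }
}
```

From a page, write out `Server.HtmlEncode(DoubleHopCheck.Run((WindowsIdentity)User.Identity, connectionString))` and compare the "Caller" and "SQL Server sees" lines.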
0

Is the site using Integrated or Classic pipeline mode? In IIS7, check the Basic Settings of the website, click Connect As... and make sure that Application user (pass-through authentication) is checked.

1 Comment

App Pool is Integrated pipeline. Yup, pass-through auth was checked.
