Integrated Security with Impersonate=true / Connection String issue / ASP.NET

Question

We have a website deployed with Impersonate=true.

A connection string is defined as this:

Integrated Security=SSPI;Persist Security Info=false;Initial Catalog=MyDatabase;Data Source=MyServer;

I assume Persist Security Info is redundant as that only applies to SQL authentication? We need to use integrated security as can't have passwords in the config file due to corporate security policies.

The website runs under a service account. The service account has permissions to access the database, but other accounts do not have access (security policy).

The problem we're facing is the user account is being passed to the database and being rejected, due to Impersonate=true.

We're required to have Impersonate=true for a Single Sign-On component to work.

Is this a catch 22 or is there a solution?

I hope I've written this clearly enough!

Answer 1

As per http://msdn.microsoft.com/en-us/library/134ec8tc(v=vs.80).aspx "Impersonation is independent of the authentication mode configured using the authentication configuration element. The authentication element is used to determine the User property of the current HttpContext. Impersonation is used to determine the WindowsIdentity of the ASP.NET application'" Accordingly, you do not need to enable impersonation to be able to authenticate users. Note however that your application will have to handle authorization. A ready framework to implement authorization is NetSQLAzman, see http://netsqlazman.codeplex.com/