Myles J

Reputation: 2880

Impersonation failing for database connection

I have a SL4 app that uses WCF to communicate with a backend SQL Server 2008 database. One of the WCF services needs to connect to the database with a dedicated system account due to the database permissions required by the stored procedure that is called. I have attempted to implement a solution using impersonation within the service code e.g.

int result = LogonUser(userName, domain, password,
    LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out _token);

if (result > 0)
{
    ImpersonateLoggedOnUser(_token);
    //Code here to call NHibernate data access code
}

My connection string for this service is:

<add name="MyConnection" connectionString="Data Source=servername\instance;Initial Catalog=MyDatabase;Integrated Security=SSPI" providerName="System.Data.SqlClient"/>

However, the data access routine is still failing with the following message:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

The impersonation is being ignored in the database connection. Any ideas?

Upvotes: 2

Views: 3456

Answers (2)

Chris Dickson

Reputation: 12135

Change LOGON32_LOGON_NETWORK to LOGON32_LOGON_NETWORK_CLEARTEXT in your call to LogonUser.

This caches the logon credentials in the local security provider, which should enable a successful SSPI handshake with SQL Server.

Upvotes: 2
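
The logon-type change suggested in this answer, written out as an added example (not code from the question or from either answer). It also reverts the impersonation and closes the token, which the question's snippet leaves out. The class name `ImpersonatedCall`, the method `Run` and the `dataAccess` delegate are hypothetical; the P/Invoke signatures and constant values are the standard Win32 ones.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example: hypothetical helper, not the poster's code.
public static class ImpersonatedCall
{
    private const int LOGON32_PROVIDER_DEFAULT = 0;
    // LOGON32_LOGON_NETWORK (3) does not cache credentials, so the hop to
    // SQL Server is made as NT AUTHORITY\ANONYMOUS LOGON.
    // LOGON32_LOGON_NETWORK_CLEARTEXT (8) keeps the name and password in the
    // logon session so the token can authenticate to another server.
    private const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    public static void Run(string user, string domain, string password, Action dataAccess)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password,
                LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Fail closed: never run the data access under the caller's own identity.
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        try
        {
            // Disposing the impersonation context reverts the thread identity,
            // even if dataAccess throws.
            using (WindowsIdentity.Impersonate(token))
            {
                dataAccess(); // open the SQL connection inside this call
            }
        }
        finally
        {
            CloseHandle(token); // the token handle is not released by Impersonate
        }
    }
}
```

The connection has to be opened inside the delegate, while the thread is still impersonating; a connection opened before or after the `using` block authenticates as the service's own identity.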

Myles J

Reputation: 2880

I've actually managed to get this to work by getting rid of the impersonation API code and adding the following to my web.config:

  <location path="Services/MyServiceThatNeedsHigherPermissions.svc">
    <system.web>
      <identity impersonate="true" userName="domain\MyAccountWithElevatedPermissions" password="******"/>
    </system.web>
  </location>

The service runs under the context of my dedicated system account and connects to SQL using the same context.

Upvotes: 0