Connect to SQL Server with EF using windows credentials of final user

Question

I have an application developed in ASP.NET MVC using Entity Framework / Sql Server 2008 Actually, connections to the database are made with the "sa" account.

Is it possible to use, instead of "sa" the windows final user credentials ? This would be helpful to control more efficiently the security limitations of each user. I use, in my application windows authentication.

Thank's !

Answer 1

It is possible but whole your system must run inside windows domain, users must have domain accounts and your system infrastructure must be enabled for Kerberos delegation (belongs to ServerFault). The reason is that you have two hoops in the system - first user authenticates from his client machine to your web server and then web server delegates user credentials to database server. If client computer, web server and database server are different machine Kerberos delegation must be enabled (if db and web runs on the same server you should be fine without Kerberos). Your web application will have to use impersonation and your connection string will have to use windows integrated security.

Also using end user credentials will reduce performance of your system because EF will have to maintain separate connection pool per user. Administrator of SQL server will have to give access for every single user (or user group) using your application.