Double Hop Impersonation, Protocol Transitioning and Constrained Delegation in ASP.NET 4

I want to use IIS impersonation to connect to a SQL server database as the user who is currently accessing a website. This is for auditing and security reasons.

I’ve done some reading and discovered that because the SQL Server is on a separate physical server I need to enable Protocol Transitioning and Constrained delegation for the server that’s running IIS. This is the article that I found … http://msdn.microsoft.com/en-us/library/ff649317.aspx

I didn’t realise at the time I first read it but this article has the following header…

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

What I want to know is: does the information in the article still apply? If I want to impersonate the user all the way to the SQL Server, do I still need Constrained Delegation, or has this been implemented in some other way for ASP.NET 4?

Answers:


Method 1

Constrained Delegation is the only way to flow impersonated credentials information to a second host. ASP.NET has nothing to do with it; it is just an ordinary app that uses the Kerberos framework. Nothing changed. Once the ASP.NET application impersonates the context authenticated by IIS (see Configure ASP.NET Impersonation Authentication), the same rules for delegation apply:

  • The app pool account must be configured to be trusted for constrained delegation
  • The SQL Server must have the SPN properly registered


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
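One way to verify the two delegation requirements listed in the answer, as an added example that is not part of the original question or answer. It assumes the RSAT ActiveDirectory module is installed; the account name `svc-webapp` and the SQL Server SPNs are hypothetical placeholders to replace with your own.

```powershell
# Added example; account name and SPNs are hypothetical placeholders.
Import-Module ActiveDirectory

$AppPoolAccount = 'svc-webapp'   # sAMAccountName of the IIS app pool identity (assumed)
$SqlSpns = @('MSSQLSvc/sql01.example.com:1433', 'MSSQLSvc/sql01.example.com')  # assumed

# userAccountControl flag values
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition enabled

$acct = Get-ADObject -LDAPFilter "(sAMAccountName=$AppPoolAccount)" `
    -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
if (-not $acct) { throw "Account '$AppPoolAccount' not found in the directory." }

$allowed = @($acct.'msDS-AllowedToDelegateTo')

# Requirement 2 from the answer: each SQL Server SPN is registered, on exactly one account.
# Requirement 1: the app pool account is allowed to delegate to that SPN.
$report = foreach ($spn in $SqlSpns) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    [pscustomobject]@{
        Spn               = $spn
        RegisteredOn      = ($owners.Name -join ', ')
        SpnOk             = ($owners.Count -eq 1)      # 0 = missing, >1 = duplicate SPN
        DelegationAllowed = ($allowed -contains $spn)  # -contains is case-insensitive
    }
}
$report | Format-Table -AutoSize

$uac = [int]$acct.userAccountControl
[pscustomobject]@{
    Account            = $AppPoolAccount
    # Should be False: unconstrained delegation lets the account forward
    # user tickets to any service, not only the SQL Server.
    Unconstrained      = [bool]($uac -band $TRUSTED_FOR_DELEGATION)
    # True only if "Use any authentication protocol" is selected; needed when
    # users do not authenticate to IIS with Kerberos.
    ProtocolTransition = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
    AllowedToDelegate  = ($allowed -join '; ')
} | Format-List

if ($report | Where-Object { -not ($_.SpnOk -and $_.DelegationAllowed) }) {
    Write-Warning 'Constrained delegation to SQL Server is not fully configured.'
}
```

An `AllowedToDelegate` list that contains services other than the SQL Server SPNs is worth reviewing, since each entry is a service the app pool account can reach as the impersonated user.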
