microsoft.public.dotnet.framework.aspnet.webservices

Impersonation, Database connection

Vijay Verma

12/27/2002 7:12:00 PM

Hi all,

I am developing a webservice that needs to connect to a SQL Server 7 database
via named pipes. I realize that the default ASPNET user does not have
sufficient privileges to achieve this and that I need to use impersonation.

The error that I receive upon accessing the service that uses impersonation
is:

System.InvalidOperationException: An anonymous identity cannot perform an impersonation.
   at System.Security.Principal.WindowsIdentity.Impersonate(IntPtr userToken, WindowsAccountType acctType)
   at System.Security.Principal.WindowsIdentity.Impersonate()

I cannot specify the username and password for the user that I want the
application to impersonate because of our security considerations.

Could someone point out what more I need to do in this regard? In
general, are there any documents on the web that talk about standard
practices for ASP.NET or webservices hosting?

Thanks in advance,
Vijay


=========================================
Current configuration

1. web.config file
<configuration>
  <system.web>
    <identity impersonate="true" />
  </system.web>
</configuration>

2. The webservice directory is configured for anonymous access

3. Invoke impersonation code before opening the connection:

private void OpenConnection() {
    // Impersonate the identity of the current request (User.Identity)
    // before opening the connection.
    System.Security.Principal.WindowsImpersonationContext impersonationContext;
    impersonationContext =
        ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();

    try {
        connection = new SqlConnection(sConnectionString);
        connection.Open();
    } catch (Exception ex) {
        LogErrorMessage("Exception", "OpenConnection", "", ex.Message);
        connection = null;
    }
    // Revert to the original identity.
    impersonationContext.Undo();
}



4 Answers

Vijay Verma

12/28/2002 12:28:00 AM

0

Adding to my previous note:

The good news first:
I got the impersonation to work by changing the web.config file to:
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <identity impersonate="true"/>
  </system.web>
</configuration>

and removing all extraneous code from the actual webservice. After doing
this, I can open a database connection via named pipes.

Now the bad news: I can't seem to write to disk via this webservice!! The
directory that I need to write to grants write permissions to IUSER and
ASPNET.

Does anyone have any bright idea as to what's going on?

Thanks in advance,
Vijay



Vijay Verma

12/28/2002 12:36:00 AM

0

Another update for whatever it's worth:

If I open a webbrowser to access this webservice (on a remote server),
everything works fine. However, if the same webservice gets invoked from a
C# application running from the same computer, the webservice cannot write
to the disk.


Really Useful Stuff

12/29/2002 2:57:00 AM

0

What you need is single user impersonation - add the following to your
web.config in your webservices folder.
<system.web>
  <identity impersonate="true" userName="DOMAIN\USER" password="PASSWORD" />
</system.web>

This will allow the web service to impersonate a service account and you can
then use a trusted connection.

I'm not sure about the security issues with putting a valid NT username and
password in the web.config in the webservices folder. I'd love to hear from
some other folks more knowledgeable about why this is OK (or not).



"Vijay Verma" <vjverma@nospam.hotmail.com> wrote in message
news:eYrfq2frCHA.1964@TK2MSFTNGP09...
> Another update for whatever it's worth:
>
> If I open a webbrowser to access this webservice (on a remote server),
> everything works fine. However, if the same webservice gets invoked from a
> C# application running from the same computer, the webservice cannot write
> to the disk.
>
>
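
Added example, not part of any post in this thread: a Python check that audits the <identity> element of a web.config for the fixed-account pattern suggested above and flags a userName or password stored in clear text. The sample configs are constructed from the three variants posted in the thread; the function name and finding labels are hypothetical, and values starting with "registry:" are treated as references to credentials kept outside the file.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the three web.config variants posted in this thread.
SAMPLES = {
    "impersonate_only": '<configuration><system.web>'
        '<identity impersonate="true" /></system.web></configuration>',
    "windows_auth": '<configuration><system.web>'
        '<authentication mode="Windows" /><identity impersonate="true"/>'
        '</system.web></configuration>',
    "fixed_account": '<configuration><system.web><identity impersonate="true" '
        'userName="DOMAIN\\USER" password="PASSWORD" /></system.web></configuration>',
}

def audit_identity(config_xml):
    """Return sorted finding labels (hypothetical names) for one web.config."""
    findings = set()
    root = ET.fromstring(config_xml)
    # <system.web> can also sit under <location>, so walk the whole tree.
    for system_web in root.iter("system.web"):
        identity = system_web.find("identity")
        if identity is None:
            continue
        if identity.get("impersonate", "false").strip().lower() != "true":
            continue
        user = identity.get("userName", "").strip()
        password = identity.get("password", "").strip()
        if not user and not password:
            # No fixed account: each request runs as the identity IIS hands over,
            # which is the anonymous account when anonymous access is enabled.
            findings.add("impersonates-request-identity")
            continue
        findings.add("impersonates-fixed-account")
        for name, value in (("userName", user), ("password", password)):
            # "registry:" values point at credentials stored outside the file.
            if value and not value.lower().startswith("registry:"):
                findings.add("plaintext-" + name)
    return sorted(findings)

if __name__ == "__main__":
    for label, xml_text in SAMPLES.items():
        print(label, audit_identity(xml_text))
```

A "plaintext-password" finding means anyone who can read the file, a backup of it, or the source repository it lives in can read the service account's password.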


Vijay Verma

12/30/2002 6:57:00 PM

0

Another update:

I finally got the application running, though after all the head banging I
am not quite sure if that's how it should be, or if I reached a fluke
configuration. Please feel free to share any thoughts regarding this:

1. Anonymous access allowed via IIS.
2. web.config is same as the previous post.
3. api.Credentials = System.Net.CredentialCache.DefaultCredentials before
each and every webservice call.
4. No change in machine.config.

-Vijay



"Vijay Verma" <vjverma@nospam.hotmail.com> wrote in message
news:eYrfq2frCHA.1964@TK2MSFTNGP09...
> Another update for whatever it's worth:
>
> If I open a webbrowser to access this webservice (on a remote server),
> everything works fine. However, if the same webservice gets invoked from a
> C# application running from the same computer, the webservice cannot write
> to the disk.
>
>