
I have an ASP.NET application which uses Impersonation. My ConnectionStrings are dynamically generated using EntityConnectionStringBuilder.

It works fine when I am using SQL Server Authentication, but when I use Windows Authentication by replacing User Id and Password with Trusted_Connection=Yes; I am getting an error saying "System.Data.SqlClient.SqlException (0x80131904): Cannot open database "DB_Name" requested by the login. The login failed. Login failed for user 'DomainName\MachineName$'".

It looks like Entity Framework is using an inbuilt User Account (MachineName$) instead of the Impersonated user 'DomainName\User1'.

How to configure EF to use the Impersonated User Account for Windows Authentication?

Libin TK

1 Answer


You aren't using impersonation. If you were, then this would be working (assuming your database were otherwise correctly configured to allow access from the impersonated user).

EF is not using a "built-in" account. It's using whatever account the worker process is running under, which in most cases will be either an Application Pool identity or Network Service, both of which use the machine's Active Directory account for credentials.

In other words, EF uses whatever the connection string tells it to use, and if you're telling it to use a trusted connection, then it uses whatever the process/thread is running under.

In point of fact, impersonation is not supported in IIS7 or greater when running in Integrated pipeline mode. The reason for this is that IIS7 is more strongly tied to .NET and supports asynchronous handlers. Async handlers have issues with impersonation because the thread that started the handler may not be the same thread that resumes the handler when the async request resumes after giving up its thread to do the async work.

In general, unless you have a very specific use case, you probably should not design your architecture to require impersonation, as this has a lot of repercussions.

If you need to utilize a resource with a specific user, then you can use a WindowsIdentity principal and Impersonate that way, but this has to be done in the confines of a small block (the network call itself).

I'm not sure how you are trying to do impersonation, but it's obviously not working. In most cases, you should be getting an error if you try to impersonate on IIS7+, so the question really is... What makes you think you're using impersonation?

Erik Funkenbusch
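The narrow impersonation block the answer describes, as an added example (not code from the question or the answer): the EF connection string is built with Windows Authentication the way the question does, and the database call alone runs under the caller's WindowsIdentity. It assumes an EF6 DbContext, a placeholder model name and entity set, and that the caller's identity was obtained from the request (for example `(WindowsIdentity)HttpContext.Current.User.Identity` under Windows Authentication).

```csharp
using System;
using System.Data.Entity;                    // EF6 (EntityFramework package)
using System.Data.Entity.Core.EntityClient;
using System.Data.SqlClient;
using System.Linq;
using System.Security.Principal;

// Hypothetical EF6 context; a real app uses its generated context instead.
public class MyEntities : DbContext
{
    public MyEntities(string connectionString) : base(connectionString) { }
    public DbSet<Order> Orders { get; set; }   // placeholder entity set
}
public class Order { public int Id { get; set; } }

public static class ImpersonatedEfAccess
{
    // Same shape as the question's dynamic connection string, but with
    // Integrated Security (Trusted_Connection=Yes) instead of User Id/Password.
    public static string BuildConnectionString(string server)
    {
        var sql = new SqlConnectionStringBuilder
        {
            DataSource = server,             // placeholder server name
            InitialCatalog = "DB_Name",      // database name from the question
            IntegratedSecurity = true
        };
        var ecsb = new EntityConnectionStringBuilder
        {
            Provider = "System.Data.SqlClient",
            ProviderConnectionString = sql.ConnectionString,
            Metadata = "res://*/Model.csdl|res://*/Model.ssdl|res://*/Model.msl" // placeholder model
        };
        return ecsb.ConnectionString;
    }

    // Impersonates 'caller' only for the duration of the database call. The call is kept
    // synchronous on purpose: an awaited continuation may resume on another thread that
    // no longer carries the impersonated token, which is the problem the answer describes.
    public static int CountOrdersAs(WindowsIdentity caller, string server)
    {
        return WindowsIdentity.RunImpersonated(caller.AccessToken, () =>
        {
            // Sanity check: the effective identity must be the caller, not the
            // machine account ('DomainName\MachineName$') seen in the question's error.
            string effective = WindowsIdentity.GetCurrent().Name;
            if (effective.EndsWith("$"))
                throw new InvalidOperationException("Not impersonating; running as " + effective);

            using (var db = new MyEntities(BuildConnectionString(server)))
                return db.Orders.Count();
        });
    }
}
```

For a single fixed account (the situation in the comments below), the answer's preferred fix is to run the application pool as that account and skip impersonation entirely; this block is for the case where each caller's own Windows identity must reach SQL Server.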
  • Your answer makes a lot of sense to me. I am running this application on `IIS 8.5` running on a `Windows Server 2012 R2`. I have ` ` in my `web.config` and `System.Security.Principal.WindowsIdentity.GetCurrent().Name` returns the current User Name. It shows the `ApplicationPoolIdentity` if I remove the setting. `ApplicationPool` is in `Integrated Mode` and Identity is set as `ApplicationPoolIdentity`. – Libin TK Dec 21 '14 at 09:07
  • @LibinTK - That doesn't make much sense, you should be seeing an error such as this: http://stackoverflow.com/questions/12966286/impersonate-domain-user-with-integrated-pipeline That tells me you have something misconfigured somewhere. Are you sure it's in integrated pipeline mode? Unless you've bypassed this with ``, in which case you won't get the error, but impersonation just won't work properly. – Erik Funkenbusch Dec 21 '14 at 10:03
  • @LibinTK - However, since you are setting the username explicitly in the web.config (as opposed to simply using the user credentials of the logged in user), what you should be doing instead is running the app pool as that user. Change the app pool's identity to the username you want. You are also misunderstanding the difference between the logged in user and the application pool identity. EF works with the identity of the current thread, which is usually the App Pool identity regardless of the logged in user. – Erik Funkenbusch Dec 21 '14 at 10:09
  • @ErikFunkenbusch I am sure that the App pool is in Integrated pipeline mode and not in Classic mode. Also I don't have `` in my `web.config`. – Libin TK Dec 21 '14 at 10:32
  • @ErikFunkenbusch I have removed the Identity Settings from `web.config` and changed the `AppPoolIdentity`. It works fine. – Libin TK Dec 21 '14 at 10:37