10

  1. I am required to create separate windows service accounts for each environment (dev, acceptance, and production) that my desktop application uses to connect to one of our internal databases.

  2. A global group has been added to these accounts to provide access thereby requiring access by windows authentication using impersonation.

  3. The connection string data is encrypted and stored on a network, accessed by class library for security.

If I don't impersonate, and use the base constructor for the DbContext base class that accepts a connection string, it works because my personal account is assigned to the same global group. But when I encapsulate the instantiation of the DbContext object to impersonate, it fails with an internal exception stating catastrophic failure while the outer exception states

The provider did not return a ProviderManifest instance.

For example:

Console.WriteLine(Environment.UserName); //This shows me!  So no impersonation yet!
using (new Impersonator("AppUser", "mydomain", "notapassword"))
{
    Console.WriteLine(Environment.UserName); //This shows as AppUSER!  So it works!
    using (BillMarkContext dbContext = new BillMarkContext())
    {
        //Read each bill mark object
        foreach (BillMarkCode code in dbContext.BillMarkCodes.AsEnumerable<BillMarkCode>())
            Console.WriteLine(code.Code);
    }
}

public partial class BillMarkContext : DbContext
{
    private static string _connection = "Integrated Security=True;Persist Security Info=True;Initial Catalog=MyDB;Data Source=DBServer";

    public BillMarkContext()
        : base(_connection)
    {}

    public virtual DbSet<BillMarkCode> BillMarkCodes { get; set; }

    protected override void OnModelCreating(DbModelBuilder modelBuilder)
    {}
}

Then I tried to hard-code the connection information by creating my own DbConfiguration object, but that results in an error where it's evidently trying to do more than establish a readable connection. It's trying to create the database instead to which I do not have the rights.

Example:

[DbConfigurationType(typeof(MyDbConfiguration))]
public partial class BillMarkContext : DbContext
{
    public BillMarkContext()
    {}

    public virtual DbSet<BillMarkCode> BillMarkCodes { get; set; }

    protected override void OnModelCreating(DbModelBuilder modelBuilder)
    {}
}

public class MyDbConfiguration : DbConfiguration
{
    public MyDbConfiguration()
    {
        SetProviderServices("System.Data.SqlClient", SqlProviderServices.Instance);
        SetDefaultConnectionFactory(new SqlConnectionFactory("Integrated Security=True;Persist Security Info=True;Initial Catalog=MyDB;Data Source=DBServer"));
    }
}

This is Code-First and I can only find very simple statements and super-high level examples using DbConfiguration. And with regards to a runtime definition of connection/provider information, info always seems to be directed at a model-based approach or neglects the provider all the way around.

How do I programmatically configure EF Code-First approach to accessing a database while impersonating an application's windows service account and not get these errors?

bjhuffine
  • 924
  • 1
  • 11
  • 23
  • Your content is too long to read. Please consider shortening it and put a relevant info only. – Nikhil Vartak Feb 09 '18 at 21:39
  • 2
    @niksofteng Fine, but usually I have folks telling me I didn't put enough. – bjhuffine Feb 09 '18 at 21:39
  • Do you have a question? I don't see a question mark anywhere. It is always good to sum up the entire post with a question at the bottom. Also, it would help if you would add some text formatting (bold, italic, bullet points, etc) to make the first 4 paragraphs easier to visually parse. Check out some other questions here for ideas. – NightOwl888 Feb 10 '18 at 01:58
  • Uh-oh, impersonation. That thing that [doesn't work by default](https://blogs.msdn.microsoft.com/oldnewthing/20110928-00/?p=9533/). I doubt EF Core considers that, and even if it did, at the lowest level `SqlConnection` does not. Run your entire process under a new login instead. – Jeroen Mostert Feb 12 '18 at 13:56
  • @JeroenMostert That's a good article. This is the first time I've used impersonation and that was an eye-opener. – bjhuffine Feb 12 '18 at 14:29
  • @JeroenMostert Also, just ahead of your comment, I got to thinking that maybe the issue was in how it was impersonating even if it showed the right account. Looking for additional approaches I found an article that allows different levels of impersonation. It was meant to be used with regards to SharePoint activities, but works. It's using the same COM functions as most impersonating examples, but allows for domain-level activities supposedly to help support Active Directory modifications. The AD-level capabilities is what caught my eye. I'm going to break this thing apart more. – bjhuffine Feb 12 '18 at 14:31
  • When people first hear of impersonation, they think it's a great feature that's going to help solve their problem. Unfortunately, it was only ever really intended to implement the very specific scenario of certain Windows services which must run with the highest privileges to do very specific things as less-privileged users instead, without writing a ton of validation code. If you're not one of those services, impersonation is almost never the answer. What *does* work consistently is running a process under a specific user token, even though this has more overhead. – Jeroen Mostert Feb 12 '18 at 14:36
  • @JeroenMostert I'll start digging for that, but do you have any up front ideas as to how I would run this process under a specific user token? In code that is? – bjhuffine Feb 12 '18 at 14:38
  • From the command line, `runas` will do it. Note that you can use `runas /netonly` to present a different identity *only* for the purposes of making network connections, which has the benefit of working cross-domain. From code, [here's a starting point](https://stackoverflow.com/q/4624113/4137916). Last but not least, for completely distinct servers you can use the Credential Manager on Windows to securely store different accounts for accessing SQL Server (by using `server:1433` for the network address). This *may* also work with DNS aliases so you can connect to the same server, but not sure. – Jeroen Mostert Feb 12 '18 at 14:48
  • @JeroenMostert Unfortunately, I'm exposing a service object through a separate class library and starting the application using System.Diagnostics.Process is not an option. I need to be able to run as that user for a specific set of operations within the class library's service methods and keep it transparent to the other layers. Can that be accomplished? – bjhuffine Feb 12 '18 at 15:42
  • @JeroenMostert Also, I'm being asked to use a WSA with global group assignment for access. There's not a set of SQL Server credentials that I am allowed to use. – bjhuffine Feb 12 '18 at 15:49
  • If *all* of those operations support Windows impersonation (or don't require an identity at all), or if *all* those operations are written to explicitly take an identity as a parameter and use their own logic for it, then yes. But as you've already discovered, this is most likely not the case in your scenario; impersonation failures can crop up in the weirdest spots. I'm not sufficiently familiar with the EF internals to say it's definitely (not) doable as it stands, nor how much work it would be to extend EF to handle impersonation correctly if it's not. (Or I'd have claimed that bounty. :-)) – Jeroen Mostert Feb 12 '18 at 15:51
  • Let clarify the question. You are using a constructor and want to pass a "real" connection string rather than connection string **name** from config? – Ivan Stoev Feb 12 '18 at 16:31
  • @IvanStoev yes, but considering that it has to occur under the permissions granted via a global group assignment to a special windows service account. It's that latter caviat that makes this an interesting problem. – bjhuffine Feb 12 '18 at 17:31

1 Answers1

0

So, I think I have finally got this worked out. It's been quite an adventure through and around many rabbit holes reading a ton of MSDN articles and many individual blogs. And in the process of working this out, I've also discovered issues in how our DB access roles were layed out. This part only goes to show that it's equally important to make sure and verify that your roles are setup correctly. Don't just take their word for it. We've got them fixed now, but probably have more controls to put in place and make sure they remain managed in the most appropriate manner. I wanted to provide my example to help someone else in the same situation as well as offer something for the veterans to comment on if they see some improvement opportunities. The sample below is still a bit naive in the since that I could probably do more around SecureString, but I figure that's not the core of the issue. So, here goes...

Consumer:

    [STAThread]
    static void Main(string[] args)
    {
        try
        {
            string domain = "myDomain";
            string userName = "myUserName";
            string password = "NotAPassword"

            //Using NEW_CREDENTIALS is the same as RunAs with the /netonly switch set.  Local computer login is based on the 
            //current user.  While the impersonated account will be used for remote access to resources on the network.  
            //Therefore authentication across the domain.
            //Per MSDN, NEW_CREDENTIALS should only work with the WINNT50 provider type.  However, I have verified this to work with Default.
            //I'm just not sure of the long-term implications since MS made a point to specify this.
            using (Impersonator.LogonUser(domain, userName, password, LogonType.NEW_CREDENTIALS, LogonProvider.LOGON32_PROVIDER_WINNT50))
            {
                //This will show the currently logged on user (machine), because NEW_CREDENTIALS doesn't alter this, only remote access
                Console.WriteLine("Current user...{0}", WindowsIdentity.GetCurrent().Name);  

                using (BillMarkContext dbContext = new BillMarkContext())
                {
                    //Read each bill mark object
                    foreach (BillMarkCode code in dbContext.BillMarkCodes.AsEnumerable<BillMarkCode>())
                    {
                        Console.WriteLine(code.Code);
                    }
                }
            }
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex);
        }

        Console.ReadLine();
    }

Context:

Obviously a real-world implementation will not store the connection string in a static field.

public partial class BillMarkContext : DbContext
{
    private static string _connection4 = "Integrated Security=True;Persist Security Info=True;Initial Catalog=MyDB;Data Source=MyServer";

    public BillMarkContext()
        : base(_connection4)
    {
        //Since we're read-only
        Database.SetInitializer<BillMarkContext>(null);
    }

    //View property setup since we're read-only
    protected virtual DbSet<BillMarkCode> _billMarkCodes { get; set; }

    public DbQuery<BillMarkCode> BillMarkCodes
    {
        get { return Set<BillMarkCode>().AsNoTracking(); }
    }

    protected override void OnModelCreating(DbModelBuilder modelBuilder)
    { }
}

Impersonator & supporting classes/enums:

[PermissionSet(SecurityAction.Demand, Name = "FullTrust")]
internal sealed class Impersonator : IDisposable
{
    #region Properties

    private SafeTokenHandle _handle;

    private WindowsImpersonationContext _context;

    private bool _isDisposed;

    public bool IsDisposed
    {
        get { return _isDisposed; }
        private set { _isDisposed = value; }
    }

    #endregion

    #region Constructors / Factory Methods

    private Impersonator(string domain, string userName, string password, LogonType logonType, LogonProvider provider)
    {
        bool gotTokenHandle = NativeLoginMethods.LogonUser(userName, domain, password, (int)logonType, (int)provider, out _handle);

        if (!gotTokenHandle || _handle.IsInvalid)
        {
            int errorCode = Marshal.GetLastWin32Error();
            throw new System.ComponentModel.Win32Exception(errorCode);
        }
    }

    public static Impersonator LogonUser(string domain, string userName, string password, LogonType logonType, LogonProvider provider)
    {
        Impersonator impersonator = new Impersonator(domain, userName, password, logonType, provider);

        impersonator._context = WindowsIdentity.Impersonate(impersonator._handle.DangerousGetHandle());

        return impersonator;
    }

    #endregion

    #region Dispose Pattern Methods

    private void Dispose(bool disposing)
    {
        //Allow the Dispose() to be called more than once
        if (this.IsDisposed)
            return;

        if (disposing)
        {
            // Cleanup managed wrappers
            if (_context != null)
                _context.Dispose();

            if (_handle != null && !_handle.IsClosed)
                _handle.Dispose();

            //Suppress future calls if successful
            this.IsDisposed = true;
        }
    }

    public void Dispose()
    {
        //Dispose the resource
        Dispose(true);
        GC.SuppressFinalize(this);
    }

    #endregion

internal class NativeLoginMethods
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    internal static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword, int dwLogonType, int dwLogonProvider, out SafeTokenHandle phToken);

    [DllImport("kernel32.dll")]
    [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)]
    [SuppressUnmanagedCodeSecurity]
    [return: MarshalAs(UnmanagedType.Bool)]
    internal static extern bool CloseHandle(IntPtr handle);
}

internal sealed class SafeTokenHandle : SafeHandleZeroOrMinusOneIsInvalid
{
    #region Constructors

    internal SafeTokenHandle()
        : base(true)
    { }

    #endregion

    #region Support Methods

    [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)]
    protected override bool ReleaseHandle()
    {
        return NativeLoginMethods.CloseHandle(base.handle);
    }

    #endregion
}

/// <summary>
/// Logon Type enum
/// </summary>
internal enum LogonType : int
{
    /// <summary>
    /// This logon type is intended for users who will be interactively using the computer, such as a user being logged on by a terminal server, remote shell, or similar process. This logon type has the additional expense of caching logon information for disconnected operations; therefore, it is inappropriate for some client/server applications, such as a mail server.
    /// </summary>
    INTERACTIVE = 2,
    /// <summary>
    /// This logon type is intended for high performance servers to authenticate plaintext passwords. The LogonUser function does not cache credentials for this logon type.
    /// </summary>
    NETWORK = 3,
    /// <summary>
    /// This logon type is intended for batch servers, where processes may be executing on behalf of a user without their direct intervention. This type is also for higher performance servers that process many plaintext authentication attempts at a time, such as mail or web servers.
    /// </summary>
    BATCH = 4,
    /// <summary>
    /// Indicates a service-type logon. The account provided must have the service privilege enabled.
    /// </summary>
    SERVICE = 5,
    /// <summary>
    /// GINAs are no longer supported.  Windows Server 2003 and Windows XP:  This logon type is for GINA DLLs that log on users who will be interactively using the computer. This logon type can generate a unique audit record that shows when the workstation was unlocked.
    /// </summary>
    UNLOCK = 7,
    /// <summary>
    /// This logon type preserves the name and password in the authentication package, which allows the server to make connections to other network servers while impersonating the client. A server can accept plaintext credentials from a client, call LogonUser, verify that the user can access the system across the network, and still communicate with other servers.
    /// </summary>
    NETWORK_CLEARTEXT = 8,
    /// <summary>
    /// This logon type allows the caller to clone its current token and specify new credentials for outbound connections. The new logon session has the same local identifier but uses different credentials for other network connections. This logon type is supported only by the LOGON32_PROVIDER_WINNT50 logon provider.
    /// </summary>
    NEW_CREDENTIALS = 9
}

internal enum LogonProvider : int
{
    /// <summary>
    /// Use the standard logon provider for the system. The default security provider is negotiate, unless you pass NULL for the domain name and the user name is not in UPN format. In this case, the default provider is NTLM.
    /// </summary>
    LOGON32_PROVIDER_DEFAULT = 0,
    /// <summary>
    /// Use the Windows NT 3.5 logon provider.
    /// </summary>
    LOGON32_PROVIDER_WINNT35 = 1,
    /// <summary>
    /// Use the NTLM logon provider.
    /// </summary>
    LOGON32_PROVIDER_WINNT40 = 2,
    /// <summary>
    /// Use the negotiate logon provider. 
    /// </summary>
    LOGON32_PROVIDER_WINNT50 = 3
}
bjhuffine
  • 924
  • 1
  • 11
  • 23