
We have multiple server machines with web servers and databases. On web server W, there is an ASP.NET Core app (the app runs in IIS under a gMSA service user). The database is on a different machine (server name D). The security configuration of the database requires that Windows client user accounts access it, so the web server needs to impersonate the caller before calling the database.

My impersonation code looks like this:

using System;
using System.Runtime.Versioning;
using System.Security.Principal;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

// Interface the adapter implements (not shown in the original post; minimal definition added so the class compiles).
public interface IImpersonation
{
    void RunImpersonatedOrNot(Action action);
}

public class ImpersonationAdapter : IImpersonation
{
    private readonly HttpContext _context;
    private readonly ILogger<ImpersonationAdapter> _logger;

    // Note: HttpContext is captured at construction time, so this adapter must be registered
    // as scoped (one per request); a singleton would keep the first request's context.
    public ImpersonationAdapter(ILogger<ImpersonationAdapter> logger, IHttpContextAccessor context)
    {
        if (context is null)
            throw new ArgumentNullException(nameof(context));

        _context = context.HttpContext;
        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
    }

    [SupportedOSPlatform("windows")]
    public void RunImpersonatedOrNot(Action action)
    {
        if (action is null)
            throw new ArgumentNullException(nameof(action));

        // Only Windows-authenticated callers carry a WindowsIdentity; anonymous callers run as the app pool identity.
        var winIdent = _context?.User?.Identity as WindowsIdentity;

        if (winIdent is null)
        {
            action();
        }
        else
        {
            // Runs the action on the caller's access token; network calls made inside only
            // carry the caller's credentials if that token is at Delegation level.
            WindowsIdentity.RunImpersonated(winIdent.AccessToken, () =>
            {
                using (_logger.BeginScope("Impersonated User: '{0}'", winIdent.Name))
                {
                    action();
                }
            });
        }
    }
}

The impersonation code is working fine. But the database access throws an error because an anonymous user accesses the database. If I move the database from server D to W, then the impersonation works fine.

After searching the internet I found that Windows networks support a feature called token delegation. We activated that feature on the target machine (server D), but it is still not working.

We configured server D following this manual.

Do you have any ideas where the problem could be? Is there a trick on the C# side or in the network configuration? Thanks!

  • You'd better explain the "we" in "we activated that feature". If your domain administrators were involved, did they capture Kerberos packets or trace log to confirm Kerberos was working properly? – Lex Li Jan 16 '23 at 15:51
  • It is difficult to reproduce your problem based on your description, I suggest you open a case via: https://support.microsoft.com. – samwu Jan 17 '23 at 02:49
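The symptom in the question (D sees an anonymous caller although impersonation on W succeeds) is the classic double-hop failure: the token W impersonates is only at Impersonation level, so it cannot be forwarded to a second machine. The following diagnostic is an added example, not code from the question or its comments; it inspects the same WindowsIdentity the adapter above receives and reports whether the token can reach D, so the problem is caught and logged on W instead of surfacing as a database error.

```csharp
// Added diagnostic for the double-hop problem described above (not part of the original post).
// Assumes it is called with the WindowsIdentity taken from HttpContext.User, as in the adapter.
using System;
using System.Runtime.Versioning;
using System.Security.Principal;

[SupportedOSPlatform("windows")]
public static class DelegationDiagnostics
{
    public sealed record TokenReport(
        string User,
        string AuthenticationType,
        TokenImpersonationLevel Level,
        bool CanReachSecondHop,
        string Explanation);

    public static TokenReport Inspect(WindowsIdentity identity)
    {
        if (identity is null) throw new ArgumentNullException(nameof(identity));

        var level = identity.ImpersonationLevel;
        var auth = identity.AuthenticationType ?? "(none)";

        // Only a Delegation-level token carries credentials that W can forward to D.
        // Kerberos without delegation configured, or NTLM, yields an Impersonation-level
        // token: local access works, but the second hop arrives at D as ANONYMOUS LOGON.
        bool canHop = level == TokenImpersonationLevel.Delegation;

        string why = (auth, level) switch
        {
            (_, TokenImpersonationLevel.Delegation) =>
                "Token is delegable; D should see the caller rather than an anonymous user.",
            ("NTLM", _) =>
                "NTLM was negotiated and NTLM never delegates. Check that an HTTP/<host> SPN is " +
                "registered on the gMSA so clients negotiate Kerberos against W.",
            ("Kerberos", _) =>
                "Kerberos was used but the token is not delegable. Configure constrained delegation " +
                "from the gMSA to the database service's SPN on D, and make sure the caller's account " +
                "is not marked 'sensitive and cannot be delegated'.",
            _ => "Unexpected authentication type; verify Windows authentication is enabled in IIS."
        };

        return new TokenReport(identity.Name, auth, level, canHop, why);
    }
}
```

Call `DelegationDiagnostics.Inspect(winIdent)` and log the report before `RunImpersonated`; a `CanReachSecondHop` of false on W explains the anonymous user seen on D without needing a packet capture.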
