Hello all -

I'm having a problem concerning Impersonation while connecting to SQL
Server. I'm not sure if I'm posting this to the right newsgroups, so let me
know if it belongs elsewhere, and please excuse the cross-post.

I'm writing a Windows Forms application that makes direct calls to a SQL 2k
database. This application requires a user to log in, and confirms their
login and password with whatever they have in Active Directory. I had planned
for the program to use the credentials of the user logged into the
application (NOT Windows) when connecting to the SQL Server, but it seems
I've encountered a slight pitfall.

I've been reading that in this scenario, using simple Identity
Impersonation, the SQL Server will attempt to connect as "NT
AUTHORITY\ANONYMOUS LOGON" because of a limit to the impersonation context.

I'm having trouble believing that this is true. I can impersonate users in
ASP.NET just fine, and connect to databases using those credentials, but am
unable to do the same through a desktop application? It doesn't make all that
much sense, but then again, I'm somewhat of an amateur in this regard.

So, that said, can anyone provide any examples or help to get this working?
I'm happy to provide code samples, I just wasn't sure if it'd be necessary.

Thanks!
Clint

RE: Impersonation and SQL Connections by Shorty

Shorty
Tue Sep 28 13:23:06 CDT 2004

Here is an excellent example of impersonation at MSDN:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemSecurityPrincipalWindowsIdentityClassImpersonateTopic.asp

Shorty


RE: Impersonation and SQL Connections by Clint

Clint
Tue Sep 28 13:35:06 CDT 2004

I knew I was missing something small and stupid. I wasn't using
LOGON32_LOGON_INTERACTIVE (2), I was using (3) ... whichever that value
stands for. Changed my API call to use 2, and everything works great.

Thanks!!


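The logon-type difference that resolved this thread, as an added example (not code from either poster or from the linked MSDN page). The class name SqlAsUser, the method WhoDoesSqlSee and the connection string in the comment are hypothetical; the logon type is a parameter so the working value (2) and the failing value (3) can be compared against the same server.

```csharp
using System;
using System.ComponentModel;
using System.Data.SqlClient;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class SqlAsUser
{
    // Values from winbase.h.
    public const int LOGON32_LOGON_INTERACTIVE = 2; // token can authenticate to remote servers
    public const int LOGON32_LOGON_NETWORK = 3;     // LogonUser does not cache credentials for this
                                                    // type, so a remote SQL Server cannot see the user
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Opens a trusted connection while impersonating and returns the login SQL Server sees.
    // connStr is an assumption, e.g. "Server=SQLHOST;Database=AppDb;Integrated Security=SSPI".
    public static string WhoDoesSqlSee(string user, string domain, string password,
                                       int logonType, string connStr)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, logonType, LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token);
            try
            {
                using (SqlConnection conn = new SqlConnection(connStr))
                using (SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
                {
                    conn.Open(); // authenticates with the impersonated thread token
                    return (string)cmd.ExecuteScalar();
                }
            }
            finally { ctx.Undo(); }     // always revert to the process identity
        }
        finally { CloseHandle(token); } // the logon token is a handle and must be released
    }
}
```

An interactive logon requires the account to hold the "log on locally" right on the client machine, and the password passes through the application in memory, so keep the impersonated scope as short as the block above does.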