ASP.Net not impersonating for WSE 2.0 AuthenticateToken method

From: Francois (Francois_at_discussions.microsoft.com)
Date: 11/12/04

  • Next message: Ray Costanzo [MVP]: "Re: Session State" 
    Date: Fri, 12 Nov 2004 13:09:02 -0800

    I have several web services that use WSE to authenticate calling users.
    I use a UsernameToken that validates the sent username and password
    against our SqlServer database. The SqlServer database is on a
    different machine than the website. For all of my database access I use
    Windows Integrated Security. As such, I've had to change the ASP.Net
    process model to system in the machine.config and set <identity
    impersonate="true" /> in the web.config for the web service project.
    For all regular db access throughout the web services the impersonation
    works and the code can connect to the database with the user we
    specified as the anonymous user for the website.

    However, when the password validation code for the AuthenticateToken
    method in my custom UsernameTokenManager object runs
    WindowsIdentity.GetCurrent().Name returns 'NT AUTHORITY\SYSTEM' and the
    database says "Login failed for user 'DOMAIN\MACHINENAME$'"

    This means that either the code in AuthenticateToken is ran using the
    builtin machine user, or because the class was constructed before
    aspnet_wp.exe switched users according to the <identity
    impersonate="true" /> tag in the web.config.

    As I see it, there are only a couple of options to fix this problem:
    1) Add the machine user to the database (is this even possible?)
    2) Change my db to mixed mode authentication (against MS's best
    practises) and store the connection string somewhere

    Are there any other options? What have other people done in this
    situation? What is my best solution? I find it hard to believe that
    I'm the only person using WSE to authenticate against SqlServer with
    integrated security, yet I've never seen any documentation on the
    subject nor discussion about it on the newsgroups.

    I'm using Windows 2000/IIS 5.0/SQL Server 2000/.NET Framework 1.1 SP2

    TIA,

    Colin Svingen

  • Next message: Ray Costanzo [MVP]: "Re: Session State"

    Relevant Pages

    • Re: Problem in authentication using asp.net for a webpage
      ... indicative of password and username not matching? ... SQL statement must be surrounded by single quotes. ... Did you think to try running your sql statement against the database outside ... >I am trying to implement a simple way to authenticate users before ...
      (microsoft.public.dotnet.framework.aspnet)
    • Re: Application to Application authentication models....
      ... >you should be comfortable if that application's back-end or database ID's ... The very fact that the security credentials have to ... I accept that this may be the case for web applications per machines. ... authenticate against a directory service, ...
      (SecProg)
    • Re: oracle - authenticate with username and password
      ... I think we aren't clear on what the OP means by the "oracle [sic] ... The usual way to authenticate is to have a username / ... system tables), that applies to the application, not the database. ...
      (comp.lang.java.programmer)
    • Re: Authentication
      ... how are you accessing the database? ... then you probably should be using a windows ... single sign on system) to authenticate your user. ... methods/properties with the PrincipalPermission attribute. ...
      (microsoft.public.dotnet.languages.csharp)
    • Re: postgresql configuration and set-up
      ... > But how do I log in to the database foo as user foouser? ... You have to tell createuser that you want to supply a ... Then the final column says how to authenticate. ...
      (Debian-User)