RE: Occasional SecurityException when impersonating a user on a ne
- From: Eiríkur Fannar Torfason <Eiríkur Fannar Torfason@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 18 May 2007 04:51:03 -0700
Well, you see, I work for an ISV and this problem relates to a product of
ours. Many years ago when we were working on the initial release we decided
that using windows authentication was the best way to go for a number of
reasons. One of the reasons is that its more secure. Another one is that SQL
server by default does not have SQL server authentication enabled and
enabling it might be seen as a security risk by some customers.
If we were to switch to using SQL server authentication then that would
require us to alter support materials (like the operations guide) and of
course modify our installer which currently takes care of creating a local
user account for the product and granting it access to the database.
"Peter Bromberg [C# MVP]" wrote:
Curious,.
Why don't you just use SQL server authentication? If the connection string
is valid, it won't matter what the identity is of the calling thread.
Peter
--
Site: http://www.eggheadcafe.com
UnBlog: http://petesbloggerama.blogspot.com
Short urls & more: http://ittyurl.net
"Eiríkur Fannar Torfason" wrote:
I'm wrestling with a problem that I'm hoping someone can help me with.
I have a web application written in VS.2003 and running on version 1.1
of the .NET Framework on XP pro and Windows server 2003 that connects
to a SQL server database and authenticates itself using windows
authentication. The web application is configured to impersonate a
local user account that has been granted access to the database.
Here's the impersonation snip from the web.config.
<identity impersonate="true" userName="<username>"
password="<password>" />
For certain long running tasks we create a new thread so that the task
can completed asynchronously. When the new thread is created it has
the user context of the local aspnet account. We therefore must let
the new thread impersonate the local user so that the thread will be
able to access the database. This works most of the time but sometimes
I get a SecurityException with the following message: 'Unable to
impersonate user'.
The most effective way for me to reproduce this error has been open
two browsers on two separate computers and point them to a page that
executes a long running task in a separate thread and refresh the
page, first on one computer and then immediately on the second
computer. I repeat this about 10-15 times and I'll usually end up with
a handful of securityexceptions (which I log in the event log).
I've found two knowledge base articles that seem to focus on this
issue. The first one is here: http://support.microsoft.com/kb/842790.
I've tried 2 out of 3 workarounds mentioned in that article and
neither helped. The third workaround, calling RevertToSelf, is not a
viable option for me since the main thread will then no longer be able
to access the database. The second article is here: http://support.microsoft.com/kb/319615
but it only applies to version 1.0 of the framework.
I've tried numerous things in a weak attemtp to fix this issue. One
thing I tried was calling the DuplicateToken method in advapi32.dll,
passing the token of the impersonated user on the main thread and
using the duplicated token for impersonation on the new thread. That
unfortunately didn't work but it might be of interest that the
DuplicateToken method failed (returned false) occasionally, probably
because of the same conditions that cause the impersonation to fail
with a securityexception.
Here's a simplified example of the code that is being executed:
public class LongRunningTask
{
private IntPtr userToken;
private WindowsImpersonationContext impersonationContext;
public void StartTask()
{
//
// This is executed on the main thread
//
IntPtr userToken = WindowsIdentity.GetCurrent().Token;
LongRunningTask task = new LongRunningTask(userToken);
Thread thread = new Thread(new ThreadStart(task.ExecuteTask));
thread.Name = "Task running thread";
thread.Priority = ThreadPriority.Lowest;
thread.IsBackground = false;
thread.Start();
}
public LongRunningTask()
{
}
public LongRunningTask(IntPtr userToken)
{
this.userToken = userToken;
}
public void ExecuteTask()
{
//
// This is executed on the new thread
//
ImpersonateCallingThread();
// ... do work
UndoImpersonation();
}
private void ImpersonateCallingThread()
{
this.impersonationContext =
WindowsIdentity.Impersonate(this.userToken);
}
private void UndoImpersonation()
{
if (impersonationContext != null)
{
impersonationContext.Undo();
}
}
}
- Follow-Ups:
- References:
- Occasional SecurityException when impersonating a user on a new thread
- From: Eiríkur Fannar Torfason
- RE: Occasional SecurityException when impersonating a user on a new th
- From: Peter Bromberg [C# MVP]
- Occasional SecurityException when impersonating a user on a new thread
- Prev by Date: RE: Occasional SecurityException when impersonating a user on a new th
- Next by Date: Re: Occasional SecurityException when impersonating a user on a ne
- Previous by thread: RE: Occasional SecurityException when impersonating a user on a new th
- Next by thread: Re: Occasional SecurityException when impersonating a user on a ne
- Index(es):
Relevant Pages
|
