Impersonation, Active Directory, and "user does not have authority for xxxx"

I have 2 ASP.NET MVC 3 applications. I use impersonation through web.config to allow me to query Active Directory to get detailed user information. The applications use Windows authentication and do not allow anonymous users. One of the applications is the main application in which the user performs his tasks. The other allows the user to configure another user to look like one of the applications.

The test user receives the following error:

SQL1092N  "<DOMAIN ID>" does not have the authority to perform the requested command.

This happens after sending a web request from my primary application to the secondary one. To get this working, I had to make the request impersonate the actual user, and not the identity that the application uses to impersonate. This is actually a question that I wrote and answered myself; it is here: How can I trigger an MVC action through WebRequest and validate the request through Active Directory?

At the end of this code, I call:

impersonationContext.Undo();

After this web request, the primary application tries to access the database, and now it seems that the aforementioned call has cancelled the application's impersonation, so everything the user tries to do that opens a database connection fails. At least that is my working theory after a day of beating my head.

: web.config? , -, , ?

, sql-. DB2. , . , , - .

, , / . ?

+5
1

... , IPrincipal , - , . , api, , Sql Server Entity Framework.

api:

    proxyRequestResultDetails = ProxyApiWrapper.GetProxies(
        adUserInfo.AssociateId,
        context.User);

.

public void OnAuthorization(AuthorizationContext filterContext)     

GetProxies :

    using System.IO;
    using System.Net;
    using System.Security.Principal;

    public static StreamReader GetWebRequestStream(
        string url,
        string contentType,
        bool useDefaultCredentials,
        IPrincipal user)
    {
        // Impersonate the calling user for the duration of the outbound request
        var impersonationContext = ((WindowsIdentity)user.Identity).Impersonate();
        var request = WebRequest.Create(url);

        try
        {
            request.ContentType = contentType;
            //request.ImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;
            //request.UseDefaultCredentials = useDefaultCredentials;
            //IWebProxy p = new WebProxy();
            //request.Proxy = p;
            request.AuthenticationLevel = System.Net.Security.AuthenticationLevel.MutualAuthRequested;
            request.Credentials = System.Net.CredentialCache.DefaultNetworkCredentials;
            var response = (HttpWebResponse)request.GetResponse();
            return new StreamReader(response.GetResponseStream());
        }
        finally
        {
            // Revert to the identity the thread had before Impersonate().
            // The finally block runs on both success and exception, so a
            // second Undo() in a catch block (followed by "throw e", which
            // also discards the stack trace) is not needed.
            impersonationContext.Undo();
        }
    }

, . :

    // Track the current principal before the proxy call
    IPrincipal user = context.User;
    proxyRequestResultDetails = ProxyApiWrapper.GetProxies(
        adUserInfo.AssociateId,
        context.User);

    // Undo any impersonation done in the GetProxies call
    context.User = user;

2 12 . . . . , .

+1
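The answer above scopes the impersonation with Impersonate()/Undo() and then restores context.User by hand. The following is an added example, not code from the question or answer, showing the same idea as a reusable helper that impersonates only for the duration of a delegate, checks the caller's token is usable for an outbound call, and verifies that the thread's identity actually reverted afterwards. The class, method and parameter names (ScopedImpersonation, Run, FetchAsCaller) are hypothetical.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Principal;
using System.Web;

// Added example, not the poster's code: impersonate only for the duration of
// 'body' and verify the thread's token reverted afterwards.
public static class ScopedImpersonation
{
    public static T Run<T>(IPrincipal user, Func<T> body)
    {
        var caller = user.Identity as WindowsIdentity;
        if (caller == null || caller.IsAnonymous)
            throw new InvalidOperationException("A Windows-authenticated caller is required.");
        // An Identification-level token cannot be used for outbound calls.
        if (caller.ImpersonationLevel < TokenImpersonationLevel.Impersonation)
            throw new InvalidOperationException("Token level " + caller.ImpersonationLevel + " is too low.");
        // Under web.config impersonation this is the configured application account.
        SecurityIdentifier before = WindowsIdentity.GetCurrent().User;
        T result;
        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            result = body();
        } // Dispose() calls Undo() exactly once; no extra Undo() in a catch block.
        SecurityIdentifier after = WindowsIdentity.GetCurrent().User;
        if (!after.Equals(before))
            throw new InvalidOperationException("Thread identity did not revert: " + after + " != " + before);
        return result;
    }

    // Hypothetical MVC-side use: keep HttpContext.User stable across the call so
    // the code that opens the database afterwards sees the same principal.
    public static string FetchAsCaller(HttpContextBase context, string url)
    {
        IPrincipal outer = context.User;
        try
        {
            return Run(outer, () =>
            {
                var request = (HttpWebRequest)WebRequest.Create(url);
                request.Credentials = CredentialCache.DefaultNetworkCredentials;
                using (var response = (HttpWebResponse)request.GetResponse())
                using (var reader = new StreamReader(response.GetResponseStream()))
                    return reader.ReadToEnd();
            });
        }
        finally { context.User = outer; }
    }
}
```

If the identity check after the using block ever throws, the process is running as the wrong account from that point on, which is exactly the condition that produces the SQL1092N error described in the question.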
