Impersonation failing for database connection

﹥>﹥吖頭↗ submitted on 2020-01-15 04:24:09

Question


I have a SL4 app that uses WCF to communicate with a backend SQL Server 2008 database. One of the WCF services needs to connect to the database with a dedicated system account due to the database permissions required by the stored procedure that is called. I have attempted to implement a solution using impersonation within the service code e.g.

int result = LogonUser(userName, domain, password,
    LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out _token);

if (result > 0)
{
    ImpersonateLoggedOnUser(_token);
    //Code here to call NHibernate data access code
}

My connection string for this service is:

<add name="MyConnection" connectionString="Data Source=servername\instance;Initial Catalog=MyDatabase;Integrated Security=SSPI" providerName="System.Data.SqlClient"/>

However, the data access routine is still failing with the following message:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

The impersonation is being ignored in the database connection. Any ideas?


Answer 1:


Change LOGON32_LOGON_NETWORK to LOGON32_LOGON_NETWORK_CLEARTEXT in your call to LogonUser.

This caches the logon credentials in the local security provider, which should enable a successful SSPI handshake with SQL Server.




Answer 2:


I've actually managed to get this to work by getting rid of the impersonation API code and adding the following to my web.config:

  <location path="Services/MyServiceThatNeedsHigherPermissions.svc">
    <system.web>
      <identity impersonate="true" userName="domain\MyAccountWithElevatedPermissions" password="******"/>
    </system.web>
  </location>

The service runs under the context of my dedicated system account and connects to SQL using the same context.



Source: https://stackoverflow.com/questions/5961496/impersonation-failing-for-database-connection