Double Hop Impersonation, Protocol Transitioning and Constrained Delegation in ASP.NET 4

…衆ロ難τιáo~ submitted on 2019-12-05 07:27:55

Question


I want to use IIS impersonation to connect to a SQL Server database as the user who is currently accessing a website. This is for auditing and security reasons.

I've done some reading and discovered that because the SQL Server is on a separate physical server I need to enable Protocol Transitioning and Constrained Delegation for the server that's running IIS. This is the article that I found ... http://msdn.microsoft.com/en-us/library/ff649317.aspx

I didn't realise at the time I first read it but this article has the following header...

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

What I want to know is, does the information in the article still apply? If I want to impersonate the user all the way to the SQL Server, do I still need Constrained Delegation or has this been implemented in some other way for ASP.NET 4?


Answer 1:


Constrained Delegation is the only way to flow impersonated credentials information to a second host. ASP.NET has nothing to do with it; it is just an ordinary app that uses the Kerberos framework. Nothing changed. Once the ASP.NET application impersonates the context authenticated by IIS (see Configure ASP.NET Impersonation Authentication), the same rules for delegation apply:

  • The app pool account must be configured to be trusted for constrained delegation
  • The SQL Server must have the SPN properly registered


Source: https://stackoverflow.com/questions/4146864/double-hop-impersonation-protocol-transitioning-and-constrained-delegation-in-a
