Impersonation and asynchrony in ASP.NET WebAPI

2019-04-06 10:39发布

Update 2

This question originally was "Does impersonation work with Web API?"
And the question to that question is "Yes, it does."

But the problem was not about Web API but impersonation itself. (The description of the problem is below)

But now I'd like to tell others about the solution.

My controllers are async and my mistaken premise was that any thread spawned by impersonated thread has the same identity as its parent.
By default it is false: TPL does not flow impersonation across threads.

Impersonation flow can be enabled either programmatically or in configuration.
Note, please, that changes should be made to aspnet.config file and not web.config of your application.

As this post states aspnet.config file can be set per application pool.

And this post the link to which kindly provided Andrew tells about the whole quest in more details.

To those of you who will turn impersonation on for the first time I'd like to note that IIS 7.5 has a very nice feature to enter credentials of impersonated account. These credentials are not needed in config file and it is sifficient to write only.

<identity impersonate="true"/>

After entering credentials they will be automatically added to config file.

enter image description here enter image description here

Original question:

I turned impersonation on and provided user credentials.

<identity impersonate="true" usernName="foo" password="bar"/>

But when I connect to sql server via Entity Framework I get the error "Login failed for user {MachineName}$". That is EF runs under IUSR account. Meanwhile WindowsIdentity.GetCurrent() returns identity of 'foo' user.

Impersonated account has all needed permissions on SQL server where Windows authentiaction is enabled.

Moreover, if I disable impersonation and just set application pool to run with the credentials of this identity, everything works fine.

I cannot understand why it doesn't work when impersonation is on but AppPool runs under default account.

Update 1

EF Connection string is

<add name="PtKbEntities" connectionString="metadata=...;provider=System.Data.SqlClient;provider connection string=&quot;data source=...;initial catalog=...;Trusted_Connection=Yes;MultipleActiveResultSets=True;App=EntityFramework&quot;" providerName="System.Data.EntityClient" />

I host application on Win2008 Srv, IIS 7.5

1条回答
干净又极端
2楼-- · 2019-04-06 11:01

As this answer explained; the impersonation in the web.config overrides the identity in the application pool.

In my opinion there is a fine explanation here which one to use: impersonation or application pool

查看更多
登录 后发表回答