Delegation / Impersonation problem



I have started to put together an ASP.NET 2.0 application which
connects to a SQL server using the logged on identity.

I have read the articles on how to configure the connection string ,
web config and active directory servers.

It all seems to work fine from most machines on our network. However I
have found that the connection will fail with a 'Login failed for user
'NT AUTHORITY\ANONYMOUS LOGON' error if the client machine is 'trusted
for delegation' from within active directory.

I have been testing the following small bit of code which runs as an app
on one of the internal webservers:-

Imports System.Data.SqlClient
Imports System.Security.Principal

Dim impersonationContext As WindowsImpersonationContext
Dim currentWindowsIdentity As WindowsIdentity

' Take the authenticated caller's token and impersonate it for this request
currentWindowsIdentity = CType(User.Identity, WindowsIdentity)
impersonationContext = currentWindowsIdentity.Impersonate()

Response.Write("anon=" & currentWindowsIdentity.IsAnonymous.ToString() & "<BR>")
Response.Write("level=" & currentWindowsIdentity.ImpersonationLevel.ToString() & "<BR>")

Try
    ' Integrated Security=SSPI makes SQL Server see the impersonated token (the second hop)
    Using connection As New SqlConnection("packet size=4096;data source=mydbserver;persist security info=True;initial catalog=northwind;Integrated Security=SSPI")
        connection.Open()
        Response.Write("connection made ok " & Date.Now.ToShortDateString() & " " & Date.Now.TimeOfDay.ToString())
    End Using
Catch ex As Exception
    Response.Write(ex.Message)
Finally
    ' Always revert to the process identity, even if Open() throws
    impersonationContext.Undo()
End Try

If I view the page from a number of clients (XP workstations) on the
network I get the following

anon=False
level=Delegation
connection made ok 30/10/2006 09:34:57.6818835

which is fine, all seems ok.

If I access the same page from the webserver itself the impersonation
level changes but the connection still works :

anon=False
level=Impersonation
connection made ok 30/10/2006 09:58:39.1254460

However if I access the page from another server which is set as
'trusted for delegation' the connection fails

anon=False
level=Impersonation
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

Is there any reason why this would occur? It seems an application
cannot use delegation in this way if the client accessing it may be
another server which is 'trusted for delegation', such as another
webserver on the network or a domain controller for example.

Any help would be much appreciated,

Matt.
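A diagnostic a practitioner could drop into such a page to pin down the second hop. This is an added example, not Matt's code: it is in C# rather than the post's VB, the class and method names (SecondHopProbe, Run) are hypothetical, "mydbserver" and "northwind" are taken from the post, and the sys.dm_exec_connections query assumes SQL Server 2005 or later. It records the caller's token type and impersonation level before the connection is attempted, then asks SQL Server which login it actually authenticated, so the difference between the working and failing clients can be read off one report instead of inferred from the login error.

```csharp
// Added diagnostic (not from the original post). Reports what the web server
// knows about the caller's token, then what SQL Server saw on the second hop.
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Text;

public static class SecondHopProbe   // hypothetical name
{
    // Constructed from values in the post; adjust for the real environment.
    private const string ConnectionString =
        "Data Source=mydbserver;Initial Catalog=northwind;Integrated Security=SSPI";

    // Call from a page as:
    //   Response.Write(HttpUtility.HtmlEncode(
    //       SecondHopProbe.Run((WindowsIdentity)User.Identity)));
    public static string Run(WindowsIdentity caller)
    {
        var report = new StringBuilder();
        report.AppendLine("caller=" + caller.Name);
        report.AppendLine("anon=" + caller.IsAnonymous);
        report.AppendLine("auth=" + caller.AuthenticationType);   // Kerberos vs NTLM
        report.AppendLine("level=" + caller.ImpersonationLevel);

        // Only a Delegation-level token can be forwarded to a remote server.
        // An Impersonation-level token lets the web server act as the caller on
        // the local machine only; on a network hop it carries no credentials,
        // which SQL Server logs as 'NT AUTHORITY\ANONYMOUS LOGON'.
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            report.AppendLine("warning: token is not delegable; a remote " +
                              "connection will not carry the caller's identity");

        // Disposing the context reverts the impersonation, even if Open() throws.
        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            try
            {
                using (var conn = new SqlConnection(ConnectionString))
                {
                    conn.Open();
                    // Ask SQL Server which login it authenticated for this
                    // session and which scheme (KERBEROS/NTLM/SQL) was used.
                    const string sql =
                        "SELECT SUSER_SNAME(), auth_scheme " +
                        "FROM sys.dm_exec_connections WHERE session_id = @@SPID";
                    using (var cmd = new SqlCommand(sql, conn))
                    using (SqlDataReader rdr = cmd.ExecuteReader())
                    {
                        if (rdr.Read())
                            report.AppendLine("sql login=" + rdr.GetString(0) +
                                              " via " + rdr.GetString(1));
                    }
                }
            }
            catch (SqlException ex)
            {
                // Login failures surface here; keep the number for correlation
                // with the SQL Server error log.
                report.AppendLine("sql error " + ex.Number + ": " + ex.Message);
            }
        }
        return report.ToString();
    }
}
```

Reading the two lines together is the useful part: a client that reports level=Delegation and auth=Kerberos should show its own name as the SQL login, while a client whose token arrives at the web server with level=Impersonation (as the 'trusted for delegation' server in the post does) has nothing the web server can present on the hop to mydbserver, and the report records that before the login error appears.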
