Re: IIS 7 and WindowsIdentity

Hi Peter,

With Windows authentication, either the Windows user must belong to a
privileged Windows group such as ORA_DBA on the Oracle server or external
authentication must be enabled. External authentication is not recommended,
because it is less secure than access through group membership.

Do the users you want to impersonate belong to a Windows group such as
ORA_DBA?

For ASP.NET, we have to use <identity impersonate="true" /> to impersonate
the current logon user to process something rather than to use the default
NETWORK SERVICE account. I think the problem comes down to how the Oracle
database knows that the Windows account is in its security user list, just
as we need to add the Windows account to the Security/Logins list in
Microsoft SQL Server Management Studio. I think the Oracle database likewise
needs your impersonated account to be added to its user list. You also
said that the impersonation works on your local machine but not on the IIS
server, so I think it is a configuration problem on the Oracle database.
(Sorry, I'm not quite familiar with Oracle.)

Oracle database security problems are outside the support boundaries of
these managed newsgroups. So I also think we can find more help about how to
implement Windows Authentication for Oracle from the
But I still try my best to provide some useful clues to resolve your issue.
Here I found some useful links from third-party websites.

Securing a .NET Application on the Oracle Database

This response contains a reference to a third party World Wide Web site.
Microsoft is providing this information as a convenience to you. Microsoft
does not control these sites and has not tested any software or information
found on these sites; therefore, Microsoft cannot make any representations
regarding the quality, safety, or suitability of any software or
information found there. There are inherent dangers in the use of any
software found on the Internet, and Microsoft cautions you to make sure
that you completely understand the risk before retrieving any software from
the Internet.
| From: "Peter Larsen [CPH]" <PeterLarsen@xxxxxxxxxxxxxxxx>
| References: <uvUaEbaLLHA.5792@xxxxxxxxxxxxxxxxxxxx>
| Subject: Re: IIS 7 and WindowsIdentity
| Date: Wed, 28 Jul 2010 14:12:40 +0200
| Message-ID: <eOeLu4kLLHA.5196@xxxxxxxxxxxxxxxxxxxx>
| Hi Jerry,
| I can't get it to work.
| I use the following sample to test with:
| using System.Configuration;
| using Oracle.DataAccess.Client;
|
| string cs = ConfigurationManager.AppSettings["main.connectionstring"];
| string sql = "select * from table_name t";
| // Dispose the connection and the reader as well as the command.
| using (OracleConnection oc = new OracleConnection(cs))
| using (OracleCommand com = new OracleCommand(sql, oc))
| {
|     oc.Open();
|     using (OracleDataReader odr = com.ExecuteReader())
|     {
|         // read rows here
|     }
| }
| The web.config contains "identity impersonate = true" and user id=/; in
| connection string.
| On my own machine, this works just fine, but it fails on the ISS with the
| error "Oracle.DataAccess.Client.OracleException: ORA-1017".
| I log the text from the below line + checks that the logoff/logon events
| exist in the Security Log (on the server).
| string text = string.Format(
|     "windowsidentity:{0}:{1}, currentthread:{2}:{3}",
|     System.Security.Principal.WindowsIdentity.GetCurrent().Name,
|     System.Security.Principal.WindowsIdentity.GetCurrent().IsAuthenticated,
|     System.Threading.Thread.CurrentPrincipal.Identity.Name,
|     System.Threading.Thread.CurrentPrincipal.Identity.IsAuthenticated);
| It all seems ok, but it doesn't work.
| What do i do wrong here ??
| Thank you.
| BR
| Peter
| "Jerry Weng" <v-jewen@xxxxxxxxxxxxx> wrote in message
| news:wj4dn$fLLHA.2348@xxxxxxxxxxxxxxxxxxxxxxxxx
| > Hello Peter Larsen,
| > Thank you for posting.
| > From your post, my understanding on this issue is: login to the database
| > with the current user which authenticated in your web system. If I'm off
| > base, please feel free to let me know.
| >
| > We need to impersonate the user to meet the requirement.
| >
| > So the connection string needs to be like this:
| > <add key="Main.ConnectionString" value="data source=DATABASE;User Id=/;"/>
| >
| > And we need to add <identity impersonate="true"> to the web.config.
| >
| > <system.web>
| > <identity impersonate="true"/>
| > </system.web>
| >
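
Added example for the diagnosis discussed in this thread; it is not code
from Peter's or Jerry's posts. It extends Peter's logging line with the two
facts it leaves out, the impersonation level of the thread token and the
identity of the worker process, and then opens a session with User Id=/ and
asks Oracle which user it actually authenticated. A token at Identification
level, or an NTLM token that has to be presented to an Oracle server on
another host, cannot authenticate off the IIS machine, which is one reason an
impersonated connection can work on a developer box and fail on IIS with
ORA-01017. The other requirement, which Jerry points at, is that Oracle must
already know the account as an externally identified user. Assumptions: ODP.NET
(Oracle.DataAccess.Client), <identity impersonate="true"/> in web.config, a
connection string such as "Data Source=ORCL;User Id=/;", and Oracle's default
OS_AUTHENT_PREFIX of "OPS$"; the class and method names are mine.

```csharp
// Added diagnostic, not code from the original posts.
// Assumptions: ODP.NET, impersonation enabled in web.config,
// a "User Id=/" connection string, default OS_AUTHENT_PREFIX "OPS$".
using System;
using System.Security.Principal;
using Oracle.DataAccess.Client;

public static class OsAuthDiagnostics
{
    public sealed class IdentityReport
    {
        public string ProcessUser;               // account the worker process runs as
        public string ThreadUser;                // account the request thread impersonates
        public bool ThreadIsAuthenticated;
        public string AuthenticationType;        // "NTLM", "Kerberos", "Negotiate", ...
        public TokenImpersonationLevel Level;    // Identification, Impersonation or Delegation
        public string ExpectedOracleUser;        // name Oracle must hold as IDENTIFIED EXTERNALLY
    }

    // Records who the request runs as and what kind of token it holds.
    // If ThreadUser equals ProcessUser, impersonation is not in effect.
    // If Level is Identification, or AuthenticationType is NTLM and the
    // Oracle server is remote, the token cannot be used off this machine.
    public static IdentityReport Inspect()
    {
        WindowsIdentity thread = WindowsIdentity.GetCurrent();
        IdentityReport r = new IdentityReport();
        r.ThreadUser = thread.Name;
        r.ThreadIsAuthenticated = thread.IsAuthenticated;
        r.AuthenticationType = thread.AuthenticationType;
        r.Level = thread.ImpersonationLevel;

        // Impersonate(IntPtr.Zero) reverts the thread to the process identity
        // until the context is disposed.
        using (WindowsImpersonationContext revert = WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            r.ProcessUser = WindowsIdentity.GetCurrent().Name;
        }

        // Oracle on Windows maps "DOMAIN\user" to the upper-case external user
        // OPS$DOMAIN\USER (assumption: OS_AUTHENT_PREFIX is the default "OPS$").
        r.ExpectedOracleUser = "OPS$" + thread.Name.ToUpperInvariant();
        return r;
    }

    // Opens a session with User Id=/ and asks Oracle who it thinks we are.
    // Returns true on success; on failure, detail carries the Oracle error,
    // with ORA-01017 explained in terms of the checks in Inspect().
    public static bool TryConnect(string connectionString, out string detail)
    {
        const string who =
            "select sys_context('USERENV','SESSION_USER') || ' (os user ' || " +
            "sys_context('USERENV','OS_USER') || ', auth ' || " +
            "sys_context('USERENV','AUTHENTICATION_TYPE') || ')' from dual";
        try
        {
            using (OracleConnection conn = new OracleConnection(connectionString))
            using (OracleCommand cmd = new OracleCommand(who, conn))
            {
                conn.Open();
                detail = Convert.ToString(cmd.ExecuteScalar());
                return true;
            }
        }
        catch (OracleException ex)
        {
            IdentityReport r = Inspect();
            detail = ex.Number == 1017
                ? "ORA-01017 for thread user " + r.ThreadUser + " (level " + r.Level
                  + ", " + r.AuthenticationType + "). Check that Oracle has the user "
                  + r.ExpectedOracleUser + " IDENTIFIED EXTERNALLY with CREATE SESSION, "
                  + "and that the token is at Impersonation or Delegation level."
                : ex.Message;
            return false;
        }
    }
}
```

Call Inspect() and TryConnect(ConfigurationManager.AppSettings["Main.ConnectionString"], out detail)
from the failing page on the IIS server and log both results. On the Oracle
side the external user has to exist before any of this can succeed, for
example with CREATE USER "OPS$DOMAIN\USER" IDENTIFIED EXTERNALLY followed by a
GRANT CREATE SESSION; the client's sqlnet.ora must also list NTS under
SQLNET.AUTHENTICATION_SERVICES for Windows native authentication to be offered.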