Impersonation and Run as Administrator


Hello

I'm working on a three-tier project that uses the LogonUser and ImpersonateLoggedOnUser API calls to run the connection to the database on the service side with the client's credentials. And there is a little security issue that I can't find how to solve.

On the Windows 2000 server the service part works fine. But on the Windows 2008 server, if the service application was not started with the 'Run as administrator' option, it fails to connect to the MS SQL database with these errors:

 The type initializer for 'System.Data.SqlClient.SqlConnection' threw an exception.
 The type initializer for 'System.Data.SqlClient.SqlConnectionFactory' threw an exception.
 The type initializer for 'System.Data.SqlClient.SqlPerformanceCounters' threw an exception.
 Requested registry access is not allowed.

I've found in Process Monitor that the registry key HKLM\Software\Microsoft\Microsoft SQL Server\Instance Names\SQL can't be accessed, with a BAD IMPERSONATION result.

The code that impersonates looks like this:

    using System;
    using System.Data.SqlClient;
    using System.Diagnostics;
    using System.Runtime.InteropServices;
    using System.Security.Principal;

    // P/Invoke declarations for the Windows API calls used below (class scope)
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool ImpersonateLoggedOnUser(IntPtr hToken);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool RevertToSelf();

    // logonToken was obtained earlier with the LogonUser API function call
    string message;
    if (ImpersonateLoggedOnUser(logonToken))
    {
        message = string.Format("ImpersonateLoggedOnUser as {0}", WindowsIdentity.GetCurrent().Name);
        Console.WriteLine(message);
        Trace.WriteLine(message);

        string cn = "Server=SERVER_NAME;Database=DATABASE_NAME;Integrated Security=True;MultipleActiveResultSets=true;Pooling=True;Max Pool Size=2500";
        try
        {
            using (SqlConnection conn = new SqlConnection(cn))
            {
                conn.Open();
                using (SqlCommand comm = new SqlCommand("select GETDATE()", conn))
                {
                    object res = comm.ExecuteScalar();
                    message = string.Format("\tfound {0}", res);
                    Console.WriteLine(message);
                    Trace.WriteLine(message);
                }
                conn.Close();
            }
        }
        catch (Exception ex)
        {
            // walk the InnerException chain: the type initializer errors wrap the real cause
            Exception exi = ex;
            while (exi != null)
            {
                message = string.Format(" error:{0}", exi.Message);
                Console.WriteLine(message);
                Trace.WriteLine(message);
                exi = exi.InnerException;
            }
        }

        Console.WriteLine("\tbefore RevertToSelf as {0}", WindowsIdentity.GetCurrent().Name);
        RevertToSelf();
        Console.WriteLine("\tafter RevertToSelf as {0}", WindowsIdentity.GetCurrent().Name);
    }
    else
    {
        Console.WriteLine("impersonation failed {0}", Marshal.GetLastWin32Error());
    }


The same code works with 'Run as administrator' on the Windows 2008 server, and fails to connect to SQL (or to impersonate) when started from a user account with local administrator rights. The user accounts that are impersonated are members only of the local Users group.

Very similar code works well if .NET Remoting is used as the transport between client and service. In all cases the service part is started as a console application under the same user account (a local administrator on the server). NetTcpBinding is used for communication between client and service.

Can you please help me and give some tip or link where I can find information about the user rights that are required?

I've checked that in the local group policy the local Administrators group is included in the 'Impersonate a client after authentication' policy. I've also added the administrator to the 'Create a token object' policy, but it didn't help.

PS: I can't use the standard impersonation from WCF because there is no trust relationship between the client computer's domain and the server's domain.


Regards
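For anyone hitting the same symptoms, here is an added example (my own code, not the poster's) that wraps the same LogonUser / ImpersonateLoggedOnUser pattern with the two checks a practitioner would want. First, the error chain in the post is SqlConnection's own type initializer failing; a type initializer runs once per AppDomain, so constructing a SqlConnection once under the process identity, before impersonating, performs the SqlPerformanceCounters registry read with the service account's rights and never repeats it under the impersonated identity. Second, the BAD IMPERSONATION result in Process Monitor means the thread's impersonation token is below SecurityImpersonation level (Identification or Anonymous), which cannot open a registry key or authenticate to SQL Server; WindowsIdentity.ImpersonationLevel reports that level directly, so the code fails fast with a clear message. One caveat on logon types: with LOGON32_LOGON_NETWORK, LogonUser returns an impersonation token and caches no credentials, so an Integrated Security hop to a SQL Server on another machine needs LOGON32_LOGON_INTERACTIVE or LOGON32_LOGON_NETWORK_CLEARTEXT; the example uses the latter. USER_NAME, USER_DOMAIN, PASSWORD and SERVER_NAME are placeholders.

```csharp
using System;
using System.ComponentModel;
using System.Data.SqlClient;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example, not the original poster's code. USER_NAME, USER_DOMAIN,
// PASSWORD and SERVER_NAME are placeholders that must be replaced.
static class ImpersonatedSqlCheck
{
    // LogonUser logon types. NETWORK returns an impersonation token with no cached
    // credentials, so it cannot make an Integrated Security hop to a remote SQL
    // Server; INTERACTIVE and NETWORK_CLEARTEXT keep the credentials for that hop.
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_LOGON_NETWORK = 3;
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool ImpersonateLoggedOnUser(IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool RevertToSelf();

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    static void Main()
    {
        // Step 1: run SqlConnection's type initializer under the process identity.
        // Type initializers execute once per AppDomain, so the registry read done by
        // SqlPerformanceCounters happens here, with the service account's rights, and
        // is not repeated later under the impersonated identity. If this line throws,
        // the registry problem is unrelated to impersonation.
        using (new SqlConnection()) { }

        IntPtr token;
        if (!LogonUser("USER_NAME", "USER_DOMAIN", "PASSWORD",
                       LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error(), "LogonUser failed");

        try
        {
            if (!ImpersonateLoggedOnUser(token))
                throw new Win32Exception(Marshal.GetLastWin32Error(), "ImpersonateLoggedOnUser failed");
            try
            {
                RunAsImpersonatedUser();
            }
            finally
            {
                // Always revert, even when the SQL call throws, so the service thread
                // does not keep running as the client.
                RevertToSelf();
            }
        }
        finally
        {
            CloseHandle(token);
        }
    }

    static void RunAsImpersonatedUser()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        Console.WriteLine("impersonating {0} at level {1}", id.Name, id.ImpersonationLevel);

        // Step 2: a BAD IMPERSONATION result in Process Monitor means the thread token
        // is below SecurityImpersonation (Identification or Anonymous). Such a token
        // cannot open registry keys or authenticate to SQL Server, so fail here with
        // a clear message instead of a type-initializer exception from SqlClient.
        if (id.ImpersonationLevel < TokenImpersonationLevel.Impersonation)
            throw new InvalidOperationException(
                "thread token is only at " + id.ImpersonationLevel +
                " level; this process is not allowed to impersonate at Impersonation level");

        string cn = "Server=SERVER_NAME;Database=master;Integrated Security=True";
        using (SqlConnection conn = new SqlConnection(cn))
        using (SqlCommand cmd = new SqlCommand("select SUSER_SNAME(), GETDATE()", conn))
        {
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                r.Read();
                // SUSER_SNAME() shows which Windows login SQL Server actually saw,
                // confirming that the impersonated credentials reached the server.
                Console.WriteLine("SQL Server login {0}, server time {1}", r[0], r[1]);
            }
        }
    }
}
```

If the level comes back as Identification from a non-elevated console but as Impersonation from an elevated one, compare the two process tokens with `whoami /priv`: a token filtered by UAC carries the Administrators group as deny-only and drops the privileges granted through that group, so a right assigned only to Administrators in local policy is not present until the process is elevated.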
