Here is what I've been trying to do
Build an ASP.NET MVC 3 application with forms authentication and active directory membership. The web server and database are different physical servers hence a double hop.
I thought the answer was this older article on constrained delegation and protocol transition? So far, I have not been able to get the technique to work.
I'm testing this from my DEV machine (Windows 7, IIS7) for the web server before deploying to windows 2008 (IIS7) in the production setup. Would windows 2008 make a difference?
What works and what fails
I'm able to login with forms auth and the AD membership. This seem to be working fine. When I try to make a database call using this code:
public void AsUser(Action action)
{
using (var id = new WindowsIdentity(User.Identity.Name + @"@example.com"))
{
WindowsImpersonationContext context = null;
try
{
context = id.Impersonate();
action.Invoke();
}
catch (Exception ex)
{
// ex.Message is The type initializer for System.Data.SqlClient.SqlConnection threw an exception
// buried inner exeption is Requested registry access is not allowed
}
finally
{
if (context != null)
{
context.Undo();
}
}
}
}
It fails with an exception leading me to believe I have setup issues on my local DEV server. The inner exception is Requested registry access is not allowed
.
If I set a breakpoint and inspect the WindowsIdentity
after the Impersonate()
call I see that the ImpersonationLevel
is set to Identification
. This seems like a clue that it is not setup correctly. Can anyone confirm?
Am I on the right track and is this even possible to setup? Any pointers would be appreciated.