Impersonate Windows Account

  • I’m trying to help the developers of a legacy app to get their app to run under the authority of a Windows domain user account other than the currently logged on user. Their app will do the authentication, not Windows. I’ve seen and tested ways to use the authority of a SQL user account. For example,

     

    OSQL -S DEV -d Pubs -o c:\test\AuthorsOutput5.txt -Q "SELECT TOP 5 * FROM Authors" -U test -P testpass

     

    But I can’t seem to find a way to impersonate a Windows account.

  • I would look at the runas command. I can't figure out how to give it a password programmatically; maybe you will have more luck.

    Note: I have not ever needed to [give it a password].

    Tim S

    Look at this link:

    http://www.tek-tips.com/faqs.cfm?fid=2760

  • I'm not sure you'll be able to do it. Windows Authentication is just that. It authenticates via Windows. SQL Server doesn't know or trust the application.

    -SQLBill

  • You could probably run the osql with the runas command and then use the required Windows ID.


    Everything you can imagine is real.

  • Take a look at this:

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemSecurityPrincipalWindowsIdentityClassImpersonateTopic.asp

    Describes how to impersonate another account programmatically.

  • I was thinking along the same lines, but then he had said the app is a legacy app. I wonder, could you tell us what language is used for the legacy app?


    Everything you can imagine is real.

  • Thanks to all of you for your help. I’ve learned from all of you. The runas fixes seem more complicated than I anticipated: both to implement and (especially) to maintain. I don’t think I want to go there.

     

    One more part of the picture. The application has both a client component and a server component. The server side of the application starts as a service on an application server. The application server is not on the same box as the SQL Server. Right now, the application server service runs as the system account. It’s been suggested to me to make the application’s service start as a domain user account on this server. Then, so I’ve been told, a connection from that application server to a SQL Server will always use the associated domain account for the connection. I don’t think it’s that simple, but I’m going to look into this some more. I’ve seen the associated articles on the ASP.NET service account, but haven’t seen a more general discussion of application service accounts. Any pointers would be welcome.

     

  • OK, so is it the service that executes/needs to execute the command?

    If so, then if your service uses a domain account and that domain account uses a "trusted" connection to the SQL Server and if the SQL Server allows access to that account, then I think it'll work that way. That's a lot of if's though...
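
The "ifs" in the reply above, written out as a server-side check. This is an added example, not part of the thread or any poster's code; it assumes SQL Server 2005 or later and a placeholder domain account `EXAMPLE\svc_legacyapp`, with the `Pubs` database and `Authors` table taken from the osql command in the first post.

```sql
-- Added example. EXAMPLE\svc_legacyapp is a placeholder for the domain
-- account the application service would be configured to start as.
-- Run as a sysadmin on the SQL Server.

-- "If the SQL Server allows access to that account": map the Windows
-- account to a login. No password is stored in SQL Server or in the app.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'EXAMPLE\svc_legacyapp')
    CREATE LOGIN [EXAMPLE\svc_legacyapp] FROM WINDOWS
        WITH DEFAULT_DATABASE = [Pubs];
GO

USE Pubs;
GO

-- Give the account a database user and only the rights the app needs,
-- here read access to the one table from the thread's sample query.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'svc_legacyapp')
    CREATE USER [svc_legacyapp] FOR LOGIN [EXAMPLE\svc_legacyapp];
GO
GRANT SELECT ON OBJECT::dbo.Authors TO [svc_legacyapp];
GO

-- "If your service uses a domain account" over a "trusted" connection:
-- after the service has connected, list user sessions and how each one
-- authenticated. Expect login_name = EXAMPLE\svc_legacyapp with
-- auth_scheme NTLM or KERBEROS. A service still running as the system
-- account shows up as the application server's computer account
-- (a name ending in $); auth_scheme = SQL means a SQL login was used.
SELECT s.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       c.auth_scheme,
       c.client_net_address
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
  ON c.session_id = s.session_id
WHERE s.is_user_process = 1
ORDER BY s.login_time DESC;
```

The final query needs VIEW SERVER STATE permission, so it is run by the DBA rather than by the service account itself.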

  • I don’t know all the details about their app. Surprisingly, their developers don’t either. I’m going fishing in Costa Rica next week and won’t know much ‘til I get back. I am NOT bringing a laptop with me. However, I did set up a couple of test boxes and test databases for them to play with when I’m gone. I’ll post results when I get back.
