Bryant Likes's Blog

Single Sign-On, Impersonation, and SqlConnections

This morning I came across this article: Impersonation, Single Sign-on, and SPS. It is a very interesting article that lays out how to use Single Sign-on with impersonation. So the first thing I did was to get Single Sign-On setup using this MSDN article which was linked in the article. Wow! That was pretty easy. I actually have SSO working for the first time and now it seems pretty simple.

The next step for me was to take the sample code and try it out. I created a new WebPart library and created my new SSO sample webpart. Everything was setup just like the article (I think) but when I ran it I got the dreaded:

Login failed for user '(null)'. Reason: Not associated with a trusted SQL Server connection.

Ok. So why doesn't this work. Well after doing some testing myself (using Page.User.Identity and WindowsIdentity.GetCurrent().Name) I came to the conclusion that something doesn't work, although I'm not sure what it is. It must work in some situations because Jay Nathan has done a lot of work on this (here and here), this article references it, and so does Barry's Blog here on January 24, 2005 (could we get a permalink Barry?). So these guys must be using it and it must be working.

Patrick seems to come to a different conclusion here. He seems to be saying that impersonation doesn't work and that it is easier to just use COM+ instead. A third example of impersonation can be found at this MSDN article. All three of these examples do the same thing, and in all three cases I get the same error message above when I try to connect to the database using a trusted connection.

I can solve Patrick's problem by creating a new WindowsPrincipal object and assigning it to the current context (after making a copy of the current IPrincipal in order to return things on undo). Here is an example of how to do this.

1) First you will need to change the Impersonate method on the Impersonator class:

public WindowsIdentity Impersonate()
{
    // authenticates the domain user account and begins impersonating it
    WindowsIdentity id = this.Logon();
    this.impersonationContext = id.Impersonate();
    return id;
}

2) Next you will need to store the current Principal and then set the new one.

IPrincipal p = base.Context.User;

WindowsPrincipal wp = new WindowsPrincipal(Impersonater.Impersonate());
base.Context.User = wp;

3) You can then do stuff using the SharePoint object model since the Context.User has now been replaced with the impersonated user. When you're done you put back the orginal user.

Impersonater.Undo();
base.Context.User = p;

Using this code both the WindowsIdentity.GetCurrent().Name and Context.User.Identity.Name return the name of the impersonated user.

All this to say that it still doesn't seem to accomplish what I need to accomplish. I still get that error and I'm really not sure why. Any ideas?