Impersonation on remote service says Login failed for user 'NT Authority\Anonymous Logon'

Question

I have a service that I want to when accessing databases I want to access databases to use the calling identities credentials.

Before I access a particular database I do an impersonation by

var winId = HttpContext.Current.User.Identity as WindowsIdentity;
var ctx = winId.Impersonate();
//Access Database
ctx.Undo();

This scenario works fine when the service runs locally on my PC. However when deployed on another remote PC I get the error:

Login failed for user 'NT Authority\Anonymous Logon"

as soon as it tries to access the database.

I have been told by DBAdmin that the SQL Server has an SPN.

The account under which the service runs under is a domain account.

Answer 1

The problem you most likely experiencing is Delegation as opposed Impersonation.

I assume in your production environment you actually have your Web Browser, your IIS Server and SQL Server are all on different machines.

Simple Impersonation does not support Multi-Hop.

To support Multi-Hop you need to setup Kerberos with Delegation. You are going to have to setup the SPN records on your Active Directory. Once that is done, you also need to enable Delgation for the IIS machine on your AD.

In short, Delegation is a HUGE can of worms.

Answer 2

You have to make sure IIS offers "Windows Authentication" authentication and it is enabled. By default the WindowsAuthenticationModule is not installed and Anonymous Authentication is used.

To setup Windows Authentication use the Web Platform Installer and search for "Windows Authentication". After the installation completed, enable the "Windows Authentication" authentication for your site.

See Configure Windows Authentication (IIS 7) for more information.

You might also take a look at the related questions on the right, especially SQL Server returns error "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'." in Windows application