asp.netsql-serveriisasp.net-corewindows-authentication

IIS fails to pass windows credentials through to SQL Server for ASP.NET Core app


I work for a large company with an intranet and Windows AD logins for everyone. We have a number of internal SQL Server databases which allow us to log in using Windows authentication, one of which I'm trying to connect to through an ASP.NET Core application. I can connect to this database through SQL Server Management Studio and query the tables fine.

I've followed the tutorial for an ASP.NET Core app using an existing database as closely as I possibly could, and created a single model class to test with to see if I could read data from the database. When debugging with IIS Express in Visual Studio, I can read data from the database when accessing the auto-generated controller and views.

Everything seems fine when debugging, but when publishing to IIS, I receive the following error:

SqlException: Login failed for user '<DOMAIN>\<COMPUTERNAME>$'.

Where domain is my domain and computername is my computer's name. This is expected, since my computer itself doesn't have access to the database. But it shouldn't be trying to connect using that system account (with the dollar sign), it should be trying to connect with my windows account: <DOMAIN>\<USERNAME>.

What's weirder, the app does seem to recognize my Windows credentials in some capacity - when I access the home page, I get the familiar "Hello, <DOMAIN>\<USERNAME>!" message in the nav bar. So the Windows credentials are definitely getting passed through to the app, but for some reason not getting passed through when trying to connect to the database through DbContext.

Am I missing something obvious here?

My Code

I started with Visual Studio's ASP.NET Core Web Application template.

In launchSettings.json, I have:

  "iisSettings": {
    "windowsAuthentication": true, 
    "anonymousAuthentication": false, 
    "iisExpress": {
      "applicationUrl": "http://localhost:60686",
      "sslPort": 44336
    }
  },

In appsettings.json, I have:

  "ConnectionStrings": {
    "MyDB": "Server=<servername>;Database=<dbname>;Trusted_Connection=True;"
  },

In Startup.cs, I have the following line in ConfigureServices

            services.AddDbContext<MyContext>(options => {
                options.UseSqlServer(Configuration.GetConnectionString("MyDB"));
            });

And from there, I have scaffolded an MVC controller with views using Entity Framework.

IIS has Windows authentication set to Yes and anonymous authentication set to No. My application pool is set to No Managed Code with ApplicationPoolIdentity.

Edit: The problem

To state the actual problem I'm trying to solve, I have a SQL Server database on a remote intranet server which allows access to a subset of the whole company via Windows authentication. If I want to create an ASP.NET application to provide an API to that database, hosted by IIS, what's the best way to do this? Assuming:

  1. I don't want to have to manage permissions myself or have to duplicate them in some way
  2. The people who have access to the database directly should have access to the API, the people who don't should not.
  3. If they're accessing it from within the intranet while logged in to Windows, they shouldn't have to log in again.

I assumed I could just pass their windows credentials from IIS through the app to SQL server but I'm starting to wonder if that's actually the case.


Solution

  • After learning more about .NET and what Windows auth actually does on IIS, I'm going to say that what I was trying to do is not recommended. There is a difference between passing windows credentials to a .NET app in order to read from them, vs. actually executing a secondary process as that user. The latter case is what I was trying to do, but instead should set up my app pool in IIS with a user who can log in to the database, and use the windows credentials to verify against the list of users who have access.