EF Code First Connection String during Runtime with Impersonated Windows Service Account
Question
I am required to create separate windows service accounts for each environment (dev, acceptance, and production) that my desktop application uses to connect to one of our internal databases.
A global group has been added to these accounts to provide access thereby requiring access by windows authentication using impersonation.
The connection string data is encrypted and stored on a network, accessed by class library for security.
If I don't impersonate, and use the base constructor for the DbContext base class that accepts a connection string, it works because my personal account is assigned to the same global group. But when I encapsulate the instantiation of the DbContext object to impersonate, it fails with an internal exception stating catastrophic failure while the outer exception states
The provider did not return a
ProviderManifestinstance.
For example:
Console.WriteLine(Environment.UserName); //This shows me! So no impersonation yet!
using (new Impersonator("AppUser", "mydomain", "notapassword"))
{
Console.WriteLine(Environment.UserName); //This shows as AppUSER! So it works!
using (BillMarkContext dbContext = new BillMarkContext())
{
//Read each bill mark object
foreach (BillMarkCode code in dbContext.BillMarkCodes.AsEnumerable<BillMarkCode>())
Console.WriteLine(code.Code);
}
}
public partial class BillMarkContext : DbContext
{
private static string _connection = "Integrated Security=True;Persist Security Info=True;Initial Catalog=MyDB;Data Source=DBServer";
public BillMarkContext()
: base(_connection)
{}
public virtual DbSet<BillMarkCode> BillMarkCodes { get; set; }
protected override void OnModelCreating(DbModelBuilder modelBuilder)
{}
}
Then I tried to hard-code the connection information by creating my own DbConfiguration object, but that results in an error where it's evidently trying to do more than establish a readable connection. It's trying to create the database instead to which I do not have the rights.
Example:
[DbConfigurationType(typeof(MyDbConfiguration))]
public partial class BillMarkContext : DbContext
{
public BillMarkContext()
{}
public virtual DbSet<BillMarkCode> BillMarkCodes { get; set; }
protected override void OnModelCreating(DbModelBuilder modelBuilder)
{}
}
public class MyDbConfiguration : DbConfiguration
{
public MyDbConfiguration()
{
SetProviderServices("System.Data.SqlClient", SqlProviderServices.Instance);
SetDefaultConnectionFactory(new SqlConnectionFactory("Integrated Security=True;Persist Security Info=True;Initial Catalog=MyDB;Data Source=DBServer"));
}
}
This is Code-First and I can only find very simple statements and super-high level examples using DbConfiguration . And with regards to a runtime definition of connection/provider information, info always seems to be directed at a model-based approach or neglects the provider all the way around.
How do I programmatically configure EF Code-First approach to accessing a database while impersonating an application's windows service account and not get these errors?
1 answers
solution1
0 ACCPTED 2018-02-15 21:08:02
So, I think I have finally got this worked out. It's been quite an adventure through and around many rabbit holes reading a ton of MSDN articles and many individual blogs. And in the process of working this out, I've also discovered issues in how our DB access roles were layed out. This part only goes to show that it's equally important to make sure and verify that your roles are setup correctly. Don't just take their word for it. We've got them fixed now, but probably have more controls to put in place and make sure they remain managed in the most appropriate manner. I wanted to provide my example to help someone else in the same situation as well as offer something for the veterans to comment on if they see some improvement opportunities. The sample below is still a bit naive in the since that I could probably do more around SecureString, but I figure that's not the core of the issue. So, here goes...
Consumer:
[STAThread]
static void Main(string[] args)
{
try
{
string domain = "myDomain";
string userName = "myUserName";
string password = "NotAPassword"
//Using NEW_CREDENTIALS is the same as RunAs with the /netonly switch set. Local computer login is based on the
//current user. While the impersonated account will be used for remote access to resources on the network.
//Therefore authentication across the domain.
//Per MSDN, NEW_CREDENTIALS should only work with the WINNT50 provider type. However, I have verified this to work with Default.
//I'm just not sure of the long-term implications since MS made a point to specify this.
using (Impersonator.LogonUser(domain, userName, password, LogonType.NEW_CREDENTIALS, LogonProvider.LOGON32_PROVIDER_WINNT50))
{
//This will show the currently logged on user (machine), because NEW_CREDENTIALS doesn't alter this, only remote access
Console.WriteLine("Current user...{0}", WindowsIdentity.GetCurrent().Name);
using (BillMarkContext dbContext = new BillMarkContext())
{
//Read each bill mark object
foreach (BillMarkCode code in dbContext.BillMarkCodes.AsEnumerable<BillMarkCode>())
{
Console.WriteLine(code.Code);
}
}
}
}
catch (Exception ex)
{
Console.WriteLine(ex);
}
Console.ReadLine();
}
Context:
Obviously a real-world implementation will not store the connection string in a static field.
public partial class BillMarkContext : DbContext
{
private static string _connection4 = "Integrated Security=True;Persist Security Info=True;Initial Catalog=MyDB;Data Source=MyServer";
public BillMarkContext()
: base(_connection4)
{
//Since we're read-only
Database.SetInitializer<BillMarkContext>(null);
}
//View property setup since we're read-only
protected virtual DbSet<BillMarkCode> _billMarkCodes { get; set; }
public DbQuery<BillMarkCode> BillMarkCodes
{
get { return Set<BillMarkCode>().AsNoTracking(); }
}
protected override void OnModelCreating(DbModelBuilder modelBuilder)
{ }
}
Impersonator & supporting classes/enums:
[PermissionSet(SecurityAction.Demand, Name = "FullTrust")]
internal sealed class Impersonator : IDisposable
{
#region Properties
private SafeTokenHandle _handle;
private WindowsImpersonationContext _context;
private bool _isDisposed;
public bool IsDisposed
{
get { return _isDisposed; }
private set { _isDisposed = value; }
}
#endregion
#region Constructors / Factory Methods
private Impersonator(string domain, string userName, string password, LogonType logonType, LogonProvider provider)
{
bool gotTokenHandle = NativeLoginMethods.LogonUser(userName, domain, password, (int)logonType, (int)provider, out _handle);
if (!gotTokenHandle || _handle.IsInvalid)
{
int errorCode = Marshal.GetLastWin32Error();
throw new System.ComponentModel.Win32Exception(errorCode);
}
}
public static Impersonator LogonUser(string domain, string userName, string password, LogonType logonType, LogonProvider provider)
{
Impersonator impersonator = new Impersonator(domain, userName, password, logonType, provider);
impersonator._context = WindowsIdentity.Impersonate(impersonator._handle.DangerousGetHandle());
return impersonator;
}
#endregion
#region Dispose Pattern Methods
private void Dispose(bool disposing)
{
//Allow the Dispose() to be called more than once
if (this.IsDisposed)
return;
if (disposing)
{
// Cleanup managed wrappers
if (_context != null)
_context.Dispose();
if (_handle != null && !_handle.IsClosed)
_handle.Dispose();
//Suppress future calls if successful
this.IsDisposed = true;
}
}
public void Dispose()
{
//Dispose the resource
Dispose(true);
GC.SuppressFinalize(this);
}
#endregion
internal class NativeLoginMethods
{
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
internal static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword, int dwLogonType, int dwLogonProvider, out SafeTokenHandle phToken);
[DllImport("kernel32.dll")]
[ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)]
[SuppressUnmanagedCodeSecurity]
[return: MarshalAs(UnmanagedType.Bool)]
internal static extern bool CloseHandle(IntPtr handle);
}
internal sealed class SafeTokenHandle : SafeHandleZeroOrMinusOneIsInvalid
{
#region Constructors
internal SafeTokenHandle()
: base(true)
{ }
#endregion
#region Support Methods
[ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)]
protected override bool ReleaseHandle()
{
return NativeLoginMethods.CloseHandle(base.handle);
}
#endregion
}
/// <summary>
/// Logon Type enum
/// </summary>
internal enum LogonType : int
{
/// <summary>
/// This logon type is intended for users who will be interactively using the computer, such as a user being logged on by a terminal server, remote shell, or similar process. This logon type has the additional expense of caching logon information for disconnected operations; therefore, it is inappropriate for some client/server applications, such as a mail server.
/// </summary>
INTERACTIVE = 2,
/// <summary>
/// This logon type is intended for high performance servers to authenticate plaintext passwords. The LogonUser function does not cache credentials for this logon type.
/// </summary>
NETWORK = 3,
/// <summary>
/// This logon type is intended for batch servers, where processes may be executing on behalf of a user without their direct intervention. This type is also for higher performance servers that process many plaintext authentication attempts at a time, such as mail or web servers.
/// </summary>
BATCH = 4,
/// <summary>
/// Indicates a service-type logon. The account provided must have the service privilege enabled.
/// </summary>
SERVICE = 5,
/// <summary>
/// GINAs are no longer supported. Windows Server 2003 and Windows XP: This logon type is for GINA DLLs that log on users who will be interactively using the computer. This logon type can generate a unique audit record that shows when the workstation was unlocked.
/// </summary>
UNLOCK = 7,
/// <summary>
/// This logon type preserves the name and password in the authentication package, which allows the server to make connections to other network servers while impersonating the client. A server can accept plaintext credentials from a client, call LogonUser, verify that the user can access the system across the network, and still communicate with other servers.
/// </summary>
NETWORK_CLEARTEXT = 8,
/// <summary>
/// This logon type allows the caller to clone its current token and specify new credentials for outbound connections. The new logon session has the same local identifier but uses different credentials for other network connections. This logon type is supported only by the LOGON32_PROVIDER_WINNT50 logon provider.
/// </summary>
NEW_CREDENTIALS = 9
}
internal enum LogonProvider : int
{
/// <summary>
/// Use the standard logon provider for the system. The default security provider is negotiate, unless you pass NULL for the domain name and the user name is not in UPN format. In this case, the default provider is NTLM.
/// </summary>
LOGON32_PROVIDER_DEFAULT = 0,
/// <summary>
/// Use the Windows NT 3.5 logon provider.
/// </summary>
LOGON32_PROVIDER_WINNT35 = 1,
/// <summary>
/// Use the NTLM logon provider.
/// </summary>
LOGON32_PROVIDER_WINNT40 = 2,
/// <summary>
/// Use the negotiate logon provider.
/// </summary>
LOGON32_PROVIDER_WINNT50 = 3
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.