The description of my problem sounds somewhat complicated, which makes me think that my approach is flawed, so I will also appreciate any better idea.
Short description:
Given a connection string to an MSSQL 2008 DB and the name of a website deployed on IIS6, I want to verify programmatically whether the website is able to connect to the database.
Long description:
portal_db
portal. I can access it by url http://localhost/portal
In the Web.config file I specified the connection string to my database, which looks like: "server=(local)\\SQLEXPRESS;trusted_connection=yes;database=portal_db"
System.Data.SqlClient.SqlConnection, without any wrappers, ORMs, mappings, anything.
PortalAppPool. It's using ApplicationPoolIdentity as a security context.
When my web application tries to connect to the database it either succeeds or fails, depending on whether the user IIS APPPOOL\\PortalAppPool is configured in the MSSQL database. That's the part which I understand, but when deploying my app I often forget to create a new user/login in the db for the app pool virtual account. So what I want to do is to verify from a separate, standalone console app (preferably written in C#, but not necessarily) whether my web application can access the database, in the following way:
Web.config
SqlConnection with connection string read from Web.config
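It boils down to the following snippet:
// Impersonator is the poster's own helper class (not shown on the page).
using (new Impersonator("IIS APPPOOL\\PortalAppPool", "", ""))
{
    // Dispose the connection even if Open() throws.
    using (SqlConnection conn = new SqlConnection(databaseConnectString))
    {
        conn.Open();
    }
}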
Everything works very well when my app pool security context is set to any value other than AppPoolIdentity - specific user, local system, etc. When I change the credentials passed to Impersonator to my user's name and password, I get the desired result (an exception when I have no login mapping in the database, and everything is OK when I add one). But I just don't seem to be able to impersonate the IIS APPPOOL\\PortalAppPool virtual account - I just have no idea what parameters should be passed to LogonUser - I would not be surprised if it were not even possible. Maybe I am focused on the impersonation approach too much (I am using it to access registry keys and services of other users and it works well), and maybe there is some better way.
If you have any other, better ideas, or need some more explanation to this problem, please let me know.
I don't think you can impersonate a virtual account (IIS service account). They are special service accounts set up mainly for IIS security. They are for local services only and cannot be attached to any domains. Virtual accounts in Windows Server 2008 R2 and Windows 7 are "managed local accounts" that provide the following features to simplify service administration:
You cannot "log into" a virtual account; they are used by Windows for security purposes:
Some light reading if you have time:
To solve your original problem, you could build an app that does the same logic but checks the SQL Server to see whether it has the correct users set up, instead of simply trying to log in with the account.
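One way to implement the check suggested in the answer above, as an added example that is not part of the original question or answer: a console program that asks SQL Server whether the app pool login exists, is enabled, and has a user in the target database. The class name is hypothetical, the defaults are the values quoted in the question, and it assumes the operator running it is allowed to read server principal metadata (for example a sysadmin).

```csharp
using System;
using System.Data.SqlClient;

static class AppPoolLoginCheck // hypothetical name, not from the original post
{
    // Finds the Windows login by name and counts the users mapped to it (by SID)
    // in the database selected by the connection string.
    const string Query = @"
        SELECT CAST(sp.is_disabled AS int),
               (SELECT COUNT(*) FROM sys.database_principals dp
                 WHERE dp.sid = sp.sid)
          FROM sys.server_principals sp
         WHERE sp.name = @login AND sp.type = 'U';";

    static int Main(string[] args)
    {
        // Defaults are the values quoted in the question; pass your own as arguments.
        string connStr = args.Length > 0 ? args[0]
            : @"server=(local)\SQLEXPRESS;trusted_connection=yes;database=portal_db";
        string login = args.Length > 1 ? args[1] : @"IIS APPPOOL\PortalAppPool";

        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(Query, conn))
        {
            cmd.Parameters.AddWithValue("@login", login);
            conn.Open(); // connects as the operator running this tool, not as the app pool
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                if (!r.Read())
                {
                    Console.WriteLine("FAIL: no Windows login named " + login);
                    return 1;
                }
                if (r.GetInt32(0) != 0)
                {
                    Console.WriteLine("FAIL: login exists but is disabled");
                    return 1;
                }
                if (r.GetInt32(1) == 0)
                {
                    Console.WriteLine("FAIL: login exists but has no user in " + conn.Database);
                    return 1;
                }
            }
        }
        Console.WriteLine("OK: login and database user are present for " + login);
        return 0;
    }
}
```

A login that reaches the database only through a Windows group login or the sysadmin role has no user of its own and is reported as FAIL, so treat a failure as a prompt to inspect the mapping rather than as proof that the site cannot connect.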