Impersonating IIS DefaultAppPool in standalone application

Question

Description of my problem sounds somewhat complicated, what makes me think that my approach is flawed, so I will also appreciate any better idea.

Short description:

Given connection string to MSSQL 2008 DB and website name deployed on IIS6, I want to verify programatically whether website is able to connect to database.

Long description:

1. I have MSSQL Server database, let's call it portal_db .
2. I have an application deployed on IIS6, called portal . I can access it by url http://localhost/portal . In Web.config file I specified connection string to my database, which look like: "server=(local)\\SQLEXPRESS;trusted_connection=yes;database=portal_db"
3. Web application is accessing database using System.Data.SqlClient.SqlConnection , without any wrappers, ORMs, mappings, anything.
4. Website is configured to run in appool PortalAppPool . It's using ApplicationPoolIdentity as a security context.
5. It is not possible to easily modify web application code (particularly the way it accesses database)

When my web application tries to connect to database it either succeeds or fails, depending on whether user IIS APPPOOL\\PortalAppPool is configured in MSSQL database. That's a part which I understand, but when deploying my app I often forget to create new user/login in db for apppool virtual account. So what I want to do, is to verify from separate, standalone, console app (preferably written in C#, but not necessarily), whether my web application can access database, in following way:

1. Read connection string from Web.config
2. Read app pool identity settings (managed to do this by Directory Services API)
3. Impersonate identity with credentials defined on app pool (using impersonation class I found here: http://platinumdogs.me/2008/10/30/net-c-impersonation-with-network-credentials/ which uses ideas found in many other places, including MSDN)
4. Open SqlConnection with connection string read from Web.config

It boils down to following snippet:

using (new Impersonator("IIS APPPOOL\\PortalAppPool", "", ""))
{
    SqlConnection conn = new SqlConnection(databaseConnectString);
    conn.Open();
}

Everything works very well, when my app pool security context is set to any other value than AppPoolIdentity - specific user, local system, etc. When I change credentials passed to Impersonator to my user's name and password, I get desired result (exception when I have no login mapping in database, and everything is OK when I add one). But I just seem to not be able to impersonate IIS APPPOOLS\\PortalAppPool virtual account - just have no idea what parameters should be passed to LogonUser - I would not be surprised if it would not be even possible. Maybe I am focused on impersonation approach too much (I am using it to access registry keys and services of other users and it works good), and maybe there is some better way.

If you have any other, better ideas, or need some more explanation to this problem, please let me know.

Answer 1

I don't think you can impersonate a virtual account (IIS service account). They are special service accounts setup mainly for IIS security. They are for local services only and cannot be attached to any domains. Virtual accounts in Windows Server 2008 R2 and Windows 7 are "managed local accounts" that provide the following features to simplify service administration:

• No password management is required.
• The ability to access the network with a computer identity in a domain environment.

You cannot "Log into" a virtual account, they are used by windows for security purposes:

Some light reading if you have time:

• This gives a brief overview of MSAs and Virtual Accounts
• The differences between MSAs and Virtual Accounts
• The dirty details on each and how to manage them

To solve your original problem, you could build an app that could do the same logic but check the sql server if it has the correct users setup instead of simply trying to login with the account.