000015126 - AXM- Error with Using impersonation and Delegation with ASP.NET and WINDOWS SSO

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000015126
Applies To:
  Access Manager 4.x agent for IIS 6.0
  Protocol Transition
  Kerberos Ticket
  Impersonation and Delegation in ASP.NET
Issue: AXM- Error with Using impersonation and Delegation with ASP.NET and WINDOWS SSO

An ASPX application that uses impersonation, with the user taken from the protocol transition token, receives an exception when it connects to an MS SQL database.

ERROR: System.Data.SqlClient.SqlException: Login failed for user '(null)'. Reason: Not associated with a trusted SQL Server connection.
at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection)

The connection string in use in the web.config file was:

  <add name="CSS" connectionString="Data Source=EMCTEST,1433;Initial Catalog=TESTDB;Integrated Security=SSPI;" providerName="System.Data.SqlClient"/>

Windows Event log reports the following:

Event Type:        Information
Event Source:    MSSQL$SQLDEV18
Event Category:                (4)
Event ID:              17055
Date:                     12/10/2009
Time:                     2:48:46 PM
User:                     N/A
Computer:          XXXXXXXXXX
The description for Event ID ( 17055 ) in Source ( MSSQL$XXXXXXXXXX ) cannot be found. Either the component that raises this event is not installed on your local computer, or the installation is corrupted. You can install or repair the component on the local computer, or contact the component manufacturer for a newer version.

If the event was saved from another computer or forwarded from a remote computer, you might have to include display information with the events when saving them or when setting up the forwarding s 18452, Login failed for user '(null)'. Reason: Not associated with a trusted SQL Server connection.

0000: 14 48 00 00 0e 00 00 00   .H......
0030: 00 00 07 00 00 00 6d 00   ......m.
0038: 61 00 73 00 74 00 65 00   a.s.t.e.
0040: 72 00 00 00               r...   


In Active Directory, this requires that the computer object hosting the IIS server be allowed to delegate. In "Active Directory Users and Computers", under Computers, select the computer object for the machine the IIS server is located on. Right-click that computer object and select "Properties". Select the "Delegation" tab. Select the radio button "Trust this computer for delegation to specified services only". Click the Add button and select the MSSQLSvc service type for the server on which the MS SQL Server is located.

One could also use "Trust this computer for delegation to any service (Kerberos only)", but this would be less secure.
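
The two delegation choices above are stored on the computer object in the userAccountControl and msDS-AllowedToDelegateTo attributes, so the setting can be checked after the change. The following is an added example, not code from RSA or from the original article: it classifies exported attribute values and flags any-service delegation or delegation targets other than MSSQLSvc. The host names IISWEB01 to IISWEB04 and FILE01 and the example.test domain are constructed; EMCTEST and port 1433 are taken from the connection string above.

```python
# Added example (not RSA code): classify a computer object's Kerberos
# delegation settings from two exported Active Directory attributes.
WORKSTATION_TRUST_ACCOUNT = 0x00001000       # ordinary domain-joined computer
TRUSTED_FOR_DELEGATION = 0x00080000          # "delegation to any service (Kerberos only)"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # protocol transition permitted


def audit_delegation(uac, spns, expected_class="MSSQLSvc"):
    """Return (mode, findings) for one computer object.

    uac  -- integer userAccountControl value
    spns -- list of SPN strings from msDS-AllowedToDelegateTo (may be empty)
    """
    spns = list(spns or [])
    findings = []
    if uac & TRUSTED_FOR_DELEGATION:
        mode = "unconstrained"
        findings.append("any-service delegation enabled; restrict to specified services")
    elif spns:
        mode = ("constrained+protocol-transition"
                if uac & TRUSTED_TO_AUTH_FOR_DELEGATION else "constrained")
    else:
        mode = "none"
    classes = [s.split("/", 1)[0].lower() for s in spns]
    # Without the SQL Server SPN the web server cannot forward the user's identity.
    if mode != "unconstrained" and expected_class.lower() not in classes:
        findings.append(f"no {expected_class} SPN in msDS-AllowedToDelegateTo")
    # Anything beyond the SQL service widens what the web server may delegate to.
    findings += [f"unexpected delegation target: {s}"
                 for s, c in zip(spns, classes) if c != expected_class.lower()]
    return mode, findings


# Constructed sample data: IISWEB0x, FILE01 and example.test are invented;
# EMCTEST and port 1433 come from the connection string in the article.
SQL_SPN = "MSSQLSvc/EMCTEST.example.test:1433"
SAMPLES = {
    "IISWEB01": (WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION, [SQL_SPN]),
    "IISWEB02": (WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION, []),
    "IISWEB03": (WORKSTATION_TRUST_ACCOUNT, [SQL_SPN, "cifs/FILE01.example.test"]),
    "IISWEB04": (WORKSTATION_TRUST_ACCOUNT, []),
}

if __name__ == "__main__":
    for host, (uac, spns) in SAMPLES.items():
        mode, findings = audit_delegation(uac, spns)
        print(f"{host}: {mode}")
        for finding in findings:
            print(f"  - {finding}")
```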


To allow ASP.NET to impersonate the incoming user when communicating with SQL instances that are on another machine, add the following lines to your web.config file:

    <!--
        The <authentication> section enables configuration
        of the security authentication mode used by
        ASP.NET to identify an incoming user.
    -->
    <authentication mode="Windows"/>
    <identity impersonate="true" />

Legacy Article ID: a49032