Hi,

I'm using NHibernate 1.2 GA. I am using it in a website which requires asp.net impersonation.

My question is, is there an easy way to get the NHibernate proxies to impersonate a specific windows domain account user with configuration?

The issue I am having is this: I can control the impersonated user when I specifically do something with a persistent object using advapi.LogonUser() but when I drop out of that context back to the user's context and do stuff with the nhibernate proxy objects and they try to contact the database then the db-context I need to get to the database doesn't exist any more and I get an error because the user's context does not have rights to access the database.

One way around this is to set up the db connection using a sql2005 login acount, but my network admins want the connection to use a domain account. So - I have to wrap the proxy objects in an impersonation context whenever they talk to the db.

I haven't dug into the nhibernate source code yet - I'm hoping there is hook I can set to switch my impersonation context whenever database access happens. Any hints as to what to look at would help greatly.

Thanks.

Well, we're imperosnating a domain account like this:
<identity impersonate="true" userName="somedomain\somedomainuser" password="somepassword" />

And then it has lots of privileges in the database and can do all operations that NHibernate tells it to.

Do you have other requirements?

Yes, sorry I didn't explain it better at the beginning.

I'm required to do this: <identity impersonate="true" />

So the context is the user logged into the site - and this user does not have access to the database.

I can roll back to the worker process context when I make specific calls to the ISession like this:

Dim ctx As System.Security.Principal.WindowsImpersonationContext = System.Security.Principal.WindowsIdentity.Impersonate(IntPtr.Zero)

Dim account as Account = session.Load<Account>(id)

ctx.Undo()

But when I access properties on Account which load/save/update to the database, the ctx is gone, so the session is getting an exception the user does not have access:

System.Web.HttpUnhandledException: Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> NHibernate.ADOException: cannot open connection ---> System.Data.SqlClient.SqlException: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

I think a good solution for this, and I haven't looked at it yet, is for me to examine the DriverConnectionProvider to see how I can Impersonate my domain user before the connection is made. I say this because the above exception is coming from:

at System.Data.SqlClient.SqlConnection.Open()
at NHibernate.Connection.DriverConnectionProvider.GetConnection()
at NHibernate.Impl.SessionFactoryImpl.OpenConnection()

Does that sound like a good approach?

Let me try to get your idea.

Requirements are:

1) Process must run with user identity (hence the impersonation)
2) Database access must NOT be done with user identity but with applicational user instead
3) Applicational user MUST NOT be a database user but instead a domain user with appropriate database rights
4) BUT the whole process cannot run with the applicational user credentials all the time because of <SOME REASON>

Is this it?

Tricky.

Yes, you have the requirements correct. The "some reason" is because we don't want to have to provision access to the database to each user account. This results in less maintenance for each user account instance.

Ok, the reasons for these requirements are clear:
2) Database access must NOT be done with user identity but with applicational user instead - BECAUSE you don't want to handle al those user permissions on the database

and

3) Applicational user MUST NOT be a database user but instead a domain user with appropriate database rights - BECAUSE your network admins want that

BUT why can't the process run all the time with the applicational user credentials? If you need to know who is the guy that asked for the page you still get that information, despite the fact that the process is running with an application account.

Do you need to access other resouces that require you to rnu with the user account?

Because if not then I guess you have no problem at all.

> Do you need to access other resouces that require you to rnu with the user account?

Yes, this is the issue - the asp.net application is provisioned by the user account.

There are other ways to address this - but I'd like to first see if I can get the NHibernate DriverConnectionProvider to do the impersonation. If not, my fallback is to use the sql login account instead of a domain account because that is the least amount of work (for me - the admins have a different perspective of course).

Well I'd probably go for the db account.

All that context switching might incur in a performance penalty. I'd check what the overhead for that is.

Good luck!

As I understand your situation, you are allowing NHibernate to do the connection management. Have you tried providing your own connection. That is, switch to the context that has DB rights, create and open an IDbConnection, call ISessionFactory.OpenSession(IDbConnection conn), and then revert to the user's context. You would be responsible for managing the connection, i.e., closing it when you are finished with the request, etc., but it will have been opened with an identity that has the DB rights you want.