Database.TrustedUser and web applications

Background

When building a client side SDK application authentication is rarely anissue, you simply connect your database and allow it to connect using the user's credentials.  Server side applications can be a little more complex and require some form of impersonation.

.Net impersonation

In the past when we have built web application or web services we have sometimes relied on .Net impersonation.  This allows us to impersonate the credentials used by the browser (assuming authentication is enabled in IIS but has a few issues, including:

  • challenges when using multiple domains,
  • inability to plug in 3rd party authentication providers, and
  • without careful design a requirement to allow all impersonated users access to the server operating system.

Database.ConnectAs()

The Database object has a method called ConnectAs(), which due to the fact that you must pass the username and password is of limited value.

Database.SpawnImpersonatedDatabase()

To the best of my knowledge this exists only for backwards compatibility, I do not recommend using it.

Database.TrustedUser

This is where you should be if you are creating a server side application, such as a web site or web service.  TrustedUser requires that the credentials used to run the application have permission to impersonate other users, there are two ways for a user account to have this permission, if it is:

  • the same account used to run the workgroup server, or
  • an account registered in 'trusted server accounts' in Enterprise Studio.

For an IIS web application that user that must have this permission is the Identity used by the Application Pool attached to the IIS application.

Once you are running as one of these users then you can impersonate any RM user like this:

using (Database database = new Database())
{
    database.Id = "H1";
    database.WorkgroupServerName = "local";
    database.TrustedUser = "PersonA";
    database.Connect();
}


Written on September 23, 2015