0
votes

I published a Blazor (Server side) application with Windows Authentication to IIS. I disabled "Anonymous Authentication" and enabled "Windows Authentication".

The application can display the login information ("Hello, Domain\Username!") correctly. The application connects to SQL Server using Windows integrated mode.

"ConnectionStrings": {
  "MyDatabase": "Server=DBServer;Database=DB1;Trusted_Connection=True"
}

However, it uses the system account (which is used to run IIS?) to connect to the SQL Server.

Login failed for user 'Domain\IISMachineName$'.

I tried to enable "ASP.NET Impersonation" for the IIS site and it gets the 500.24 error.

HTTP Error 500.24 - Internal Server Error

An ASP.NET setting has been detected that does not apply in Integrated managed pipeline mode.

Most likely causes:

• system.web/identity@impersonate is set to true.

1
Did you try setting app pool's pipeline mode to classic? - Eldar
I didn't do anything about pipeline mode. Where can I set the pool mode? - ca9163d9
In IIS Manager Application pools snap in -> Basic Settings -> Managed Pipeline Mode dropdown th - Eldar
Well, I have to state impersonation is totally a pain. If you managed to pass this step there will be more errors. And the question is why you need to connect to the db on behalf of users? Basically you have to grant access to every user that uses your application or the entire AD group that contains users of your application. - Eldar
Hmm. Maybe I shouldn't impersonate the user and control the permission in the application. - ca9163d9

1 Answer

1
votes

It depends on your hosting and the location of your SQL Server. As you say you host in IIS, it takes the application pool like any other web service hosted in IIS.

If SQL Server is on the same server then you can assign the application pool. You can add the application pool to your SQL Database as a Login and user.

CREATE LOGIN [IIS APPPOOL\MyBlazorAppPool] FROM WINDOWS;
CREATE USER MyBlazorAppPool FOR LOGIN [IIS APPPOOL\MyBlazorAppPool];

On a different machine you can simply create the machine hosting your Blazor app as a user.

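-- A Windows login must be given as domain\name; Domain is the placeholder used in the question.
CREATE LOGIN [Domain\computername$] FROM WINDOWS;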
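A least-privilege version of the setup in the answer above, as an added example that is not part of the original answer. The login name Domain\IISMachineName$ and the database DB1 are taken from the question; the user name BlazorApp, the role name blazor_app_role and the dbo-schema grant are assumptions to adjust.

```sql
-- Added example, not the answerer's code.
-- Assumed names: BlazorApp (database user), blazor_app_role (role).
-- Note: every service on the web server that runs as ApplicationPoolIdentity,
-- NetworkService or LocalSystem reaches SQL Server as this machine account,
-- so keep its rights as narrow as the application allows.

USE master;
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'Domain\IISMachineName$')
    CREATE LOGIN [Domain\IISMachineName$] FROM WINDOWS;
GO

USE DB1;
GO

-- Map the login to a database user instead of leaving it with server-wide rights.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'BlazorApp')
    CREATE USER BlazorApp FOR LOGIN [Domain\IISMachineName$];
GO

-- Grant through a dedicated role, not db_owner.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'blazor_app_role' AND type = 'R')
    CREATE ROLE blazor_app_role;
GO

GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO blazor_app_role;
ALTER ROLE blazor_app_role ADD MEMBER BlazorApp;
GO

-- Check 1: permissions the role actually holds.
SELECT pr.name AS principal, pe.class_desc, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'blazor_app_role';

-- Check 2: roles the application user belongs to
-- (expect only blazor_app_role; db_owner here means it is over-privileged).
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'BlazorApp';
```

Because every signed-in user shares this one database identity, per-user authorization has to be enforced inside the Blazor application, as the last comment on the question suggests.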