Within a domain, impersonate the incoming user via fastcgi (IIS 10, python, django, wfastcgi, ms sql)RSS

1 reply

Last post Apr 14, 2018 08:10 PM by lextm

  • Within a domain, impersonate the incoming user via fastcgi (IIS 10, python, django, wfastcgi, ms...

    Apr 14, 2018 03:00 AM|fzzylogic|LINK

    Hello all, would really appreciate guidance on this, i've been going in circles for some time.

    Setup:

    I'm using Django 1.11.9 with IIS 10 on Windows server 2016 datacenter edition via wfastcgi 3.0. Django talks to MS SQL via django-pyodbc-azure. The Application Pool identity uses a limited rights AD user (not msa or gmsa). Kerberos is set up and working. django-pyodbc-azure allows pass-through authentication, and that is working too.

    Diagram:

    IIS -> FastCGI -> python -> wfastcgi -> django -> django-pyodbc-azure -> pyodbc -> ms sql

    At present, the incoming user at ms sql is the same as the application pool user.

    Goal:

    I would like db calls to be initiated *as the domain user that made them*, and not the IIS App Pool identity user. The db is a legacy db that relies on the incoming connections being made using the originating user credentials for authorisation and auditing purposes.

    Attempted:

    After much unsuccessful fiddling of my own, I asked the PTVS team since i imagined that wfastcgi might need to handle this (https://github.com/Microsoft/PTVS/issues/4018) and zooba suggested that the IIS team might have a better idea about this.

    "I believe this would need to be a configuration option in the FastCGI module, rather than wfastcgi, as it needs to be applied before starting the worker process. wfastcgi only applies after the process is started, so there's not a lot we can do by then.

    You may want to ask this on an IIS forum. We are not IIS experts here, and the people who know are unlikely to drop by."

    Any idea about how to accomplish this with IIS / Django would be highly appreciated.

  • Re: Within a domain, impersonate the incoming user via fastcgi (IIS 10, python, django, wfastcgi,...

    Apr 14, 2018 08:10 PM|lextm|LINK

    Impersonation won't come automatically. Even ASP.NET Core cannot achieve such impersonation easily https://docs.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth?view=aspnetcore-2.1&tabs=aspnetcore2x#impersonation

    In your case, it would be Django/Python to connect to the database, where impersonation can only be done there. Even if IIS builds up the impersonation context (like ASP.NET 4.x), that context is locked in w3wp.exe, and cannot jump over FastCGI to the Python part.

    Like ASP.NET Core shows, certain API can carry out impersonation, but Python might never implement such for you.

    As you own the whole application, there can be other ways to audit logged users and their actions on database, even if you use a single service account to connect to the database, which you should consider.

    Lex Li
    https://lextudio.com
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.