IIS 7 and Above
Within a domain, impersonate the incoming user via fastcgi (IIS 10, p...
Last post Apr 14, 2018 08:10 PM by lextm
Apr 14, 2018 03:00 AM|fzzylogic|LINK
Hello all, I would really appreciate guidance on this; I've been going in circles for some time.
I'm using Django 1.11.9 with IIS 10 on Windows Server 2016 Datacenter edition via wfastcgi 3.0. Django talks to MS SQL via django-pyodbc-azure. The Application Pool identity uses a limited rights AD user (not MSA or gMSA). Kerberos is set up and working.
django-pyodbc-azure allows pass-through authentication, and that is working too.
IIS -> FastCGI -> python -> wfastcgi -> django -> django-pyodbc-azure -> pyodbc -> ms sql
At present, the incoming user at ms sql is the same as the application pool user.
I would like db calls to be initiated *as the domain user that made them*, and not the IIS App Pool identity user. The db is a legacy db that relies on the incoming connections being made using the originating user credentials for authorisation and auditing.
After much unsuccessful fiddling of my own, I asked the PTVS team since I imagined that wfastcgi might need to handle this (https://github.com/Microsoft/PTVS/issues/4018) and zooba suggested that the IIS team might have a better idea about this.
"I believe this would need to be a configuration option in the FastCGI module, rather than wfastcgi, as it needs to be applied before starting the worker process. wfastcgi only applies after the process is started, so there's not a lot we can do by then.
You may want to ask this on an IIS forum. We are not IIS experts here, and the people who know are unlikely to drop by."
Any idea about how to accomplish this with IIS / Django would be highly appreciated.
Apr 14, 2018 08:10 PM|lextm|LINK
Impersonation won't come automatically. Even ASP.NET Core cannot achieve such impersonation easily https://docs.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth?view=aspnetcore-2.1&tabs=aspnetcore2x#impersonation
In your case, it would be Django/Python to connect to the database, where impersonation can only be done there. Even if IIS builds up the impersonation context (like ASP.NET 4.x), that context is locked in w3wp.exe, and cannot jump over FastCGI to the Python.
Like ASP.NET Core shows, certain APIs can carry out impersonation, but Python might never implement such for you.
As you own the whole application, there can be other ways to audit logged users and their actions on the database, even if you use a single service account to connect to the database, which you should consider.
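One way to do the in-application auditing suggested above, as an added example that is not code from either poster or from wfastcgi: read the Windows-authenticated caller from the CGI variables IIS hands to wfastcgi, validate it, and stamp it into SQL Server's SESSION_CONTEXT over the single service-account connection so triggers or audit columns can read it. It assumes IIS Windows Authentication populates REMOTE_USER/AUTH_USER/LOGON_USER, SQL Server 2016 or later (sp_set_session_context), and a pyodbc-style cursor; the WSGI middleware is a generic wrapper you would apply around Django's `application` in wsgi.py.

```python
"""Carry the IIS-authenticated domain user through wfastcgi into SQL Server
auditing via SESSION_CONTEXT, while connecting as a single service account."""
import re
import threading

# IIS Windows Authentication exposes the caller in these server variables;
# they are checked in this order (assumption: Windows auth is enabled).
_USER_VARS = ("REMOTE_USER", "AUTH_USER", "LOGON_USER")
# Accept only a well-formed DOMAIN\user token; anything else is not trusted.
_DOMAIN_USER = re.compile(r"^[A-Za-z0-9._-]{1,64}\\[A-Za-z0-9._$-]{1,64}$")
_state = threading.local()


def originating_user(environ):
    """Return the DOMAIN\\user the request authenticated as, or None
    for anonymous requests, UPN-style names or malformed values."""
    for var in _USER_VARS:
        value = environ.get(var, "")
        if _DOMAIN_USER.match(value):
            return value
    return None


class OriginatingUserMiddleware:
    """WSGI middleware: remembers the caller for the life of the request
    (hypothetical name; wrap Django's `application` with it in wsgi.py)."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        _state.user = originating_user(environ)
        try:
            return self.app(environ, start_response)
        finally:
            _state.user = None  # never leak a user into the next request


def current_user():
    return getattr(_state, "user", None)


def tag_db_session(cursor, user):
    """Record the originating user in SESSION_CONTEXT(N'app_user') so the
    database can audit the real caller even though the login is the service
    account. The value is passed as a bound parameter, never spliced into SQL."""
    if user is None:
        raise PermissionError("request has no authenticated domain user")
    cursor.execute("EXEC sp_set_session_context @key = N'app_user', @value = ?;",
                   user)
    return user
```

Call `tag_db_session(connection.cursor(), current_user())` at the start of each request's database work (for example in a Django middleware or a connection-created signal handler) so the session context is refreshed for every request, since Django reuses connections across requests.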