I need to pass the credentials (Integrated Windows Authentication) from a django website on IIS onto a backend SQL server so that it runs under the proper user context.
This is how my setup looks so far:
- Running SQL Server on `sql_sever.domain.com` under a service account `domain\svc_sqlserver`
- Running Django website on `app_server.domain.com` using IIS under a service account `domain\svc_appserver` with Windows authentication and ASP.Net Impersonation (Providers is set to `Negotiate:Kerberos -> Negotiate -> NTLM`) with `useAppPoolCredentials=True`
- Connecting to SQL server from django using Windows authentication by setting `Trusted_Connection=yes` in the connection
- Configured SPNs for Kerberos authentication both for `domain\svc_sqlserver` and `domain\svc_appserver` as follows:

  ```
  setspn -a HTTP/app_server domain\svc_appserver
  setspn -a HTTP/app_server.domain.com domain\svc_appserver
  setspn -a MSSQLSvc/sql_server.domain.com:PORT domain\svc_sqlserver
  setspn -a MSSQLSvc/sql_server.domain.com:INSTANCE domain\svc_sqlserver
  setspn -a MSSQLSvc/sql_server.domain.com domain\svc_sqlserver
  ```

- Trusted both `svc_sqlserver` and `svc_appserver` for delegation to `MSSQLSvc` services and additionally for `domain\svc_appserver` I added `HTTP` services too (from the above list)
Result:
- Kerberos authentication works on SQL Server. Confirmed by looking at auth scheme of connected users
- Kerberos authentication works on Django website. Confirmed by inspecting `WWW-Authenticate` response header and `Authorization` request header (`Negotiate` is being correctly used)
- Sql server runs only under the context of `domain\svc_appserver` when it should be running under `domain\remote_user`
I've been working on this for more than a week now but for the life of me, I can't figure out how to pass authenticated user's context from IIS to SQL Server. I went through hundreds of links I found online and I'm not sure what to do at this point.
Is there anything else that I'm missing? Is there any way in Django to set the user's context before establishing connection to database? If anyone can help, I'd really appreciate it. Thanks!
I'm using:
- django 2.0.7
- django-pyodbc-azure
- Python 3.6.5
- IIS 10, SQL Server 2014
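
The check mentioned in the post (auth scheme and login of the connected sessions), written out as a query to run on the SQL Server side. This is an added example, not part of the original question; it uses the standard `sys.dm_exec_sessions` and `sys.dm_exec_connections` views, and the account name `domain\svc_appserver` is copied from the post as an assumption about the app pool identity.

```sql
-- Added diagnostic example (not from the original post).
-- Shows, per user session, which login SQL Server actually saw and
-- whether the connection was authenticated with Kerberos or NTLM.
-- Requires VIEW SERVER STATE permission.

-- Assumption: app pool account name as given in the post; adjust as needed.
DECLARE @app_pool_account sysname = N'domain\svc_appserver';

SELECT
    s.session_id,
    s.login_name,            -- identity the session runs under
    s.original_login_name,   -- identity that opened the connection
    c.auth_scheme,           -- KERBEROS, NTLM or SQL
    c.net_transport,
    c.client_net_address,    -- should be the app server's address
    s.host_name,
    s.program_name,
    CASE
        WHEN c.auth_scheme <> 'KERBEROS'
            THEN 'not Kerberos'
        WHEN UPPER(s.login_name) = UPPER(@app_pool_account)
            THEN 'Kerberos, but as the app pool account (no end-user identity arrived)'
        ELSE 'Kerberos, login differs from the app pool account'
    END AS identity_check
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
    ON c.session_id = s.session_id
WHERE s.is_user_process = 1
  AND c.parent_connection_id IS NULL   -- skip MARS child connections
ORDER BY s.login_time DESC;
```

Running it while a browser user is hitting the site shows whether the row coming from the app server carries the browser user's login or the service account's.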