Impersonation on remote service says Login failed for user 'NT Authority\Anonymous Logon'

TheWommies · Oct 31, 2013 · Viewed 7.2k times

I have a service that, when accessing databases, I want to use the calling identity's credentials.

Before I access a particular database I do an impersonation by:

using System.Security.Principal;
using System.Web;

// Run the database access under the caller's Windows identity, then revert
var winId = HttpContext.Current.User.Identity as WindowsIdentity;
var ctx = winId.Impersonate();
//Access Database
ctx.Undo();

This scenario works fine when the service runs locally on my PC. However when deployed on another remote PC I get the error:

Login failed for user 'NT Authority\Anonymous Logon'

as soon as it tries to access the database.

I have been told by DBAdmin that the SQL Server has an SPN.

The account under which the service runs is a domain account.

Answer

Aron · Nov 3, 2013

The problem you are most likely experiencing is Delegation as opposed to Impersonation.

I assume that in your production environment your Web Browser, your IIS Server and your SQL Server are all on different machines.

Simple Impersonation does not support Multi-Hop.

To support Multi-Hop you need to set up Kerberos with Delegation. You are going to have to set up the SPN records in your Active Directory. Once that is done, you also need to enable Delegation for the IIS machine in your AD.

In short, Delegation is a HUGE can of worms.
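The setup the answer describes (SPNs for SQL Server and the web front end, then delegation for the IIS identity), as an added PowerShell example that is not part of the question or the answer. It uses constrained delegation rather than the unconstrained kind, since the latter would let the web account impersonate callers to any service. The domain CORP, the hosts web.corp.example.com and sqlhost.corp.example.com, and the accounts svc-webapp (app pool identity) and svc-sql (SQL Server service account) are assumptions for illustration; it has to be run by a domain admin with the RSAT ActiveDirectory module and the SqlServer module installed.

```powershell
# Added example, not from the original question or answer. Names are assumptions:
#   CORP                      - the AD domain
#   web.corp.example.com      - the IIS server; the app pool runs as CORP\svc-webapp
#   sqlhost.corp.example.com  - the SQL Server; the service runs as CORP\svc-sql

Import-Module ActiveDirectory

# 1. SPNs for the SQL Server service account (the DBA said these exist already).
#    setspn -S checks for duplicate SPNs before adding, so rerunning is safe.
#    Both the port-qualified and the unqualified form are normally registered.
setspn -S MSSQLSvc/sqlhost.corp.example.com:1433 CORP\svc-sql
setspn -S MSSQLSvc/sqlhost.corp.example.com CORP\svc-sql

# 2. HTTP SPNs on the account the IIS app pool runs as. Without them the browser
#    falls back to NTLM, and an NTLM logon carries nothing that can be forwarded
#    to SQL Server, which then sees ANONYMOUS LOGON.
setspn -S HTTP/web.corp.example.com CORP\svc-webapp
setspn -S HTTP/web CORP\svc-webapp

# 3. Allow the app pool account to delegate the caller's identity, but only to
#    the SQL Server SPNs (constrained delegation via msDS-AllowedToDelegateTo).
#    Unconstrained delegation (-TrustedForDelegation $true) is deliberately avoided.
#    The web account must also not be flagged "sensitive and cannot be delegated".
Set-ADUser -Identity svc-webapp -AccountNotDelegated $false
Set-ADUser -Identity svc-webapp -Add @{
    'msDS-AllowedToDelegateTo' = @(
        'MSSQLSvc/sqlhost.corp.example.com:1433',
        'MSSQLSvc/sqlhost.corp.example.com'
    )
}

# 4. Verify what AD now holds: the SPNs and the delegation targets.
setspn -L CORP\svc-sql
setspn -L CORP\svc-webapp
Get-ADUser -Identity svc-webapp -Properties msDS-AllowedToDelegateTo |
    Select-Object -ExpandProperty msDS-AllowedToDelegateTo

# 5. After recycling the app pool, check from the web box how SQL Server sees
#    the hop. auth_scheme should read KERBEROS; NTLM means no ticket was
#    delegated and the "Anonymous Logon" failure will persist for impersonated callers.
Invoke-Sqlcmd -ServerInstance 'sqlhost.corp.example.com' -Query @"
SELECT c.auth_scheme, s.login_name
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s ON c.session_id = s.session_id
WHERE c.session_id = @@SPID;
"@
```

Two caveats a practitioner runs into here: the callers themselves must be delegable (not in Protected Users and not flagged "Account is sensitive and cannot be delegated"), and on IIS a custom app pool identity only uses these HTTP SPNs if kernel-mode authentication is told to use the app pool credentials (useAppPoolCredentials="true" on windowsAuthentication) or is switched off, since otherwise the ticket is decrypted with the machine account instead. Step 3 grants Kerberos-only constrained delegation; protocol transition (Set-ADAccountControl -TrustedToAuthForDelegation) is only needed if the front end authenticates users by some means other than Kerberos.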