How to access SQL Server across domains using Windows authentication only

Important: I need to use ONLY Windows authentication for this connection.

I’m trying to connect to a SQL Server database hosted on abc.network1.local using credentials from network1\<userId>, but my current Windows login belongs to a different domain network2\<userId>.

I can successfully access the database through SQL Server Management Studio by using this command: runas /netonly /user:'network1\<userId>' "C:\Program Files (x86)\Microsoft SQL Server Management Studio 18\Common7\IDE\Ssms.exe". However, I need to establish this same connection from my .NET application code and test it via POSTMAN.

Here’s my current connection string configuration:

{
  "DatabaseConnections": {
    "MainDbConnection": "Server=abc.network1.local; Database=myDatabase; Trusted_Connection=True; MultipleActiveResultSets=true"
  }
}

Can this cross-domain Windows authentication scenario actually work programmatically?

Cross-domain Windows authentication through code is significantly more complex than simply using ‘runas’ with SQL Server Management Studio (SSMS). Your current connection string is leveraging the security context of the process, which belongs to network2 and does not possess the necessary permissions for the target database.

One viable programmatic solution involves using Windows impersonation with WindowsIdentity.Impersonate. This requires authenticating against network1 through LogonUser API calls, securing a token, and executing your database operations under this impersonated context. However, this method necessitates storing credentials within your application, somewhat contradicting the essence of Windows authentication.

Alternatively, consider configuring your application service to operate under a service account that has established cross-domain trust relationships. This approach eliminates the need for runtime impersonation, although it may involve making notable infrastructure adjustments. Additionally, you can set up IIS application pools to execute under specific service accounts that are configured to work across domains.
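One way to implement the impersonation described above, as an added example (C#, not code from the original post): it P/Invokes LogonUser with LOGON32_LOGON_NEW_CREDENTIALS, which gives the same "network-only" semantics as the runas /netonly command in the question, and then opens the SqlConnection inside WindowsIdentity.RunImpersonated. It assumes .NET on Windows with System.Data.SqlClient referenced, and that the network1 password is supplied through an environment variable NETWORK1_SQL_PASSWORD (an assumed name) rather than being hardcoded.

```csharp
using System;
using System.ComponentModel;
using System.Data.SqlClient;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

static class CrossDomainSql
{
    // Same semantics as "runas /netonly": the local token is unchanged and the
    // supplied credentials are used only for outbound network authentication.
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_WINNT50 = 3;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out SafeAccessTokenHandle token);

    // Runs one query under the network1 credentials and returns its scalar result.
    public static int CountTables(string connectionString, string domain,
                                  string user, string password)
    {
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out SafeAccessTokenHandle token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        using (token)
        {
            return WindowsIdentity.RunImpersonated(token, () =>
            {
                using var conn = new SqlConnection(connectionString);
                conn.Open(); // Integrated auth now negotiates as network1\user
                using var cmd = new SqlCommand("SELECT COUNT(*) FROM sys.tables", conn);
                return (int)cmd.ExecuteScalar();
            });
        }
    }

    static void Main()
    {
        // Assumed: the secret comes from the environment or a secret store, never source code.
        string password = Environment.GetEnvironmentVariable("NETWORK1_SQL_PASSWORD")
            ?? throw new InvalidOperationException("NETWORK1_SQL_PASSWORD is not set");
        string cs = "Server=abc.network1.local; Database=myDatabase; "
                  + "Trusted_Connection=True; MultipleActiveResultSets=true";
        Console.WriteLine(CountTables(cs, "network1", "<userId>", password));
    }
}
```

Because NEW_CREDENTIALS logons are not validated locally, a wrong password does not fail at LogonUser but surfaces as a login error when conn.Open() runs, so check the SQL Server error log on abc.network1.local when diagnosing failures.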

Yeah, runas is tricky in an app. It runs under the current user context. Try impersonation or think about domain trust for easier cross-domain access. Good luck!

Have you thought about using Kerberos delegation? Maybe your network admins can help set up constrained delegation between the domains. Also, what error messages pop up when trying impersonation? Those might shed light on what’s blocking your connection.