Please help me with an Azure SQL Windows impersonation question
There is a three-tier application that uses impersonation on the service tier to connect to MS SQL as the user that started the client application.
A Kerberos ticket is used to impersonate the client user on the service, like below:
using System.Data.SqlClient;

SECURITY_HANDLE serverContext;
// final handshake leg of the SSPI exchange; the client's Kerberos ticket arrives in ClientToken
AcceptSecurityContext(ref inbound, ref serverContext, ref ClientToken, APIReference.ContextAttr, APIReference.SECURITY_NATIVE_DREP, out serverContext, out ServerToken, out uNewContextAttr, out NewLifeTime);
ImpersonateSecurityContext(ref serverContext); // secur32.dll: the calling thread now runs as the client user
SqlConnection conn = new SqlConnection("Integrated Security=True"); // works on MS SQL on premises
SqlConnection azureConn = new SqlConnection("Authentication=Active Directory Integrated"); // fails with Azure SQL (no impersonation is actually made)
RevertSecurityContext(ref serverContext); // secur32.dll: back to the service account
However, no user impersonation is made when a Kerberos ticket is used for impersonation on Azure SQL (it works with MSSQL on premises). The problem is that SQL queries are executed on Azure SQL under the service user account instead of the client user account.
Is it possible to get Kerberos ticket impersonation working with Azure SQL?
I know that there is EXECUTE AS LOGIN functionality that can be used to impersonate a user on SQL Server. But I would like to get Kerberos impersonation working if it is possible.
UPD: I've used adal.dll on the service to connect to Azure SQL.
I wrote C# code that impersonates on Azure SQL with a LogonUser token and WindowsIdentity.Impersonate() combination. However, I'd like to use Kerberos delegation if it is possible.
UPD:
I did not find a way to impersonate a user with Kerberos and connect to Azure SQL while the service is impersonating that user.
However, I've used the T-SQL EXECUTE AS USER = and REVERT commands to do database "impersonation".
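An added C# example (not the poster's code) of the EXECUTE AS USER / REVERT approach the last update settles on, with the checks a service tier should make around the context switch: confirm the principal exists, verify that USER_NAME() actually changed before running anything on the caller's behalf, and always revert before the connection goes back to the pool. The connection string, the user name and the IMPERSONATE grant are assumptions; the database user is expected to already exist and the service principal is expected to hold IMPERSONATE permission on it.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Added example (not the poster's code): run a query on Azure SQL scoped to a database
// user via EXECUTE AS USER / REVERT. Assumptions (placeholders, not from the post): the
// service opens the connection under its own identity; the target database user exists;
// the service principal holds IMPERSONATE permission on that user
// (GRANT IMPERSONATE ON USER::[name] TO [service]).
public static class ScopedExecution
{
    // The user name should come from the authenticated caller identity, never from free-form input.
    private static readonly Regex PrincipalName = new Regex(@"^[A-Za-z0-9_.@\\-]{1,128}$");

    public static DataTable RunAsDatabaseUser(string connectionString, string databaseUser, string query)
    {
        if (databaseUser == null || !PrincipalName.IsMatch(databaseUser))
            throw new ArgumentException("database user name failed validation", nameof(databaseUser));

        using (var conn = new SqlConnection(connectionString))
        {
            conn.Open();
            string serviceUser = Scalar(conn, "SELECT USER_NAME();", null);

            // Confirm the principal exists with a parameterised lookup; the name the server returns
            // is the exact value we switch to. Types: E/X = Azure AD user/group, S = SQL user, U = Windows user.
            string principal = Scalar(conn,
                "SELECT name FROM sys.database_principals WHERE name = @u AND type IN ('E','X','S','U');",
                databaseUser);
            if (principal == null)
                throw new InvalidOperationException("no such database user: " + databaseUser);

            // EXECUTE AS is sent as a plain batch, not through a parameterised command: ADO.NET wraps
            // parameterised commands in sp_executesql, and a context switch made inside that call ends
            // when it returns. Single quotes are doubled so the name stays a single string literal.
            using (var switchCmd = new SqlCommand(
                "EXECUTE AS USER = N'" + principal.Replace("'", "''") + "';", conn))
                switchCmd.ExecuteNonQuery();
            try
            {
                // Verify the switch happened before running anything on the caller's behalf.
                string current = Scalar(conn, "SELECT USER_NAME();", null);
                if (!string.Equals(current, principal, StringComparison.Ordinal))
                    throw new InvalidOperationException("context is '" + current + "', expected '" + principal + "'");

                var table = new DataTable();
                using (var cmd = new SqlCommand(query, conn))
                using (var reader = cmd.ExecuteReader())
                    table.Load(reader);
                return table;
            }
            finally
            {
                // Always return to the service identity, even when the query throws; a pooled
                // connection that is still impersonating would hand that context to the next caller.
                using (var revert = new SqlCommand("REVERT;", conn))
                    revert.ExecuteNonQuery();
                string after = Scalar(conn, "SELECT USER_NAME();", null);
                if (!string.Equals(after, serviceUser, StringComparison.Ordinal))
                {
                    // Do not let a connection in an unknown context be reused by the pool.
                    SqlConnection.ClearPool(conn);
                    throw new InvalidOperationException("REVERT did not restore the service context");
                }
            }
        }
    }

    private static string Scalar(SqlConnection conn, string sql, string userParam)
    {
        using (var cmd = new SqlCommand(sql, conn))
        {
            if (userParam != null)
                cmd.Parameters.Add("@u", SqlDbType.NVarChar, 128).Value = userParam;
            object result = cmd.ExecuteScalar();
            return result == null || result == DBNull.Value ? null : Convert.ToString(result);
        }
    }
}
```

With this shape the service principal needs only IMPERSONATE on the specific users it fronts, not a broad role: each caller's queries run under that user's own permissions, and USER_NAME() in audit output reflects the caller rather than the service account.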