Problem with WindowsIdentity impersonation RRS feed

  • Question

  • We are trying to setup the infrastructure in a way that our service (WorkflowServiceBackend):

        1. Obtains Windows Identity using Microsoft.IdentityModel.WindowsTokenService.S4UClient (UpnLogon method)
        2. Impersonates obtained WindowsIdentity (Impersonate())
        3. Executes SQL query on (remote) instance of SQL Server using integrated security (technically the delegation of impersonated identity).

    We expect that query is executed under the user account of obtained initially WindowsIdentity.
    PoC code:

    var imp = Microsoft.IdentityModel.WindowsTokenService.S4UClient.UpnLogon(upn);

    using (WindowsImpersonationContext ctx = imp.Impersonate())


        using (var connection = new SqlConnection(connectionString))



            var command = new SqlCommand("select SYSTEM_USER", connection);

            var name = Convert.ToString(command.ExecuteScalar());


            return string.Format("Delegated identity: {0}", name);



    We must operate in domains without Kerberos, just pure NTLM authentication.

    To make it happen we have configured SPNs for the user who is running the service and enabled delegation trust on the machine where mentioned service is running.

    When we try to authenticate in SQL server using this chain, the response is:
    “System.Data.SqlClient.SqlException (0x80131904): The target principal name is incorrect.  Cannot generate SSPI context.”

    What are we doing wrong?

    Sunday, November 23, 2014 7:37 PM