Question : Problem executing SSIS packages via an ASP.NET web service using delegated domain accounts.

We are currently experiencing difficulties in implementing a solution which utilizes IIS 6.0 running under Windows 2003 Service Pack 1, SQL Server 2005 + Integration services and a customer .Net web service running under the .NET frame work 2.0.  

We have a Windows .NET forms application connecting to a Web Service on IIs 6.0 which then runs a SSIS package stored in the msdb of SSIS on a SQL Server 2005 machine.  The package name and all applicable parameters are sent to the SSIS package via the Web Service.

Setting the Web.config options and
allows the web service to run the SSIS packages as required.  When we do not use this username and password and rely solely on the delegation (impersonate=”true”), the web service no longer has access and we receive the following error: “Server was unable to process request. Connection to SSIS service on ‘SQLServerName’.  Access is denied”.  We have setup the which matches the instructions in the forums to fix this, however following all the different forums advice, the Web service still won’t connect unless it uses the hard coded username and password of the service account we created to temporarily allow the application to run for testing as shown above.  In doing th

The Client application has no problem in connecting to the Web Service or the DB directly.  The problem seems to lie with IIS not passing the delegated credentials of the client user through to SSIS, but could lie anywhere between the client and SSIS.

The goal is to have the Windows user credentials (which are in Active Directory) used to run the SSIS package via the Web Service, which means having the Web Service run under the same credentials.

We have followed an MSDN article entitled “How To Use Protocol Transition and Constrained Delegation in ASP.NET 2.0” which guided us through creating a service principal name for the SQL Server and allowing the IIS service to pass the user credentials through to the SQL Server however, this has not resolved the issue.  

The SQL Server 2005 instance and SSIS are currently running on them same machines and operate under the same services account. The domain accounts of the users have been grouped, and granted access to the SQL Server.  The group had been assign to the ‘db_owner’ role in the applications database.  The group has also been granted access to the ‘msdb’ database and assign the to the ‘db_dtsoperator’ role.  In SSIS, the reader and writer roles are set to ‘db_dtsoperator’ and ‘db_dtsadmin’ respectively.

The Web Service has been installed to a virtual directory located in the Default Website, and is assigned to the Default Application Pool.  The Default Application Pool is configure to run using the Network Service account.  The authentication and access control setting on both the virtual directory in which the web service resides  and the web service file have been set to ‘enable anonymous access’, (using the ‘ IUSR_Machine’ account) and Integrrated Winows Authentication.  

Kind Regards,

Answer : Problem executing SSIS packages via an ASP.NET web service using delegated domain accounts.

I don't know if this relates or not, but I have been able to force .aspx pages to authenticate the user by rejecting anonymous requests with error 30?, "Not Authorized." I include the following code at the beginning of the Page_Load event handler:

if (!Request.IsAuthenticated)
                  {
                        Response.StatusCode = 401;      //Not authorized
                        Response.StatusDescription = "HTTP 401 Not Authorized";
                        Response.End();
                        return;
                  }