I have a requirement where I need to be able to access a list which sits in Central Administration from an Application Page which sits on my Web Front End (WFE). The issue I have is that the Application Pool User for my WFE does not have access to the SharePoint_AdminContent database, so I get access denied; they both have their own App Pools.
In the logs it shows the following:
- Reverting to process identity
- Current user before SqlConnection.Open: Name: SharePointDemo\SPContentPool SID: S-1-5-20 ImpersonationLevel: None
- Current user after SqlConnection.Open: Name: SharePointDemo\SPContentPool: S-1-5-20 ImpersonationLevel: None
- Insufficient SQL database permissions for user 'SPContentPool' in database 'SharePoint_AdminContent_53169fb3-137c-44b2-b90e-961b656e4275' on SQL Server instance 'SPNSQL'. Additional error information from SQL Server is included below. The EXECUTE permission was denied on the object 'proc_EnumLists', database 'SharePoint_AdminContent_53169fb3-137c-44b2-b90e-961b656e4275', schema 'dbo'.
I have tried to RunWithElevatedPrivileges as well as trying Daniel Larson's method (http://daniellarson.spaces.live.com/blog/cns!D3543C5837291E93!1919.entry), which uses the SharePoint\System user token, but it only seems to elevate as high as the Application Pool.
I am hoping there is an easy way to impersonate the Application Pool of the Admin Web Application but have been unable to find a way to do so yet... or change the process identity to one which has access.
Any thoughts, ideas or solutions are thankfully received!
Phill
The problem is that the CA Application Pool and the WFE Application pool most likely run under different accounts, which is best practice though annoying when you are a developer. There is no amount of Elevating Privileges you can do using SPSecurity.RunWithElevatedPrivileges to get around this.
Providing your security policy allows this, you can give the application pool that runs your WFE Web Application the same credentials as the Central Administration Application Pool.
This can be done using the Service Accounts screen at:
http:///_admin/FarmCredentialManagement.aspx
If you go down the web service route, you may want to roll your own web service to prevent too much 'chatting' over HTTP.