Hello all, would really appreciate guidance on this, I've been going in circles for some time.
Setup:
I'm using Django 1.11.9 with IIS 10 on Windows Server 2016 Datacenter edition via wfastcgi 3.0. Django talks to MS SQL via django-pyodbc-azure. The Application Pool identity uses a limited-rights AD user (not MSA or gMSA). Kerberos is set up and working. django-pyodbc-azure allows pass-through authentication, and that is working too.
Diagram:
IIS -> FastCGI -> python -> wfastcgi -> django -> django-pyodbc-azure -> pyodbc -> ms sql
At present, the incoming user at MS SQL is the same as the application pool user.
Goal:
I would like DB calls to be initiated *as the domain user that made them*, and not the IIS App Pool identity user. The DB is a legacy DB that relies on the incoming connections being made using the originating user credentials for authorisation and auditing purposes.
Attempted:
After much unsuccessful fiddling of my own, I asked the PTVS team since I imagined that wfastcgi might need to handle this (https://github.com/Microsoft/PTVS/issues/4018), and zooba suggested that the IIS team might have a better idea about this.
"I believe this would need to be a configuration option in the FastCGI module, rather than wfastcgi, as it needs to be applied before starting the worker process. wfastcgi only applies after the process is started, so there's not a lot we can do by then.
You may want to ask this on an IIS forum. We are not IIS experts here, and the people who know are unlikely to drop by."
Any idea about how to accomplish this with IIS / Django would be highly appreciated.
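The gap described in the question is that, with pass-through authentication, SQL Server sees the worker process token (the App Pool account) while IIS has separately authenticated the browser user and exposes that name to the WSGI app as REMOTE_USER. The following is an added example, not code from the post or from wfastcgi/django-pyodbc-azure: a WSGI middleware that records both identities on every request and flags when they differ, so the legacy DB's audit requirement can at least be reconciled from the application log until end-to-end impersonation is solved. The `execute` callable, the `audit.*` environ keys, the account name `CORP\svc-django` and the user `CORP\alice` are all assumptions constructed for the example; `SUSER_SNAME()` is the T-SQL function that returns the login of the current connection.

```python
import logging

# Constructed audit logger name; not part of any project on the page.
log = logging.getLogger("db_identity_audit")


def split_principal(principal):
    """Normalise a Windows principal to (domain, user), lower-cased.

    Accepts 'DOMAIN\\user', the UPN form 'user@domain.example' (only the
    first DNS label is kept as the short domain name) and a bare 'user'.
    """
    if not principal:
        return ("", "")
    if "\\" in principal:
        domain, user = principal.split("\\", 1)
    elif "@" in principal:
        user, domain = principal.split("@", 1)
        domain = domain.split(".", 1)[0]
    else:
        domain, user = "", principal
    return (domain.lower(), user.lower())


def db_login(execute):
    """Return the login SQL Server associates with the current connection.

    `execute` is an injected callable that runs one query and returns the
    first row (assumption: e.g. lambda q: cursor.execute(q).fetchone() on a
    pyodbc cursor), so the logic can be exercised without a live database.
    """
    row = execute("SELECT SUSER_SNAME()")
    return row[0] if row else ""


def identity_matches(remote_user, login):
    """True when the IIS-authenticated user and the DB login are the same principal."""
    return split_principal(remote_user) == split_principal(login)


class DbIdentityAuditMiddleware:
    """WSGI middleware: record REMOTE_USER next to the SQL Server login and warn on mismatch."""

    def __init__(self, app, execute):
        self.app = app
        self.execute = execute

    def __call__(self, environ, start_response):
        remote_user = environ.get("REMOTE_USER", "")   # set by IIS Windows auth, passed through by wfastcgi
        login = db_login(self.execute)                  # what the DB actually sees (app pool identity here)
        matched = identity_matches(remote_user, login)
        # Hypothetical environ keys so downstream views can stamp audit rows with both names.
        environ["audit.remote_user"] = remote_user
        environ["audit.db_login"] = login
        environ["audit.identity_matches"] = matched
        if not matched:
            log.warning("request by %r reaches SQL Server as %r (process identity, not the caller)",
                        remote_user, login)
        return self.app(environ, start_response)


def demo():
    """Run one constructed request through the middleware and return the audit fields."""
    def inner_app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    # Constructed stand-in for a pyodbc cursor: the connection is made with the
    # App Pool account, so SUSER_SNAME() reports that account, not the browser user.
    fake_execute = lambda query: ("CORP\\svc-django",)

    environ = {"REMOTE_USER": "CORP\\alice", "REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    app = DbIdentityAuditMiddleware(inner_app, fake_execute)
    list(app(environ, lambda status, headers: None))
    return {k: v for k, v in environ.items() if k.startswith("audit.")}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(demo())
```

With a real deployment the `execute` argument would wrap a cursor from the Django connection, and the middleware would sit outermost in the WSGI stack so the two identities are captured before any view touches the database. The warning fires on every request while the App Pool account is the only login SQL Server sees, which is exactly the condition the question describes.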