Hi,

I want my webservice to open a database connection, in this case an
AdoMDConnection, using the user credentials via Kerberos delegation. Now I am
wondering, if I need to code any impersonation into the service before
opening the connection, or if that is done automatically?

To elaborate on that... these are the identities of the ServiceAccount and
the User querying the service: System.Security.Principal.WindowsIdentity
(Name: BC\ServiceAccount,AuthenticationType: Kerberos,ImpersonationLevel:
None)
Thread.CurrentPrincipal.Identity (Name: BC\User,AuthenticationType:
Kerberos,ImpersonationLevel: Identification)

If I would simply open the connection without impersonation, the connection
would be opened with the ServiceAccount identity, which is not what I want.
On the other hand mayby the ConnectionString attribute "Impersonation
Level=Delegate" would make impersonation unnecessary...

I am experimenting with the following ConnectionString parameters:
"...Integrated Security=SSPI;SSPI = Kerberos;Impersonation Level=Delegate..."

The delegation settings and SPNs are all defined in AD, I believe 8-}

Any help appreciated here.