Channel: Forum SQL Server Database Engine

Impersonation fails when used locally?


I'm facing the strangest problem: client applications can access filestream as long as the client app is not running on the same machine as SQL Server.

Setup:

- SERVER1 running Windows 2008 R2 and member of domain DOMAINX.
- SERVER1 has SQL Server 2008 R2 64bit with filestream enabled.
- SQL Server has a local account SERVER1\FSCLIENT, which is the only Windows account with access to FileStream

Normal use case which works perfectly:

- User logs on to his/her workstation using a domain account (DOMAINX\User1)
- User opens up our application and accesses a document in SQL Server.
- Client app impersonates logon by using SERVER1\FSCLIENT credentials

This works perfectly.

However, SERVER1 is also a terminal server, and users can log on to it directly and use the client app on SERVER1.
Users log on to SERVER1 through an RDP session using their domain account.

Weird things start happening when a user logs on to SERVER1 using a domain account.
Now impersonation fails and says "User DOMAINX\User1 does not have access to database XYZ".
So it looks like impersonation does not kick in at all?

Combinations that have been tested so far

- Log on to SERVER2 with local SERVER2 account --> Access OK
- Log on to SERVER2 with domain account --> Access OK
- Log on to any WORKSTATION with domain account --> Access OK
- Log on to SERVER1 with domain account -> Fail "Account [DOMAIN ACCOUNT] does not have access to database"
- Log on to SERVER1 with local account -> Fail "Account [SERVER1\ACCOUNT] does not have access to database"

We have a sandbox domain with a similar Windows 2008 R2 / SQL Server 2008 R2 setup, and in this test environment everything works fine, even locally.

I have absolutely no idea what to check next.

