Assume that there is a certificate created in database
create certificate certName
with subject = 'subj';
GO
And a user mapped to this certificate
create user userName
from certificate certName;
GO
Trying to impersonate this user directly
execute as user = 'userName';
GO
or specifying user in the execute as
clause of the module
create procedure procName
with execute as 'userName'
as
set nocount on;
GO
returns error
Msg 15517, Level 16, State 1 …
Cannot execute as the database
principal because the principal "userName" does not exist, this type
of principal cannot be impersonated, or you do not have permission.
However, I was not able to find this restriction mentioned in documentation (here and here), where the only relevant statement seems is
user_name must exist in the current database and must be a singleton
account. user_name cannot be a group, role, certificate, key, or
built-in account, such as NT AUTHORITY\LocalService, NT
AUTHORITY\NetworkService, or NT AUTHORITY\LocalSystem.
Is it possible to impersonate user (or login) mapped to certificate or not?
Best Answer
Logins and Users created from Certificates and Asymmetric Keys cannot be impersonated. They are merely proxies for a set of permissions that will be added to any module that is signed with the same Certificate or Asymmetric Key.
Also, it doesn't really make much sense to impersonate these Logins and Users because:
EXECUTE AS
clause of theCREATE
statement) is used to create the signature. If the text changes, then the signature won't match.In the end, using Logins and/or Users created from Asymmetric Keys and Certificates replace the need for Impersonation.
Still, if looking for a more official indicator, the MSDN page for CREATE USER states:
However, not being able to login/authenticate does not mean "cannot impersonate", given that Users without a login are in that list, and you can do
EXECUTE AS USER='{user_without_login}';
.The MSDN page for CREATE LOGIN states:
While the second sentence repeats what the
CREATE USER
documentation says, the first sentence is a bit more specific: they are only for code signing.Finally, the statement of restrictions that you found in the documentation for both EXECUTE AS and the EXECUTE AS clause are correct, even though they are worded in a confusing manner. They state (bold emphasis added):
That quote was taken from the
EXECUTE AS
documentation, and theEXECUTE AS Clause
documentation (nearly the same wording) is quoted in the question. While both of those pages do use the terms "certificate" and "key", they are really meaning "Certificate-based Login/User" and "Asymmetric Key-based Login/User" respectively. I am assuming this based on the fact that the list of principal types given are all found insys.server_principals
(for Logins) andsys.database_principals
(for Users), and neither Certificates nor Asymmetric Keys would be listed in either of those system catalog views.