Re: Windows (Trusted) Authentication and SQL Server

From: Aaron Margosis [MS] (aaronmaronline@microsoft.com)
Date: 07/07/02


From: "Aaron Margosis [MS]" <aaronmaronline@microsoft.com>
Date: Sun, 7 Jul 2002 12:06:38 -0400


The best documentation on the subject (that I've seen) is in "Designing
Secure Web Based Applications for Windows 2000", by Michael Howard.
Microsoft Press.

As I recall, here's what you need:
* Active Directory accounts;
* Integrated Windows authentication on the front end (using Kerberos, not
  NTLM);
* The account whose credentials are being delegated must be a domain account
  and must not be marked as "sensitive" in Active Directory (sensitive - not
  allowed to be delegated). By default, accounts are not marked as sensitive.
* The computer on which the delegation takes place (e.g., the IIS server) must
  be marked in Active Directory as trusted for delegation. (This is NOT set
  by default.) Note that the final computer in the chain (e.g., the SQL
  Server) does not need to be marked as trusted.
* The process that is *doing* the delegation (e.g., a COM+ application on a
  middle tier server) runs as a particular user account. *That* account must
  either be local system on a trusted computer, or must be a domain account
  that is marked as trusted for delegation in AD. (This is NOT set by
  default.)

The determination as to whether credentials can be delegated is made when
the connection is made to the server. The user's token can then be passed
to other processes (running as other users) on the same server without
changing the delegatability of the credentials. One place where this comes
into play is when an IE client connects to a web server. The web server
(IIS) is running as Local System. If the web server is trusted, the
credentials can be delegated. Delegation still works even if the user token
gets passed to a process running as the local IUSR_machine or ASPNET
accounts, which makes the remote connection (as the caller) to SQL Server.

"Leslie R. Thomas" <news@tsoftware.iwarp.com> wrote in message
news:ZWXV8.44176$eF5.1593579@twister.austin.rr.com...
> Could you possibly provide information on a knowledge base article that
> outlines delegation in this respect?
>
>
> "Aaron Margosis [MS]" <aaronmaronline@microsoft.com> wrote in message
> news:uc8mVfXJCHA.1632@tkmsftngp10...
> > The client authenticates to IIS using NTLM or Kerberos. The user's
> > credentials cannot be used by IIS to authenticate to a remote server
> > unless delegation is enabled. (This requires the use of Kerberos and
> > Active Directory accounts; also, delegation is not enabled by default.)
> > Because the code is running without network credentials, "ANONYMOUS
> > LOGON" is used for any network requests.
> >
> > If you use Basic authentication, it will work. By default, Basic
> > creates a local logon on the web server; the credentials can be used
> > to authenticate to a remote server (one hop only without delegation).
> >
> >
> > "Garth Williams" <garth.williams@iq-systems.co.uk> wrote in message
> > news:#maI$IBJCHA.2648@tkmsftngp11...
> > > Hi,
> > >
> > > I'm trying to use trusted authentication with an ASP.NET application
> > > and SQL Server. The application is configured as follows:
> > >
> > > * IIS is configured to use integrated windows authentication only
> > > * web.config has the following lines:
> > > <authentication mode="Windows" />
> > >
> > > <identity impersonate="true" />
> > >
> > > * SQL Server is configured to use trusted.
> > >
> > > This works very nicely when running the application locally (on the
> > > development machine, or directly on the live server), but when you try
> > > to run it from a remote machine I get an error saying:
> > >
> > > Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
> > >
> > > together with a stack trace that indicates that the failure happened
> > > when opening the connection to the database.
> > >
> > > It almost seems as though the web server is using trusted when you run
> > > IE from the server and anonymous when you run IE from another machine.
> > > This works fine for old ASP applications that access SQL Server, but
> > > not for ASP.NET.
> > >
> > > This has been puzzling me for a couple of days, so any ideas would be
> > > gratefully received.
> > >
> > > Thanks.
> > >
> > > Garth.
> > >
> > >
> >
> >
>
>
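The delegation requirements listed in the reply above, applied as an added checker (this is example code, not from the thread or from Microsoft): it evaluates the userAccountControl flags that Active Directory stores for the delegated user, the middle-tier computer and the process account. The directory contents and account names are constructed sample data; the bit values are the well-known ADS_UF_TRUSTED_FOR_DELEGATION and ADS_UF_NOT_DELEGATED flags.

```python
# Well-known userAccountControl bits (ADS_USER_FLAG enumeration).
TRUSTED_FOR_DELEGATION = 0x80000   # "Trust computer/account for delegation"
NOT_DELEGATED = 0x100000           # "Account is sensitive and cannot be delegated"

# Constructed sample directory (not a real domain): sAMAccountName -> userAccountControl.
# 0x200 = NORMAL_ACCOUNT, 0x1000 = WORKSTATION_TRUST_ACCOUNT (a computer account).
SAMPLE_DIRECTORY = {
    "alice": 0x200,                               # ordinary user, may be delegated
    "bob": 0x200 | NOT_DELEGATED,                 # marked "sensitive" in ADUC
    "WEB01$": 0x1000 | TRUSTED_FOR_DELEGATION,    # IIS server, trusted for delegation
    "WEB02$": 0x1000,                             # IIS server left at the default
    "SQL01$": 0x1000,                             # final hop: needs no flag
    "svc_com": 0x200 | TRUSTED_FOR_DELEGATION,    # middle-tier service account, trusted
    "svc_plain": 0x200,                           # middle-tier service account, default
}

def check_delegation(directory, user, middle_tier, process_account,
                     front_end_auth="Kerberos"):
    """Apply the requirements from the post; return the list of failures.

    process_account is "LocalSystem" for a process running as the built-in
    local system account on middle_tier, or a domain sAMAccountName.
    """
    problems = []
    # Front end must use Kerberos; NTLM credentials cannot be delegated.
    if front_end_auth != "Kerberos":
        problems.append(f"front end uses {front_end_auth}, delegation needs Kerberos")
    # The delegated user must be a domain account that is not marked sensitive.
    user_uac = directory.get(user)
    if user_uac is None:
        problems.append(f"{user}: not a domain account")
    elif user_uac & NOT_DELEGATED:
        problems.append(f"{user}: marked sensitive, cannot be delegated")
    # The computer doing the delegation must be trusted (off by default).
    if not directory.get(middle_tier, 0) & TRUSTED_FOR_DELEGATION:
        problems.append(f"{middle_tier}: not trusted for delegation")
    # LocalSystem inherits the computer's trust, checked above; any other
    # process account must itself be a domain account trusted for delegation.
    if process_account != "LocalSystem":
        svc_uac = directory.get(process_account)
        if svc_uac is None:
            problems.append(f"{process_account}: not a domain account")
        elif not svc_uac & TRUSTED_FOR_DELEGATION:
            problems.append(f"{process_account}: not trusted for delegation")
    return problems

if __name__ == "__main__":
    for args in [("alice", "WEB01$", "LocalSystem"), ("bob", "WEB02$", "svc_plain")]:
        print(args, check_delegation(SAMPLE_DIRECTORY, *args) or "OK")
```

The SQL Server computer account (SQL01$) is deliberately left at its default flags, since the last hop needs no delegation trust.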
