Re: Windows (Trusted) Authentication and SQL Server

From: Garth Williams (garth.williams@iq-systems.co.uk)
Date: 07/08/02


Leslie,

I have tried making all the configuration changes that you suggested,
but it hasn't made any difference. The .NET framework is still trying to use
anonymous login to the database.

I can still run the application when logged in locally to the IIS machine,
but not from a remote machine. Surely it shouldn't make a difference which
machine I log into, because IIS will not run as the currently logged in
user.

Before .NET this used to be so simple, and was just a case of 1 tick box in
IIS in order to use trusted authentication. I find it hard to believe that
this is no longer possible with .NET.

Garth.

"Aaron Margosis [MS]" <aaronmaronline@microsoft.com> wrote in message
news:e8QF8CdJCHA.1632@tkmsftngp10...
> The best documentation on the subject (that I've seen) is in "Designing
> Secure Web Based Applications for Windows 2000", by Michael Howard.
> Microsoft Press.
>
> As I recall, here's what you need:
> Active Directory accounts;
> Integrated Windows authentication on the front end (using Kerberos, not
> NTLM)
> The account whose credentials are being delegated must be a domain account
> and must not be marked as "sensitive" in Active Directory (sensitive - not
> allowed to be delegated). By default, accounts are not marked as sensitive.
> The computer on which the delegation takes place (e.g., the IIS server) must
> be marked in Active Directory as trusted for delegation. (This is NOT set
> by default.) Note that the final computer in the chain (e.g., the SQL
> Server) does not need to be marked as trusted.
> The process that is *doing* the delegation (e.g., a COM+ application on a
> middle tier server) runs as a particular user account. *That* account must
> either be local system on a trusted computer, or must be a domain account
> that is marked as trusted for delegation in AD. (This is NOT set by
> default.)
>
> The determination as to whether credentials can be delegated is made when
> the connection is made to the server. The user's token can then be passed
> to other processes (running as other users) on the same server without
> changing the delegatability of the credentials. One place where this comes
> into play is when an IE client connects to a web server. The web server
> (IIS) is running as Local System. If the web server is trusted, the
> credentials can be delegated. Delegation still works even if the user token
> gets passed to a process running as the local IUSR_machine or ASPNET
> accounts, which makes the remote connection (as the caller) to SQL Server.
>
> "Leslie R. Thomas" <news@tsoftware.iwarp.com> wrote in message
> news:ZWXV8.44176$eF5.1593579@twister.austin.rr.com...
> > Could you possibly provide information on a knowledge base article that
> > outlines delegation in this respect?
> >
> > "Aaron Margosis [MS]" <aaronmaronline@microsoft.com> wrote in message
> > news:uc8mVfXJCHA.1632@tkmsftngp10...
> > > The client authenticates to IIS using NTLM or Kerberos. The user's
> > > credentials cannot be used by IIS to authenticate to a remote server unless
> > > delegation is enabled. (This requires the use of Kerberos and Active
> > > Directory accounts; also, delegation is not enabled by default.) Because
> > > the code is running without network credentials, "ANONYMOUS LOGON" is used
> > > for any network requests.
> > >
> > > If you use Basic authentication, it will work. By default, Basic creates a
> > > local logon on the web server; the credentials can be used to authenticate
> > > to a remote server (one hop only without delegation).
> > >
> > > "Garth Williams" <garth.williams@iq-systems.co.uk> wrote in message
> > > news:#maI$IBJCHA.2648@tkmsftngp11...
> > > > Hi,
> > > >
> > > > I'm trying to use trusted authentication with an ASP.NET application and
> > > > SQL Server. The application is configured as follows:
> > > >
> > > > * IIS is configured to use integrated windows authentication only
> > > > * web.config has the following lines:
> > > > <authentication mode="Windows" />
> > > >
> > > > <identity impersonate="true" />
> > > >
> > > > * SQL Server is configured to use trusted.
> > > >
> > > > This works very nicely when running the application locally (on the
> > > > development machine, or directly on the live server), but when you try to
> > > > run it from a remote machine I get an error saying:
> > > >
> > > > Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
> > > >
> > > > together with a stack trace that indicates that the failure happened when
> > > > opening the connection to the database.
> > > >
> > > > It almost seems as though the web server is using trusted when you run ie
> > > > from the server and anonymous when you run ie from another machine. This
> > > > works fine for old asp applications that access SQL Server, but not for
> > > > ASP.NET
> > > >
> > > > This has been puzzling me for a couple of days, so any ideas would be
> > > > gratefully received.
> > > >
> > > > Thanks.
> > > >
> > > > Garth.
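The three Active Directory prerequisites Aaron lists (delegated user not marked sensitive, IIS computer trusted for delegation, and the delegating process account trusted for delegation unless it is Local System) can be checked from a domain-joined machine. This is an added example, not code from anyone in the thread; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the computer and account names are placeholders.

```powershell
# Added example: audit the AD settings behind the "double hop" failure
# (SQL Server sees NT AUTHORITY\ANONYMOUS LOGON instead of the browser user).
# Placeholder names; replace with your own IIS host, process account and user.
param(
    [string]$WebServer      = 'IISWEB01',   # computer on which delegation happens
    [string]$ProcessAccount = '',           # '' means IIS/ASP.NET runs as Local System
    [string]$ClientUser     = 'garth'       # sAMAccountName of the browser user
)
Import-Module ActiveDirectory

$problems = @()

# 1. The IIS server's computer account must be trusted for delegation.
#    This is NOT set by default; the SQL Server computer does not need it.
$comp = Get-ADComputer -Identity $WebServer -Properties TrustedForDelegation
if (-not $comp.TrustedForDelegation) {
    $problems += "Computer '$WebServer' is not trusted for delegation in AD."
}

# 2. The account running the delegating process: Local System is fine on a
#    trusted computer, but a domain account must itself be trusted for delegation.
if ($ProcessAccount) {
    $svc = Get-ADUser -Identity $ProcessAccount -Properties TrustedForDelegation
    if (-not $svc.TrustedForDelegation) {
        $problems += "Process account '$ProcessAccount' is not trusted for delegation."
    }
}

# 3. The user whose credentials are forwarded must not be marked "sensitive"
#    ("Account is sensitive and cannot be delegated", i.e. AccountNotDelegated).
$usr = Get-ADUser -Identity $ClientUser -Properties AccountNotDelegated
if ($usr.AccountNotDelegated) {
    $problems += "User '$ClientUser' is marked sensitive and cannot be delegated."
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "AD delegation prerequisites are satisfied for $WebServer / $ClientUser."
}
```

A clean result here still leaves the front-end requirement from the thread: the browser must authenticate to IIS with Kerberos rather than NTLM, which no AD attribute check can confirm on its own.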
