Re: ASP.NET to SQL Server Int Security

From: Willy Denoyette [MVP] (willy.denoyette@pandora.be)
Date: 09/03/02 

From: "Willy Denoyette [MVP]" <willy.denoyette@pandora.be>
Date: Tue, 3 Sep 2002 22:35:25 +0200

If the SQL and IIS server are separate boxes, you can't authenticate a browser client without Kerberos delegation setup correctly.
This requires an AD domain, and IE 5.x or higher clients.
The domain accounts must have Delegation enabled, and the IIS server machine account must be "trusted for delegation". You also
have to register SQL server in the AD (see Books online).
Note that
- IIS may not run on a DC, as a DC cannot be trusted for delegation.
- you throw away SQL connection pooling, as connections must carry the same credentials for pooling to work.

I would suggest to install your application as a COM+ application using fixed credentials to connect to SQL, and implement role
based security at the application level.

Willy.

"Paul Lyons" <ms.news@the-lyons.com> wrote in message news:daec01c2535a$a72cfa60$9ae62ecf@tkmsftngxa02...
> Hi
>
> I'm creating a suite of applications for my corporate
> Intranet & I've been running into problems getting my
> Windows Login to carry though from the pages I access to
> SQL Server.
> I'm certain that I've missed something simple, but I just
> can't seem to see it!
>
> I'm on XP clients with W2K servers, running SQL 2000.
> * In IIS I've disabled Anonymous Access and checked
> Integrated Windows Authentication.
> * In my web.config file I have the following options set:
> <authentication mode="Windows" />
> <identity impersonate="true" />
> * My connection string specifies "SSPI"
> * I have a valid account on the SQL Server (Server Admin!)
>
> When I try to connect to the data source the I get the
> error:
> "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'",
> which is strange becuse the entry in my IIS Logs with the
> 500 error seems to have my Domain & user name listed.
>
> Has anyone encountered anything similar. Any help or
> suggestions would be gratefully received.
>
> Thanks..Paul
>
>

Relevant Pages

  • FW: Microsoft Security Advisory MS 03-007
    ... am trying to find a vulnerability tester/script and I could test it out ... Department of the Army server that had been compromised and that this ... announcement covers IIS 5.1 but not IIS 6, ... How a Hacker Uses SQL Injection to Steal Your SQL Data! ...
    (Focus-Microsoft)
  • Re: PROBLEM: ASP on IIS 5 secured via "Windows Integrated Authentication" accessing "
    ... uses NT group based permissons on the SQL Server, ... > transfered to the IIS box and IIS does a local logon. ... > delegation for all accounts. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Windows (Trusted) Authentication and SQL Server
    ... I can still run the application when logged in locally to the IIS machine, ... > The account whose credentials are being delegated must be a domain account ... > be marked in Active Directory as trusted for delegation. ... > Server) does not need to be marked as trusted. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • RE: Confusion on standard security methodologies.
    ... Application will talk to a back-end SQL ... By "back-end," I assume you mean on a different box from IIS? ... If SQL is on a separate box, you won't be able to use NT authentication ... impersonations (meaning that once passed to the IIS server, ...
    (microsoft.public.inetserver.iis.security)
  • RE: MS patch-scanner for Win-NT, 2K, IIS, SQL
    ... MS patch-scanner for Win-NT, 2K, IIS, SQL ... XML file from the following location - mssecure.xml Possible ... and on a NT 4 Server, but the scanner works fine on a W2K Server ...
    (Focus-Microsoft)