Re: SQL server acess from ASP.NET
From: Li-Yan Zhang [MS] (lyzh@online.microsoft.com)
Date: 09/14/02
- Next message: Mark Johnson: "Re: I don't really understand windows security...I need help"
- Previous message: Tony Chow: "Re: Problems implementing Logonuser() in a Windows service--I got it"
- In reply to: Eugene N Agafonov: "Re: SQL server acess from ASP.NET"
- Next in thread: Eugene N Agafonov: "Re: SQL server acess from ASP.NET"
- Reply: Eugene N Agafonov: "Re: SQL server acess from ASP.NET"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: lyzh@online.microsoft.com (Li-Yan Zhang [MS]) Date: Sat, 14 Sep 2002 15:18:06 GMT
Eugene,
When you try to leave the machine with an impersonated identity, another
concept known as delegation comes into play. You only leave the machine as
that identity if the token has network credentials . Otherwise, you leave
the machine as the anonymous user (NT AUTHORITY\ANONYMOUS LOGON).
Delegation is supported in Windows 2000 + , and only when the Kerberos
authentication protocol is used, which requires Active Directory.
Unconstrained delegation is inherently dangerous: it gives the server the
right to act as the authenticated user anywhere they have access on the
network. For that reason, many corporations don't have accounts and
machines configured in AD as trusted for delegation on corporate networks.
Roughly speaking, the following three steps are required to support
delegation:
Step 1: Verify that the user's account can be delegated in AD. The client
identity must not be marked as "Account is sensitive and cannot be
delegated" in the Active Directory Service.
Step 2: If you're running a service or application under an account other
than LocalSystem, you need to verify that the account is permitted to act
as a delegate. The server identity must be marked as "Trusted for
delegation" in the Active Directory Service.
Step 3: You also need to make sure that all computers used within the
distributed application are trusted for delegation. Check the "Computer Is
Trusted For Delegation" option for more information.
Please also note that the NTLM authentication protocol in Integrated
Windows Auth mode of IIS is not delegatable. Make sure Kerberos is used
instead.
With regard to SQL server, please also check out the URL below:
Security Account Delegation
http://msdn.microsoft.com/library/en-us/adminsql/ad_security_2gmm.asp
Well, looking back, to make delegation work, there is really a long way to
go. :-(
I might miss some points here; however, a good recommendation is to take a
look at the good book below:
Designing Secure Web Applications on Windows 2000
http://www.amazon.com/exec/obidos/ASIN/0735609950
Good luck in your project!
Thanks,
Li-Yan Zhang
VS.NET, Visual C++
Microsoft
This posting is provided "AS IS" with no warranties, and confers no rights.
Got .Net? http://www.gotdotnet.com
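A diagnostic page for the double hop the reply describes, added here as an example and not part of the original post or of Microsoft's documentation. It assumes an ASP.NET page with `<identity impersonate="true" />` and Integrated Windows Authentication, and the SQL Server name in the connection string is a placeholder; it reports the thread token's protocol and level and compares what SQL Server sees against the impersonated user.

```csharp
// Added example: shows whether the impersonated client identity actually
// reaches SQL Server, or whether the hop is made as ANONYMOUS LOGON.
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web.UI;

public partial class DelegationCheck : Page
{
    // Placeholder server name. Integrated Security makes the connection use
    // the thread's Windows token rather than a SQL login.
    const string ConnStr =
        "Server=SQLSERVER-PLACEHOLDER;Database=master;Integrated Security=SSPI";

    protected void Page_Load(object sender, EventArgs e)
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        Response.ContentType = "text/plain";

        // Whose token is the page running under after impersonation?
        Response.Write("Thread identity : " + id.Name + "\r\n");
        // Only a Kerberos logon can be delegated; NTLM cannot (see the reply).
        Response.Write("Auth protocol   : " + id.AuthenticationType + "\r\n");
        // Delegation means the token carries network credentials;
        // Impersonation means leaving the box turns into ANONYMOUS LOGON.
        Response.Write("Token level     : " + id.ImpersonationLevel + "\r\n");

        string sqlIdentity;
        try
        {
            using (SqlConnection cn = new SqlConnection(ConnStr))
            using (SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", cn))
            {
                cn.Open();
                sqlIdentity = (string)cmd.ExecuteScalar();
            }
        }
        catch (SqlException ex)
        {
            // "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" here is
            // the classic sign that steps 1-3 or Kerberos are not in place.
            sqlIdentity = "(connection failed: " + ex.Message + ")";
        }
        Response.Write("SQL sees        : " + sqlIdentity + "\r\n");

        bool delegated = string.Equals(sqlIdentity, id.Name,
                                       StringComparison.OrdinalIgnoreCase);
        Response.Write(delegated
            ? "OK: the client's identity reached SQL Server.\r\n"
            : "Double hop not working: revisit steps 1-3 and the NTLM note.\r\n");
    }
}
```

Run it once as a domain user from a browser on another machine; a local browser on the web server can mask the problem because no second hop is needed.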