Impersonation, Delegation & SQL Server

From: Rob Edwards (RobEdwards_at_Landam.com)
Date: 11/20/03


Date: Thu, 20 Nov 2003 10:28:33 -0500

I bailed on this before and just went to Basic Authentication and told the
users they would have to live with signing on again.... but now I need to
get it working...

Domain: Windows 2003
Web Server: Windows 2003
SQL Server: Windows 2000

The web server and the SQL server are trusted for delegation.
The user accounts are trusted for delegation.

The web page has <Identity Impersonate="true"> and
<Authentication mode="Windows">

I'm running into the same "double-hop" problem... even though everything
should be using Kerberos.

A user (running XP) opens a page on the web server... the web server then
tries to access the SQL Server database... but returns:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

The web server has Anonymous access turned off.
The web server has Integrated Windows authentication turned on.

IIS is running under the local system account.

The web server has been added to the SQL Server database
\\DomainName\ServerName$

I've gone round-and-round with this issue before and was never able to come
up with the solution.

Can anyone help?


