Re: LogonUser API Help
From: Andrea D'Onofrio [MSFT] (andreado_at_online.microsoft.com)
Date: 12/31/03
- Previous message: Andrea D'Onofrio [MSFT]: "Re: Passing windows credentials from server to server."
- In reply to: Gabriel: "LogonUser API Help"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 31 Dec 2003 10:19:17 +0100
Hi Gabriel,
fisrt of all I suppose that IIS and SQL server are in separate machines in
the same domain.
If I have understood well, in your scenario probably the best solution is to
use the basic authentication in IIS (this will prompt the username and
password dialog box) via HTTPS, set the impersonate=true in web.config file
and then simply connect to SQL server using "Windows NT integrated
security". i.e. the connection string could be:
Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security
Info=False;Initial Catalog=dbname;Data Source=sqlservername
But if you want to omit the network username and password dialog box, you
must enable Anonymous authentication in IIS, set the form authentication in
the web.config file, impersonate via code (LogonUser API) the domain
credential inserted in a custom authentication form and then simply connect
to SQL server using "Windows NT integrated security".
In these scenarios, the users must be flagged for delegate because of the
double hop (the IIS server must use the client credential for another
authentication on SQL server).
In these articles you will find more details:
283201 HOWTO: Use Delegation in Windows 2000 with COM+
http://support.microsoft.com/?id=283201
287537 Using Basic Authentication to Generate Kerberos Tokens
http://support.microsoft.com/?id=287537
HtH,
Andrea
-- This posting is provided "AS IS" with no warranties, and confers no rights. "Gabriel" <gabrielr@robinsonsteel.com> wrote in message news:01d301c3cf1a$f1dce1f0$a501280a@phx.gbl... > Hello, > > I am trying to authenticate a windows user using > LogonUser API on our website. I am able to authenticate > and impersonate the user just fine but I need to validate > these credentials to our SQL Server connections as well. > I'm using a DSN on my server with WindowsNT > authentication using network login ID. Is it possible to > pass on the credentials to an ODBC datasource using the > LogonUser API. I have to log into our SQL Server using > the windows account I used with the LogonUser API. I > know I could use a standard SQL Server Authentication to > pass the credentials using a DSN-less string but that is > not an option for me right now. I'm trying to log into > our website using windows authentication and I want to > omit the network username and password dialog box all > together and use a form to supply the windows > credentials. So far the LogonUser API has done the trick > but it doesn't seem to be authenticating throughout the > network. Any help would be appreciated.
- Previous message: Andrea D'Onofrio [MSFT]: "Re: Passing windows credentials from server to server."
- In reply to: Gabriel: "LogonUser API Help"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
