Re: Passthrough authentication w/ SQL trusted connection

From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 03/25/04


Date: Thu, 25 Mar 2004 12:40:50 +1100

a) if you do this, you will lose the benefits of connection pooling, as a
separate connection will be used for each security context (each user
account will have its own pool). So, this solution will not scale to a
large number of users. It's OK if you have a small number of users.

b) the problem is double-hop authentication. When using IWA, the webserver
does not have the user's password. It just gets a token from the DC, but the
token does not have permission to logon to network resources.

Options:
a) if you are using a Windows 2000 Domain, you can enable delegation. This
allows the IIS server to impersonate the Windows account, and logon to the
backend SQL Server. You need to use Kerberos authentication for this (not
NTLM v2).

b) if you are using a Windows 2003 Domain, when you enable constrained
delegation, you can use Protocol Transition. This allows the user to
authenticate using any of a number of mechanisms to the IIS server (eg
Digest, or NTLM), and the webserver can still get a Kerberos token to logon
to the SQL Server.

Here are a few articles to get you started:

IMPORTANT:
Read chapter 12 from the Building Secure ASP.Net Application Book - it has
very good information about building scalable, secure ASP.Net applications
(eg using a trusted subsystem model):
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp?frame=true

http://support.microsoft.com/?id=319723
INF: SQL Server 2000 Kerberos support including SQL Server virtual servers
on server clusters

http://support.microsoft.com/default.aspx?scid=kb;en-us;810572
HOW TO: Configure an ASP.NET Application for a Delegation Scenario

http://support.microsoft.com/?id=294382
Authentication May Fail with "401.3" Error If Web Site's "Host Header"
Differs from Server's NetBIOS Name

http://support.microsoft.com/default.aspx?kbid=325894
HOW TO: Configure Computer Accounts and User Accounts So That They Are
Trusted for Delegation in Windows Server 2003 Enterprise Edition (also
includes Windows 2000 instructions)

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/se_con_del_computer.asp
Configuring Users and Computers for delegation (there are a couple of pages -
use the links in the nav bar to get to them)

Windows 2003 Protocol Transition
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx

Cheers
Ken

"Steve Kallal" <stevekallal@newsgroups.nospam> wrote in message
news:B89270A2-3362-4F46-B911-C47D852F7394@microsoft.com...
: I have been searching for an answer to this in vain. Currently we have a
hard coded SQL account for all of our ASP .NET applications. We want to use
an SQL Server trusted connection instead. In the documentation I find that I
can map all users to a single domain user such as the following:
:
: <identity impersonate="true" userName="domain\username"
password="password"/>
:
: However this is not what I want. For example, if domain\janedoe is using
the web app, then I would want domain\janedoe to be passed to SQL Server
using a trusted connection. It is not acceptable to have all users mapped to
a single domain account.
:
: I am currently using Windows Authentication in the Web App. Anonymous
access is turned OFF for the app in IIS.
:
: Thanks in Advance!
:
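The following is an added diagnostic, not code from either poster. It checks whether a user's Windows identity actually reaches SQL Server over a trusted connection once `<identity impersonate="true" />` is used without a userName/password (the change Steve's question is asking about). The server name `SQLHOST`, the database `AppDb` and the class name are assumptions; everything else is the standard .NET Framework SqlClient API.

```csharp
// Added example (not from the thread). Assumes the ASP.NET app's web.config
// contains, with hypothetical values:
//   <authentication mode="Windows" />
//   <identity impersonate="true" />      <!-- no userName/password attributes -->
// and that anonymous access is turned off in IIS, as in the original question.
using System;
using System.Data.SqlClient;
using System.Security.Principal;

public class TrustedConnectionCheck
{
    // Hypothetical server/database. "Integrated Security=SSPI" means the
    // impersonated Windows token, not a SQL login, is presented to SQL Server.
    private const string ConnStr =
        "Server=SQLHOST;Database=AppDb;Integrated Security=SSPI";

    // Returns a one-line report of the identity the request thread runs as
    // and the identity SQL Server actually received. When delegation is not
    // configured, the second hop cannot use the user's token and the login
    // fails (typically reported as NT AUTHORITY\ANONYMOUS LOGON), which is
    // the double-hop symptom described in the reply above.
    public static string Describe()
    {
        // With impersonate="true", GetCurrent() on the request thread is the
        // authenticated browser user, e.g. DOMAIN\janedoe.
        string webUser = WindowsIdentity.GetCurrent().Name;
        try
        {
            using (SqlConnection conn = new SqlConnection(ConnStr))
            using (SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
            {
                conn.Open();
                // SUSER_SNAME() is the login name SQL Server authenticated.
                string sqlUser = (string)cmd.ExecuteScalar();
                bool passedThrough = string.Equals(
                    webUser, sqlUser, StringComparison.OrdinalIgnoreCase);
                return string.Format(
                    "web identity={0}; sql identity={1}; pass-through {2}",
                    webUser, sqlUser, passedThrough ? "OK" : "MISMATCH");
            }
        }
        catch (SqlException ex)
        {
            // Login failure here usually means Kerberos delegation is not in
            // effect for the IIS computer account (see the KB links above).
            return string.Format(
                "web identity={0}; SQL login failed ({1}); delegation not in effect",
                webUser, ex.Message);
        }
    }
}
```

Put a call to `TrustedConnectionCheck.Describe()` on a test page and browse to it as two different domain users: the report should name each user in turn. Note that this is exactly the pattern Ken's point (a) warns about: because the connection string is identical but the security context differs, SqlClient keeps a separate pool per Windows identity, so the approach suits a small user population rather than a large one.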
