Re: Login failed for user '(null)'. Reason: Not associated with a
From: Paul (Paul_at_discussions.microsoft.com)
Date: 10/24/04
- Next message: Sweet_Eliza: "user account"
- Previous message: Paul: "RE: Login failed for user 'MachineName\ASPNET"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 23 Oct 2004 23:25:01 -0700
Following info might help:
ms-help://MS.MSDNQTR.2003FEB.1033/vbcon/html/vbtskAccessingSQLServerUsingWindowsIntegratedSecurity.htm
Paul
"Ken Schaefer" wrote:
> Hi,
>
> a) the session state service would be trying to connect to the SQL Server
> using ASP.NET's process identity. If this is IIS5, then the default process
> identity is MachineName\ASPNET. This is a *local* account, and can't be
> assigned permissions to network resources. You will need to use some other
> account (eg a domain account). If this is IIS 6.0 then ASP.NET uses the web
> application pool's process identity, which is NT Authority\Network Service
> by default.
>
> b) the above has nothing to do with the *user's* credentials. You are using
> Windows Authentication, but I don't know whether you are using
> *impersonation* (which is where ASP.NET impersonates the authenticated
> Windows user). If ASP.NET is using impersonation, then ASPNET (IIS5) or
> Network Service (IIS6) will not be used - instead, whatever user IIS is
> logging on will be used. This would be IUSR_<machinename> if IIS is allowing
> anonymous authentication, or the specific user if you are forcing the remote
> user to authenticate.
>
> BUT
>
> In most cases (Basic Authentication excepted), IIS does not have the user's
> username/password, so it can't directly impersonate the user when accessing
> remote resources. Instead, all IIS has is an access token, which does not
> have privileges to network resources (well it does, but only as
> "anonymous"). To get around this, you can use Kerberos Authentication, and
> enable Delegation, or you can use Basic Authentication.
>
> HOWEVER
>
> If you do this, you will defeat connection pooling, since a separate pool
> will be created for each authenticated user.
>
> Here are some useful links:
>
> Read chapter 12 from the Building Secure ASP.Net Application Book - it has
> very good information about building scalable, secure ASP.Net applications
> (eg using a trusted subsystem model):
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp?frame=true
>
> The following document explains various authentication mechanisms in IIS
> (like Basic, Digest, IWA), and how they work:
> http://www.adopenstatic.com/resources/books/293_CYA_IIS6_05.pdf
>
> The following document explains Kerberos Delegation (this is *very*
> detailed - well worth reading):
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx
>
> Some other articles:
>
> http://support.microsoft.com/?id=319723
> INF: SQL Server 2000 Kerberos support including SQL Server virtual servers
> on server clusters
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;810572
> HOW TO: Configure an ASP.NET Application for a Delegation Scenario
>
> http://support.microsoft.com/?id=294382
> Authentication May Fail with "401.3" Error If Web Site's "Host Header"
> Differs from Server's NetBIOS Name
>
> http://support.microsoft.com/default.aspx?kbid=325894
> HOW TO: Configure Computer Accounts and User Accounts So That They Are
> Trusted for Delegation in Windows Server 2003 Enterprise Edition (also
> includes Windows 2000 instructions)
>
> http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/se_con_del_computer.asp
> Configuring Users and Computers for delegation (there's a couple of pages -
> use the links in the nav bar to get to them)
>
> Windows 2003 Protocol Transition
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx
>
> Cheers
> Ken
>
>
> "Brian Fulford" <brian_fulford@newsgroup.nospam> wrote in message
> news:%231gw5htjEHA.3428@TK2MSFTNGP11.phx.gbl...
> >I am losing lots of hair over this issue. We are trying to implement
> >windows
> > authentication from a web server to a database server.
> > The web server is on a domain; the db server is not... does this matter?
> > the IUSR_machinename user from the web server has been added as an account
> > on the db server and also been to added to db logins and given access to
> > the
> > databases that it will need access to.
> >
> > My web.config has the following:
> > <authentication mode="Windows"/>
> >
> > <sessionState mode="SQLServer" sqlConnectionString="Network
> > Library=DBMSSOCN; data source=192.168.30.95; Integrated Security=SSPI;"
> > cookieless="false" timeout="20"/>
> >
> >
> > Anyone run into this?
> >
> >
> > Login failed for user '(null)'. Reason: Not associated with a trusted SQL
> > Server connection.
> > at System.Data.SqlClient.ConnectionPool.GetConnection(Boolean&
> > isInTransaction)
> > at
> > System.Data.SqlClient.SqlConnectionPoolManager.GetPooledConnection(SqlConnec
> > tionString options, Boolean& isInTransaction)
> > at System.Data.SqlClient.SqlConnection.Open()
> > at System.Web.SessionState.SqlStateConnection..ctor(String
> > sqlconnectionstring)
> >
> >
>
>
>
- Next message: Sweet_Eliza: "user account"
- Previous message: Paul: "RE: Login failed for user 'MachineName\ASPNET"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
