Re: Integrated Authentication with SQL

From: Peter Jakab (someone_at_from.hu)
Date: 10/07/05


Date: Fri, 7 Oct 2005 18:08:29 +0200

See

http://support.microsoft.com/?id=215383

In IIS 6 the metabase is an XML file that you can edit with Notepad.

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/7258232a-5e16-4a83-b76e-11e07c3f2615.mspx

I think Kerberos cannot be forced; Negotiate means it tries Kerberos, and
when that fails, it switches to NTLM.

Regards

Peter

"Scott Elgram" <SElgram@verifpoint.com> wrote in message
news:uo0ESY1yFHA.2372@TK2MSFTNGP10.phx.gbl...
> Yeup, quite sure.
> From what I have been reading there are two methods Windows can use in
> this instance. The first is NTLM, which is what is being used most often and
> where I think my problem is. NTLM does not allow for authentication past a
> single hop and therefore cannot delegate or do anything fancy like that. What
> I need to use is the second method. Kerberos can impersonate, delegate and
> make additional hops. My problem, I think, is that Kerberos is not being
> used, but I really don't know enough about it to troubleshoot it and have
> found very little online about exactly how to set this up.
> I was using Windows 2k with IIS 5, but because this is all experimental
> for me right now I have upgraded to Windows 2k3 and IIS 6 to see if that
> makes any difference.
>
> -Scott
>
> "Peter Jakab" <someone@from.hu> wrote in message
> news:eRAslZyyFHA.3864@TK2MSFTNGP12.phx.gbl...
>> Scott, are you sure that in IIS Manager for the application you disabled
>> anonymous access?
>>
>> (Find your application, right click, Properties, Directory Security,
>> anonymous access and identity control, click Edit, and be sure that
>> anonymous access is unchecked AND Integrated Windows authentication is
>> checked.)
>>
>> It should work, in case there is just 1 hop!
>>
>> Best regards
>>
>> Peter
>>
>> "Scott Elgram" <SElgram@verifpoint.com> wrote in message
>> news:ehqT9GfyFHA.3864@TK2MSFTNGP12.phx.gbl...
>> > Hello,
>> > I am trying to create a site using Integrated Windows Authentication to
>> > access SQL databases. All the tutorials I have found so far require that
>> > both SQL Server and IIS reside on the same server. This is a problem for
>> > me because I need to access multiple SQL servers from the same site, so a
>> > stand-alone web server would be ideal.
>> > From what I have been able to gather so far:
>> > - "Anonymous Access" is unchecked and "Windows Integrated
>> >   Authentication" is checked in IIS
>> > - The machine running IIS must be set as "trusted for delegation"
>> >   in Active Directory.
>> > - The domain user accounts that will be accessing the databases and
>> >   site must not be marked "Account is sensitive and cannot be delegated".
>> > - The tags <Identity impersonate="true"> and <Authentication
>> >   mode="windows"> are set in web.config
>> > - comImpersonationLevel="Delegate" and
>> >   comAuthenticationLevel="PktPrivacy" are set in machine.config
>> > After all that is set, the connection string "server=SQLserver;
>> > Integrated Security=SSPI; Trusted_Connection=YES; database=SQLdatabase"
>> > should be able to connect to the SQL database using the client's
>> > credentials.
>> > However, I receive the following error:
>> > --------------------------------------------------------------------
>> > Exception Details: System.Data.SqlClient.SqlException: Login failed for
>> > user 'NT AUTHORITY\ANONYMOUS LOGON'.
>> >
>> > Stack Trace:
>> >
>> > [SqlException: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.]
>> > System.Data.SqlClient.ConnectionPool.GetConnection(Boolean&
>> > isInTransaction) +472
>> > System.Data.SqlClient.SqlConnectionPoolManager.GetPooledConnection(SqlConnectionString
>> > options, Boolean& isInTransaction) +370
>> > System.Data.SqlClient.SqlConnection.Open() +383
>> > Rules.WebForm1.Page_Load(Object sender, EventArgs e) in
>> > d:\inetpub\wwwroot\rules\rules.aspx.cs:47
>> > System.Web.UI.Control.OnLoad(EventArgs e) +67
>> > System.Web.UI.Control.LoadRecursive() +35
>> > System.Web.UI.Page.ProcessRequestMain() +750
>> > --------------------------------------------------------------------
>> >
>> > Any help in resolving this problem would be greatly appreciated.
>> >
>> > Thanks,
>> >
>> > --
>> > -Scott
>> >
>> >
>>
>>
>
>


