Re: Integrated Authentication with SQL
From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 10/07/05
- Next message: Scott Elgram: "Re: Integrated Authentication with SQL"
- Previous message: Peter Jakab: "Re: Integrated Authentication with SQL"
- In reply to: Scott Elgram: "Re: Integrated Authentication with SQL"
- Next in thread: Scott Elgram: "Re: Integrated Authentication with SQL"
- Reply: Scott Elgram: "Re: Integrated Authentication with SQL"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 07 Oct 2005 10:53:34 -0700
Hello Scott,
Read the article I pointed you to:
http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/default.aspx
It contains all answers.
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
> Yeup, quite sure.
> From what I have been reading there are two methods Windows can use in
> this instance. The first is NTLM which is what is being used most often and
> where I think my problem is. NTLM does not allow for authentication past
> single hop and therefore can delegate or do anything fancy like that. What I
> need to use is the second method. Kerberos can impersonate, delegate and
> make additional hops. My problem, I think, is that Kerberos is not being
> used but I really don't know enough about it to troubleshoot it and have
> found very little online about exactly how to set this up.
> I was using Windows 2k with IIS 5 but because this is all experimental
> for me right now I have upgraded to Windows 2k3 and IIS 6 to see if that
> makes any difference.
>
> -Scott
>
> "Peter Jakab" <someone@from.hu> wrote in message
> news:eRAslZyyFHA.3864@TK2MSFTNGP12.phx.gbl...
>> Scott, are you sure, that in IIS manager for the application you
>> disabled anonymous access?
>>
>> (find your application, right click, properties, directory security,
>> anonymous access and identity control, click edit, and be sure that
>> anonymous access is unchecked, AND integrated windows authentication
>> is checked)
>>
>> It should work, in case there is just 1 hop!
>>
>> Best regards
>>
>> Peter
>>
>> "Scott Elgram" <SElgram@verifpoint.com> wrote in message
>> news:ehqT9GfyFHA.3864@TK2MSFTNGP12.phx.gbl...
>>
>>> Hello,
>>> I am trying to create a site using integrated windows authentication to
>>> access SQL databases. All the tutorials I have found so far require that
>>> both SQL server and IIS reside on the same server. This is a problem for
>>> me because I need to access multiple SQL servers from the same site so a
>>> stand alone web server would be ideal.
>>> From what I have been able to gather so far:
>>> - "Anonymous Access" is unchecked and "Windows Integrated
>>> Authentication" is checked in IIS
>>> - The machine running IIS must be set as "trusted for delegation" in
>>> active directory.
>>> - The domain user accounts that will be accessing the databases and
>>> site must not be marked "Account is sensitive and cannot be delegated".
>>> - The tags <Identity impersonate="true"> and <Authentication
>>> mode="windows"> are set in web.config
>>> - comImpersonationLevel="Delegate" and
>>> comAuthenticationLevel="PktPrivacy" are set in machine.config
>>> After all that is set then the connection string "server=SQLserver;
>>> Integrated Security=SSPI; Trusted_Connection=YES; database=SQLdatabase"
>>> should be able to connect to the SQL database using the client's
>>> credentials.
>>> However, I receive the following error:
>>> --------------------------------------------------------------------
>>> Exception Details: System.Data.SqlClient.SqlException: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
>>> Stack Trace:
>>>
>>> [SqlException: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.]
>>> System.Data.SqlClient.ConnectionPool.GetConnection(Boolean& isInTransaction) +472
>>> System.Data.SqlClient.SqlConnectionPoolManager.GetPooledConnection(SqlConnectionString options, Boolean& isInTransaction) +370
>>> System.Data.SqlClient.SqlConnection.Open() +383
>>> Rules.WebForm1.Page_Load(Object sender, EventArgs e) in d:\inetpub\wwwroot\rules\rules.aspx.cs:47
>>> System.Web.UI.Control.OnLoad(EventArgs e) +67
>>> System.Web.UI.Control.LoadRecursive() +35
>>> System.Web.UI.Page.ProcessRequestMain() +750
>>> --------------------------------------------------------------------
>>>
>>> Any help in resolving this problem would be greatly appreciated.
>>>
>>> Thanks,
>>>
>>> -- -Scott
>>>
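
One way to test the suspicion raised in the thread that Kerberos is not being used: classify the token in the browser's `Authorization` header, as captured in a proxy or HTTP trace, as NTLM or Kerberos. This is an added example, not part of the original messages; the function names and the sample tokens are constructed for illustration.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                       # starts every NTLM message
# DER-encoded mechanism OIDs that appear in SPNEGO/GSS-API tokens
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLM = bytes.fromhex("060a2b06010401823702020a")     # 1.3.6.1.4.1.311.2.2.10


def classify_authorization(header_value):
    """Classify an HTTP Authorization header value as NTLM, Kerberos, other or none."""
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() not in ("negotiate", "ntlm"):
        return "none"                      # anonymous, Basic, Digest, ...
    try:
        token = base64.b64decode(parts[1], validate=True)
    except ValueError:                     # binascii.Error is a ValueError
        return "other"
    # NTLM is sent raw or wrapped in SPNEGO; both carry the NTLMSSP signature.
    if NTLMSSP_SIGNATURE in token:
        return "NTLM"
    # A GSS-API initial token (tag 0x60) naming a Kerberos mechanism carries a
    # service ticket, even when NTLM is also listed as a fallback mechanism.
    if token[:1] == b"\x60" and (OID_KRB5 in token or OID_MS_KRB5 in token):
        return "Kerberos"
    return "other"


def constructed_samples():
    """Truncated, constructed tokens: enough structure to classify, not valid tickets."""
    ntlm_type1 = NTLMSSP_SIGNATURE + struct.pack("<I", 1) + b"\x00" * 24
    spnego_ntlm = b"\x60\x40" + OID_SPNEGO + b"\xa0\x36" + OID_NTLM + ntlm_type1
    spnego_krb = (b"\x60\x82\x04\x00" + OID_SPNEGO + b"\xa0\x30"
                  + OID_MS_KRB5 + OID_KRB5 + OID_NTLM + b"\x6e\x82\x03\x00" + b"\x00" * 16)
    enc = lambda raw: base64.b64encode(raw).decode("ascii")
    return {
        "raw NTLM": "NTLM " + enc(ntlm_type1),
        "NTLM inside Negotiate": "Negotiate " + enc(spnego_ntlm),
        "Kerberos inside Negotiate": "Negotiate " + enc(spnego_krb),
        "Basic": "Basic dXNlcjpwYXNz",
    }


if __name__ == "__main__":
    for name, header in constructed_samples().items():
        print(f"{name:28} -> {classify_authorization(header)}")
```

A result of `NTLM` on requests to the site matches the single-hop limit described in the quoted message, where the connection to a remote SQL Server arrives as `NT AUTHORITY\ANONYMOUS LOGON`.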