Re: asp.net sql trusted connections between servers

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 10/23/05


Date: Sun, 23 Oct 2005 19:38:53 +0800

If IIS and SQL are on different boxes and you are using IWA in IIS, then you
need Kerberos delegation in order for IIS to be able to delegate the user's
credentials over a second machine hop to the SQL box.

http://msdn.microsoft.com/vstudio/using/building/web/default.aspx?pull=/library/en-us/dnnetsec/html/SecNetHT05.asp?FRAME=true#ImplementKerberos
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

Joe K.

"Rob" <rob@nospamforme.com> wrote in message
news:OgwvFsj1FHA.980@TK2MSFTNGP14.phx.gbl...
> So we have a client who doesn't want to run a Service Level Account
> (either via an Application Pool or IIS impersonation) and we need to
> connect to a remote SQL Server instance w/ Read-Write permissions. They
> don't want to do it that way due to the maintenance issues with passwords
> in multiple locations.
>
> We're using an OLE connection to SQL server and currently have the
> username and password obfuscated (not strong encryption) in the connection
> string in the web.config. Looking for a better alternative.
>
> We've looked into things such as described here:
>
> http://idunno.org/dotNet/trustedConnections.aspx
>
> This is a secured, internal app: Where I'm confused is why the standard
> Windows Authentication setting for access via IIS doesn't seem to pass the
> user's credentials to the SQL Server (even with impersonate=true in
> web.config). Ideally we just wanted to have a read-write Windows group and
> add users that way. The connection to SQL with impersonation and Windows
> Authentication remains either IIS or the Application Pool Identity?
>
> So, two questions:
>
> 1. Is this impersonation behavior with IIS and Windows Authentication
> documented anywhere (need to show them via a reliable source this doesn't
> work beyond the fact that it's not working)
>
> 2. Short of encrypting the user connection information in the registry
> (also a maintenance hassle) are there any other options?
>
> many thanks,
>
> Rob
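
An ASP.NET handler that makes the double hop described in the reply above visible; it is an added example, not code from the thread. `WhoAmIHandler`, `SQLHOST` and `AppDb` are placeholder names, and it assumes .NET 2.0 or later with `System.Data.SqlClient` rather than the OLE DB provider the original poster mentions.

```csharp
// Added diagnostic handler (not from the thread). Save as WhoAmI.ashx with the
// directive: <%@ WebHandler Language="C#" Class="WhoAmIHandler" %>
// Assumes IWA is enabled, anonymous access is off, and web.config has
// <identity impersonate="true" />. SQLHOST and AppDb are placeholders.
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

public class WhoAmIHandler : IHttpHandler
{
    // Placeholder connection string: no user name or password, Windows auth only.
    private const string ConnStr =
        "Data Source=SQLHOST;Initial Catalog=AppDb;Integrated Security=SSPI";

    public bool IsReusable { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.ContentType = "text/plain";
        // Identity IIS authenticated for this request (the browser user under IWA).
        ctx.Response.Write("Request user:    " + ctx.User.Identity.Name + "\n");

        // Token the thread actually runs under. With impersonate="true" this is
        // the same user, but the level shows whether it can leave this machine.
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        ctx.Response.Write("Thread identity: " + id.Name + "\n");
        ctx.Response.Write("Auth package:    " + id.AuthenticationType + "\n");
        ctx.Response.Write("Token level:     " + id.ImpersonationLevel + "\n");
        // Impersonation = usable on the IIS box only (no second hop).
        // Delegation    = Kerberos ticket that can be forwarded to the SQL box.

        try
        {
            using (SqlConnection conn = new SqlConnection(ConnStr))
            using (SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
            {
                conn.Open();
                // Login SQL Server saw for this connection.
                ctx.Response.Write("SQL login:       " + cmd.ExecuteScalar() + "\n");
            }
        }
        catch (SqlException ex)
        {
            // Without delegation the second hop usually arrives as an anonymous
            // logon and SQL Server rejects it; the message names the login it saw.
            ctx.Response.Write("SQL connect failed: " + ex.Message + "\n");
        }
    }
}
```

Remove the handler once the check is done, since it returns account names and SQL error text to the caller.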


