Re: Web Server connecting to db server on different machines
- From: "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 31 Mar 2006 07:47:44 -0600
Setting up the various SPNs and enabling constrained delegation (if your AD
is 2003) isn't a big deal and is quite secure. If they are concerned about
their privileged domain admin accounts being delegated, they can flag them
as "sensitive and cannot be delegated".
Joe K.
"Ben" <ben_1_ AT hotmail DOT com> wrote in message
news:1DB1C294-985C-4CF8-BF10-9D0585CC3E9A@xxxxxxxxxxxxxxxx
Dominick
Thanks for the replies (again).
That solution won't work for us as we are building security into the
database to identify which data a user has access to based on their domain
account.
I will have to investigate either delegation or having the web server
reside on the same machine as the database.
Thanks again.
"Dominick Baier [DevelopMentor]" wrote:
hi - no problem -
not really a good one -
but the general idea is that you do authentication, authorization and
auditing in the middle tier and access the back-end resource using the
middle tier server credentials as opposed to the client ones...
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Sorry for the question, but do you have a link that describes the
trusted subsystem design?
Thanks for your help!
"Dominick Baier [DevelopMentor]" wrote:
Hi,
if you want to delegate client credentials - Kerberos is the only
way to go.
You could disable delegation and use a trusted subsystem design to
access the back-end resources.
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Thank you.
Seeing as I may not be able to convince our AD services group to do
this, is there another option?
Thanks.
"Dominick Baier [DevelopMentor]" wrote:
http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/default.aspx
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hello
I'm creating an asp.net web app that will need to connect to a SQL
Server db on another machine. I have set this up using trusted
connections and impersonation in the web.config file but I am
getting a "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'"
message. I need this to work through domain accounts on both
machines.
Currently, it will work if I am using the machine where the web
app resides (ie. http://localhost/webapp/page.aspx) but I get the
above message when using another remote machine.
Any help is appreciated.
Ben
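
Added example, not part of the original thread: a Python audit of the delegation settings discussed above (SPNs, constrained delegation targets, and the "sensitive and cannot be delegated" flag), run over exported AD attributes. The account names, hosts and the `MSSQLSvc/` allow-list are constructed for illustration; the `userAccountControl` bit values are the documented ADS_UF_* flags.

```python
# Added example: review delegation settings from exported AD attributes.
TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained delegation
NOT_DELEGATED = 0x100000           # "Account is sensitive and cannot be delegated"

def audit(accounts, backend_spn_prefix="MSSQLSvc/"):
    """Return sorted (account, finding) pairs for settings that need review."""
    findings = []
    for a in accounts:
        name = a["sAMAccountName"]
        uac = a["userAccountControl"]
        targets = a.get("msDS-AllowedToDelegateTo", [])
        # Privileged accounts should carry the "sensitive" flag.
        if a.get("adminCount") == 1 and not uac & NOT_DELEGATED:
            findings.append((name, "privileged account can be delegated"))
        # Unconstrained delegation lets the service reuse the caller anywhere.
        if uac & TRUSTED_FOR_DELEGATION:
            findings.append((name, "unconstrained delegation enabled"))
        # Without an SPN on the front end, clients cannot get a Kerberos ticket for it.
        if targets and not a.get("servicePrincipalName"):
            findings.append((name, "delegation targets set but account has no SPN"))
        # Constrained delegation should list only the expected back-end service.
        for spn in targets:
            if not spn.startswith(backend_spn_prefix):
                findings.append((name, f"delegates to unexpected service {spn}"))
    return sorted(findings)

# Constructed sample records (hypothetical accounts and hosts).
SAMPLE = [
    {"sAMAccountName": "svc-web", "userAccountControl": 0x200,
     "servicePrincipalName": ["HTTP/web01.corp.example"],
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/db01.corp.example:1433"]},
    {"sAMAccountName": "svc-legacy", "userAccountControl": 0x200 | 0x80000,
     "servicePrincipalName": ["HTTP/old01.corp.example"]},
    {"sAMAccountName": "adm-alice", "userAccountControl": 0x200, "adminCount": 1},
    {"sAMAccountName": "adm-bob", "userAccountControl": 0x200 | 0x100000,
     "adminCount": 1},
    {"sAMAccountName": "svc-report", "userAccountControl": 0x200,
     "msDS-AllowedToDelegateTo": ["cifs/fs01.corp.example"]},
]

if __name__ == "__main__":
    for account, finding in audit(SAMPLE):
        print(f"{account}: {finding}")
```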