Re: Subject: impersonate="True" gives login (null) for SQL Server
- From: Dominick Baier [DevelopMentor] <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 30 Jun 2006 10:25:39 +0000 (UTC)
Hi,
Besides, I wouldn't want any of my users to type in their domain password at public terminals (key loggers, cache etc.) -
as the article mentions, this only works if you are doing Kerberos end-to-end - something you cannot do if the client does not have access to the DC.
If your web server is Windows 2003 and your domain has 2003 functionality level - you can use a feature called protocol transition to translate NTLM logins to Kerberos credentials. Otherwise you are out of luck and you have to re-design the security part of your application.
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hi Dominick,
In fact the document you mentioned was very, very good.
But I still have a problem:
The application is also to be accessed over the internet from any
computer.
The application users travel a lot, and sometimes need to access
the application from a computer in an internet café or something like
that.
The problem that I found is that when you enter the site on a computer
where you are not logged on as one of our domain users, the browser asks you to
identify yourself, which is good, but when the application tries to
access the Data server the login (null) problem arises again.
Is there a way to solve this?
Regards,
Pedro Gonçalves
"Dominick Baier [DevelopMentor]" wrote:
That's a typical two-hop problem
http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/default.aspx
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hi,
I have an application using ASP.NET 2.0 that is deployed in IIS 6.0
on a Win2003 application server.
For that application I'm using Windows authentication and
impersonation to access an SQL Server 2000 on another Win2003
application server through an integrated security connection string.
The domain is Win 2000.
On web.config file I've:
<identity impersonate="true"/>
<authentication mode="Windows"/>
The problem is that when the application tries to open the connection
it gets an error saying that it can't log on because user '(null)' is not
configured to a trust connection.
How can I configure this application and/or IIS to enable this
functionality?
Impersonating a specific user doesn't work because the stored
procedures that my web application uses in the database make a lot of use of
the caller's user identity to permit or deny access to tables and inserts
or updates. Sometimes the processing is very different according to
the user that calls the SP.
I've read that it might be a problem of configuring the ASP account to
"Act as part of OS", but I don't know exactly how to do it and where
to do it. Both machines, Web Server and Database Server, are in a
domain, but they are only application servers. The domain server is
on another computer. The ASP account on the web server is a local
account (on the web server). Do I have to change the account for
asp_wp to a domain account? And where do I give the permission to "Act
as part of OS"? In the Local Group policy of the web server or in
the Domain group policy?
Regards,
Pedro Gonçalves
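
A diagnostic for the two-hop failure discussed in this thread, added here as an example; it is not code from any poster or from the linked article. The class name, method name and connection string are hypothetical, and it assumes ASP.NET 2.0 with Windows authentication and impersonation enabled as in the posted web.config.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;

public static class SecondHopCheck
{
    // Hypothetical helper: call it from a page while <identity impersonate="true"/> is active.
    // connStr is a placeholder such as "Server=SQLHOST;Database=AppDb;Integrated Security=SSPI".
    public static string Describe(string connStr)
    {
        // Under impersonation this is the browser user's token, not the worker process account.
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        TokenImpersonationLevel level = id.ImpersonationLevel;

        string report = "User=" + id.Name
            + " AuthType=" + id.AuthenticationType
            + " Level=" + level;

        // Only a Delegation-level token can be presented to a second machine.
        // An Impersonation-level token (what an NTLM logon yields) is usable
        // on the web server only, so the hop to SQL Server arrives anonymous.
        if (level != TokenImpersonationLevel.Delegation)
            report += " [token cannot be forwarded to another server]";

        try
        {
            using (SqlConnection cn = new SqlConnection(connStr))
            using (SqlCommand cmd = new SqlCommand("SELECT SYSTEM_USER", cn))
            {
                cn.Open();
                // The login SQL Server actually sees for this request.
                report += " SqlLogin=" + Convert.ToString(cmd.ExecuteScalar());
            }
        }
        catch (SqlException ex)
        {
            // The "(null)" login failure from the thread lands here.
            report += " SqlError=" + ex.Message;
        }
        return report;
    }
}
```

Write the returned string to a server-side log rather than to the response, since it contains account names and the SQL error text.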