RE: problem connecting to dbase from webservice with impersonation



Hello Nadav,

From your description, you have an ASP.NET 2.0 webservice application which
will access a remote SQL Server instance, so you want to let your ASP.NET
application run under a domain account so as to access the remote SQL
Server. Your current implementation configures the domain account as the
IIS virtual directory's anonymous user identity and sets impersonate=true in
web.config so as not to expose username/password credentials in the web.config
file. However, you found this does not work and results in the "Login failed for
user The user is not associated with a trusted SQL Server connection."
error. If there is anything I missed, please feel free to correct me.


As you mentioned that the same setting works well for ASP.NET 1.1, based on
my experience, there is no such significant change from ASP.NET V1 to V2.
For your scenario, I've also tested according to your setting in my local
environment and such a solution can work well for connecting to a remote SQL
Server through a domain account. There is no particular difference in this
between ASP.NET V1 and V2.

As for the problem you met, I think it is likely environment specific. I
think you can have a check on the following things:

1. As for the connection string, are you specifying the "integrated
security=true" option as below?

<add name="TestConnectionString"
     connectionString="Data Source=sha-weilu-test;Initial Catalog=Test;Integrated Security=True"
     providerName="System.Data.SqlClient" />

2. Since you configure your ASP.NET application to impersonate and run
under a domain account, have you granted that domain account sufficient
permission for accessing any necessary ASP.NET resources? For .NET 2.0,
you can use the aspnet_regiis -ga command to grant a given account
sufficient permission to execute ASP.NET code:

#ASP.NET IIS Registration Tool (Aspnet_regiis.exe)
http://msdn2.microsoft.com/en-us/library/k6h9cz8h.aspx

3. Based on the debugger trace info, when you encountered the problem, the
authentication type displays "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", which
does not make clear whether it uses NTLM or Kerberos (the two main protocols for
integrated Windows authentication). It is possible that the anonymous
account's login is not authenticated through one of the valid integrated
Windows authentication protocols and results in the "login failed" at the SQL
Server side. (In my local test under ASP.NET 2.0, it displays "kerberos".)

For this point, you can check your IIS virtual directory or site's
authentication setting to see whether it is configured to use NTLM or
Kerberos (negotiate); the following KB article demonstrates how to
configure this in IIS. You can even force your ASP.NET 2.0 webservice's
virtual directory to use NTLM only, as a test, to see whether it works. (NTLM
is enough for accessing a remote resource under a single hop.)

#How to configure IIS to support both the Kerberos protocol and the NTLM
protocol for network authentication
http://support.microsoft.com/kb/215383/en-us

Just some of my understanding and suggestion. Please feel free to let me
know if you have anything unclear or any further finding.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead






This posting is provided "AS IS" with no warranties, and confers no rights.
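
Added example, not part of the original post or of any Microsoft sample: a temporary diagnostic web method that reports the identity and authentication type the request thread is running under, then opens the connection with the "TestConnectionString" entry shown in point 1 and asks SQL Server which login it sees. The class name, method name and XML namespace are hypothetical.

```csharp
// Added diagnostic example; assumes the web.config entry "TestConnectionString"
// from the post and <identity impersonate="true" /> being in effect.
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Text;
using System.Web.Services;

[WebService(Namespace = "http://example.invalid/diag")] // placeholder namespace
public class IdentityDiag : WebService
{
    [WebMethod]
    public string WhoAmI()
    {
        StringBuilder sb = new StringBuilder();

        // Identity of the executing thread. With impersonation and anonymous
        // access this should be the domain account configured in IIS.
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        sb.AppendLine("Thread identity    : " + id.Name);
        sb.AppendLine("AuthenticationType : " + id.AuthenticationType);
        sb.AppendLine("ImpersonationLevel : " + id.ImpersonationLevel);
        sb.AppendLine("IsAnonymous        : " + id.IsAnonymous);

        string cs = ConfigurationManager
            .ConnectionStrings["TestConnectionString"].ConnectionString;
        try
        {
            using (SqlConnection conn = new SqlConnection(cs))
            using (SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
            {
                conn.Open();
                // Login name as SQL Server resolved it for this connection.
                sb.AppendLine("SQL Server login   : " + cmd.ExecuteScalar());
            }
        }
        catch (SqlException ex)
        {
            // A rejected integrated login surfaces here as "Login failed ...".
            sb.AppendLine("SQL error " + ex.Number + ": " + ex.Message);
        }
        return sb.ToString();
    }
}
```

Remove the method once troubleshooting is done, since its output discloses the service account name and the SQL login mapping to any caller.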




