Re: Authentication with IIS and SQL Server on separate machines
From: Thomas Deml [MS] (thomad@online.microsoft.com)
Date: 10/09/02
- Next message: Simon: "Re: IIS recognize only Local Users and not Local Grps"
- Previous message: Thomas Deml [MS]: "Re: Windows NT Users using IE cannot access 128 bit Certificate"
- In reply to: Ken Schaefer: "Re: Authentication with IIS and SQL Server on separate machines"
From: "Thomas Deml [MS]" <thomad@online.microsoft.com> Date: Wed, 9 Oct 2002 00:16:50 -0700
There are a couple of issues with Kerberos today:
The first problem is that you have to enable delegation on the DC.
Delegation is unconstrained. This means that whoever owns the web server can
act on behalf of every user who connects and authenticates against the IIS
box on the network. If delegation is not enabled this person can only act on
behalf of an authenticated user on the local IIS box but not on the network.
The person owns the IIS box anyway so it wouldn't buy him much.
Another problem with Kerberos is that the client (e.g. Internet Explorer)
has to get a Service ticket for the IIS machine from the DC. This basically
means that the DC needs to be directly accessible from the Internet.
In Windows .NET we solve this problem by enabling constrained delegation. A
domain admin can basically decide where the IIS box can delegate to. He
might decide to only allow delegation to a particular SQL Server box.
We also enable delegation across all protocols. This means you can come in
with whatever protocol you want (Basic, Digest, NTLM, Kerberos or SSL client
certs, even Passport); IIS would be able to get a Kerberos service ticket
for the SQL Server on your behalf.
Hope this helps.
--
Thomas Deml
Lead Program Manager
Internet Information Services
Microsoft Corp.

"Ken Schaefer" <kenRMV@THISadOpenStatic.com> wrote in message
news:OMonfA0bCHA.2616@tkmsftngp09...
> Um, you can't use Kerberos and Delegation to achieve this?
>
> (of course you'll need a Win2k/XP domain, plus the necessary settings, but
> it should work with IWA)
>
> Cheers
> Ken
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Thomas Deml [MS]" <thomad@online.microsoft.com> wrote in message
> news:OgvqOCqbCHA.2424@tkmsftngp09...
> > That's not as easy as it should be.
> >
> > To fill the REMOTE_USER, LOGON_USER or AUTH_USER variable you have to
> > authenticate the user otherwise it will be empty. If you authenticate with
> > something other than Basic you have no outbound credentials to access the
> > remote SQL box.
> >
> > You can do the following:
> > RevertToSelf within your asp page and access the SQL Server as the process
> > identity (typically IWAM whereas this identity has to be a domain account).
> > I think this is a pretty common scenario but I don't know if we have a KB
> > article that would describe what to do.
> >
> > Wife is nagging me and Conan is already on the air so I can't do it now.
> > I'll write something up and/or put some code together tomorrow.
> >
> > Does anybody know if there is a best practice document on how to connect to
> > a SQL backend using Windows Authentication on SQL Server?
> >
> > --
> > Thomas Deml
> > Lead Program Manager
> > Internet Information Services
> > Microsoft Corp.
> >
> > "Sergio Vargas" <sergio.v.vargas@gsk.com> wrote in message
> > news:808f01c26e42$91122ea0$35ef2ecf@TKMSFTNGXA11...
> > > I have SQL Server 2000 in one computer, and IIS and ASP
> > > pages in another. I need to enable Windows NT
> > > authentication through the IIS computer, because I have a
> > > users table and need to match them with the REMOTE_USER.
> > >
> > > As is suggested in the Knowledge Base Article Q247931, I
> > > used a domain account accessible to both computers, and
> > > set it as the Anonymous user in the IIS computer. This
> > > user also has permissions in the SQL Server computer. The
> > > connection can be made, but I can't detect the specific
> > > user.
> > >
> > > Is there a way to resolve this issue without having to use
> > > Basic Authentication?
> > >
> > > Thanks
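The constrained delegation and "any protocol" (protocol transition) settings Thomas describes became the msDS-AllowedToDelegateTo attribute and the TrustedToAuthForDelegation flag on the delegating account. The script below is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory PowerShell module, a web server computer account WEB01 (the account the IIS worker process runs as), and a SQL Server at sql01.corp.example with the SPN MSSQLSvc/sql01.corp.example:1433 already registered. It first audits for the unconstrained delegation the post warns about, then narrows WEB01 to the single SQL SPN.

```powershell
# Added example (not from the thread). Constructed names: WEB01, sql01.corp.example.
Import-Module ActiveDirectory

$WebServer = 'WEB01'
$SqlSpn    = 'MSSQLSvc/sql01.corp.example:1433'

# 1. Audit: accounts trusted for *unconstrained* delegation (TRUSTED_FOR_DELEGATION,
#    userAccountControl bit 0x80000). Such a host can act as every user who
#    authenticates to it, anywhere on the network. Domain controllers are expected
#    in this list; any web or application server here deserves review.
function Get-UnconstrainedDelegationAccounts {
    $filter = 'TrustedForDelegation -eq $true'
    @(Get-ADComputer -Filter $filter) + @(Get-ADUser -Filter $filter) |
        Select-Object Name, ObjectClass, DistinguishedName
}
Get-UnconstrainedDelegationAccounts | Format-Table -AutoSize

# 2. Move the web server from unconstrained to constrained delegation:
#    clear the flag, then list the only service it may request tickets for.
#    -Replace overwrites any previous target list, so the result is exactly $SqlSpn.
Set-ADAccountControl -Identity "$WebServer$" -TrustedForDelegation $false
Set-ADComputer -Identity $WebServer -Replace @{ 'msDS-AllowedToDelegateTo' = @($SqlSpn) }

# 3. Protocol transition ("use any authentication protocol"): lets IIS obtain a
#    Kerberos ticket for SQL01 on behalf of a user who arrived with Basic, Digest,
#    NTLM or a client certificate. Leave this line out to require the client to
#    present Kerberos itself, which is the tighter setting.
Set-ADAccountControl -Identity "$WebServer$" -TrustedToAuthForDelegation $true

# 4. Verify the final state of the account.
Get-ADComputer -Identity $WebServer -Properties TrustedForDelegation,
    TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo' |
    Format-List Name, TrustedForDelegation, TrustedToAuthForDelegation, msDS-AllowedToDelegateTo
```

If the IIS worker process runs as a domain service account rather than as the machine account, apply steps 2 and 3 to that account (Set-ADUser / Set-ADAccountControl) instead, since delegation rights follow the identity that requests the ticket.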