Re: PROBLEM: ASP on IIS 5 secured via "Windows Integrated Authentication" accessing "Integrated Security" SQL Server (separate boxes)

From: Adnan Khan (adkhan@airoom.com)
Date: 10/18/02


From: "Adnan Khan" <adkhan@airoom.com>
Date: Fri, 18 Oct 2002 09:03:34 -0500


I am facing a similar issue here.
I have two virtual directories on the same server with Integrated
Authentication (myserver/ProjectServer and myserver/CustomPortal).
The CustomPortal application tries to authenticate the user on ProjectServer before
it could use any features provided by it. Now the problem that I am facing
is:
    Environment: Win2000 (not native), .Net Framework, IIS5
When I access CustomPortal, the identity is somehow not passed on to
ProjectServer. If I use basic authentication, it works fine.
Also, if I open a browser on the myServer machine and try to access the
site, it runs fine and gets authenticated from ProjectServer too.
I have tried enabling Impersonation (in the applications' config files as well
as the .NET framework config file) as well as Delegation as specified by the
following URL:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q325894&#4

Any help would be highly appreciated.

Thanks,

Adnan Khan

"Thomas Deml [MS]" <thomad@online.microsoft.com> wrote in message
news:e0vBElBcCHA.2624@tkmsftngp09...
> Tom,
>
> I answered the question in a similar thread (you might want to look for
> it).
>
> In a nutshell:
>
> Delegation is a very privileged operation and is therefore disabled by
> default. Let's suppose you are the author of the ASP page and you get a
> Domain Administrator to enter your URL in the browser. Windows Integrated
> authentication would automatically authenticate the domain admin. Now you
> could do whatever you want in your ASP page on behalf of the Domain Admin.
> For him it looks like you're going against a SQL Server but under the
> covers you could create a new domain account with Domain Admin privileges.
> Therefore it works only on the local box and as soon as you try to hop
> onto the network you get downgraded to an anonymous user.
>
> Workarounds:
>
> 1) use Basic auth (over SSL). In this case the username/password get
> transferred to the IIS box and IIS does a local logon. You buy yourself
> another hop. With all other protocols no credentials (username/password)
> are transferred and the user identity can't be proven.
>
> 2) make sure you have a Kerberos end-to-end infrastructure and enable
> delegation for all accounts. Risky. The best description of how to do this
> can be found in Michael Howard's book "Designing Secure Web-based applications"
>
> 3) pass the user as a SQL parameter and do your authorization logic in SQL
> server
>
> 4) if you only have a few users use local accounts (domain accounts won't
> work) and create them on the IIS box as well as on the SQL box. Have the
> same passwords! Due to the nature of Windows auth it would work. Keep the
> accounts in sync.
>
> 5) use Windows.NET and IIS 6.0. We have a feature in Windows.NET called
> "constrained delegation". As a domain admin you can specify to which
> machines another machine can delegate. In your case you would configure
> that the IIS Box can delegate to the SQL box. Only delegation to the SQL
> box would succeed and all other delegation attempts would fail. Plus: You can
> come in with whatever protocol you want (digest, basic, windows auth, ssl
> client certs).
>
> Hope this helps.
>
>
> --
> Thomas Deml
> Lead Program Manager
> Internet Information Services
> Microsoft Corp.
>
>
> "Tom Rogers" <rogerst@approach.com> wrote in message
> news:u88rnp8bCHA.2524@tkmsftngp10...
> > Here is our scenario:
> >
> > o We have a W2K domain.
> >
> > o We have a W2K IIS 5.0 server in the domain (one machine).
> >   - It has a website secured via "Windows Integrated authentication"
> >   - ASP pages load just fine, that's not our problem.
> >
> > o We have a SQL 2K server in the domain (separate machine).
> >   - It has been set up in mixed mode security.
> >   - We can use query analyzer to hit the web apps database on the
> >     machine using integrated security and the credentials of a web
> >     user, that's not our problem.
> >
> > The problem is that when we run ASP pages on the IIS box that hit the
> > SQL box via ADO, we get the infamous error:
> > Microsoft OLE DB Provider for ODBC Drivers error '80040e4d'
> > [Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'NT
> > AUTHORITY\ANONYMOUS LOGON'.
> >
> > It seems that the token/credentials that are being used for the login to
> > the website are not making their way to the SQL server via the ADO
> > connection. This works JUST FINE if we use Basic Authentication.
> >
> > We have tried AD delegation between the servers and that didn't help. I
> > tried mucking with IUSR, but we really don't want anonymous access to
> > our site.
> >
> > I have spent most of the day reading newsgroups about this problem. AD
> > delegation seems to be the way to solve it, but it didn't help in our
> > case.
> > Of course, going back to Basic Authentication would solve the problem or
> > combining the SQL Server and IIS Server on the same box would solve the
> > problem...but those are available options for us.
> >
> > Regards,
> >
> > Tom Rogers
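As an added example (not part of the thread or written by any of its posters), here is the check an administrator would run today against the two Kerberos workarounds Thomas Deml describes: whether the web server's account is trusted for open-ended delegation, or constrained (Windows Server 2003, the "Windows.NET" release, and later) to named services such as the SQL box, and whether the SQL service has the SPN Kerberos needs at all. It assumes the ActiveDirectory RSAT module; IISBOX and SQLBOX are placeholder host names.

```powershell
# Added example, not from the thread. Audits how the web server's computer
# account is allowed to delegate and whether the SQL service has a Kerberos SPN.
# Assumes the ActiveDirectory module (RSAT). Host names are placeholders.
Import-Module ActiveDirectory

$iisHost = 'IISBOX'   # placeholder: web server whose account does the delegating
$sqlHost = 'SQLBOX'   # placeholder: SQL Server host the web server must reach

# On IIS 5 the ASP request runs under the machine's own identity, so the
# computer account carries the delegation settings. If a domain account is the
# worker identity instead, run the same query with Get-ADUser.
$props = 'TrustedForDelegation', 'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo'
$acct  = Get-ADComputer -Identity $iisHost -Properties $props

# Pipe through Where-Object so a missing attribute yields an empty array, not @($null).
$targets = @($acct.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

if ($acct.TrustedForDelegation) {
    # The "risky" option: any authenticated user's ticket can be forwarded to any service.
    Write-Warning "$iisHost is trusted for UNCONSTRAINED delegation (any service, any user)."
}
elseif ($targets.Count -gt 0) {
    # Constrained delegation: only the listed SPNs can be reached on the user's behalf.
    Write-Output "$iisHost may delegate only to:"
    $targets | ForEach-Object { Write-Output "  $_" }
    if (-not ($targets -like "MSSQLSvc/$sqlHost*")) {
        Write-Warning "No MSSQLSvc/$sqlHost* target: the SQL hop will arrive as ANONYMOUS LOGON."
    }
    if ($acct.TrustedToAuthForDelegation) {
        # Protocol transition: lets Basic/Digest/certificate logons be converted to
        # Kerberos for the hop, which also means the server can mint tickets for any user.
        Write-Warning "$iisHost may also use protocol transition (TrustedToAuthForDelegation)."
    }
}
else {
    Write-Output "$iisHost cannot delegate: a second hop to SQL Server will be anonymous."
}

# Kerberos (and therefore delegation) also needs an SPN for the SQL service; without
# one the client silently falls back to NTLM, which cannot delegate at all.
$spnOwner = Get-ADObject -LDAPFilter "(servicePrincipalName=MSSQLSvc/$sqlHost*)" `
                         -Properties servicePrincipalName
if (-not $spnOwner) {
    Write-Warning "No MSSQLSvc/$sqlHost* SPN found; clients will use NTLM."
}
else {
    Write-Output "MSSQLSvc SPN for $sqlHost is held by: $($spnOwner.Name)"
}
```

Run it from a domain-joined workstation with read access to Active Directory; the unconstrained-delegation warning is the condition the thread calls risky, and the missing-SPN warning explains a Kerberos setup that still logs in as ANONYMOUS LOGON.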


