Re: Disable NTLM so Kerberos falls back to Basic
From: "Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org>
Date: Tue, 8 Apr 2003 10:42:09 -0400
Ah, the security guys - understood.
Do the users only access the database through the app?
There's no need to hard code anything, it's all in permissions on the
"John White" <email@example.com> wrote in message
> Hi Tom,
> Because our security guys want us to be able to explicitly restrict
> objects per user group rather than giving access to all due to the nature
> some of the data, they also don't like the thought of hard coded accounts
> "Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
> > "John White" <firstname.lastname@example.org> wrote in message
> > news:ubGhSWd$CHA.1600@TK2MSFTNGP10.phx.gbl...
> > > Hi,
> > > I have numerous ASP.NET applications which require the users to
> > > their NT accounts to access them. These applications delegate to back
> > > sql servers (2000) on other domain machines. The trouble is our client
> > > base is a mix of Win98/NT and Windows 2000. Is there a way any pre win 2000
> > > machines are forced to use Basic if they don't support Kerberos like
> > > win2k+, rather than falling back to NTLM which won't delegate??
> > >
> > > Currently we have to force all basic but management wants this stopped
> > > where possible so users are automatically "logged" in to the sites.
> > I don't know the answer, but just curious - why bother to authenticate
> > user to SQL Server? Setup and manage all your permissions on the
> > side. Just give access to info and functionality of the application to
> > accounts it's appropriate for and use one dummy service account for all
> > SQL connections.
> > --
> > Tom Kaminski IIS MVP
> > http://www.iistoolshed.com/ - tools, scripts, and utilities for running
> > http://mvp.support.microsoft.com/
> > http://www.microsoft.com/windowsserver2003/community/centers/iis/