Re: How can I avoid using SQL Authentication with the Office Web Parts?

From: DarrylR (darrylr_at_nospam.com)
Date: 01/31/05

    Date: Sun, 30 Jan 2005 22:26:02 -0500
    
    

    David,

    I couldn't wait to test it, so I tried it out today. Here's what I found:

    If I log into my machine using one domain user account and then log into the
    portal using a different account (by setting User Authentication/Logon for
    the Trusted Sites zone in IE to "Prompt for user name and password"), the
    Office Web Parts access the database using the credentials of the logged on
    user, ignoring any impersonation. This was using Integrated Windows
    authentication.

    I read some documentation (for Project Server 2003, which uses some Office
    Web Components and SQL Server Analysis Services) that suggested that if you
    want to use Basic authentication to implement pass-through security, you
    must also enable Basic authentication for the Remote Data Services ISAPI
    Library (Msadcs.dll). However, I also read that creating an MSADC virtual directory
    is frowned upon in Windows Server 2003/IIS 6.0 because it creates a security
    risk. Any thoughts on this?

    With regards to Kerberos Constrained Delegation, the article that you
    referred me to states that it will only work if the machines are members of
    the same domain or trusted domains. Do you know whether delegation works
    when the extranet domain has a one-way outgoing trust with the intranet
    domain (extranet domain trusts users from the intranet domain)?

    Regards,
    Darryl R.

    "DarrylR" <darrylr@nospam.com> wrote in message
    news:u%2317oxwBFHA.3820@TK2MSFTNGP11.phx.gbl...
    > David,
    >
    > Thanks for the reply and references to suggested reading. I hadn't
    > considered the fact that I was mixing authentication methods for the
    > extranet users. I was trying to avoid a full Kerberos implementation by
    > using Basic authentication. However, I'm beginning to wonder if the Office
    > Web Parts ignore the credentials supplied by the user when integrated
    > security is specified in the connection string, and use the current Windows
    > user account instead.
    >
    > I say that because according to the NTAuthenticationProviders metabase key
    > (returned by adsutil.vbs), Kerberos is not enabled for the virtual directory
    > used by internal users (which uses Integrated Windows authentication); the
    > key value is "NTLM", not "Negotiate,NTLM". And even if Kerberos is enabled
    > by default when Integrated Windows authentication is used in IIS 6.0, I
    > haven't specifically enabled any user accounts or computers for delegation
    > or created any Service Principal Names. Therefore, I'm assuming that a true
    > double-hop should still fail, even from our intranet.
    >
    > So when I get in tomorrow, I plan to test my theory by logging into my
    > machine using one domain user account and then logging into the portal using
    > a different account. Just to be clear, I'll be logging in from our intranet,
    > so I'll be hitting the virtual directory that uses Integrated Windows
    > authentication. I'll use SQL Profiler to determine which credentials are
    > used to access the database. My guess is that it will be the credentials
    > that I use to log onto my machine. This would suggest that the Office Web
    > Parts ignore impersonation.
    >
    > I'll let you know what I find out.
    >
    > Regards,
    > Darryl R.
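The two checks Darryl's test rests on (whether the virtual directory negotiates Kerberos at all, per the NTAuthenticationProviders metabase key, and whether HTTP Service Principal Names exist for the site) as a command sequence for the IIS 6.0 / Windows Server 2003 web server. This is an added example, not code from the thread or from the products discussed; the site number (1), host name (portal.corp.example.com), domain (CORP) and application pool identity (CORP\svc_portal) are placeholders, and the steps that change settings are only what Darryl says he has not done, not an assertion that they resolve his extranet question.

```batch
@echo off
REM Added example, not from the thread. Run on the IIS 6.0 web server as a local
REM administrator. Placeholders: web site 1, host portal.corp.example.com,
REM application pool identity CORP\svc_portal.

set ADSUTIL=cscript //nologo %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs

REM 1. What does Integrated Windows authentication actually offer on this vdir?
REM    A value of "NTLM" alone means Kerberos is never negotiated, so the web
REM    server has no forwardable ticket and a double hop to SQL Server cannot work.
%ADSUTIL% get w3svc/1/root/NTAuthenticationProviders

REM 2. Offer Kerberos first and fall back to NTLM for clients that cannot get a
REM    ticket (the value IIS 6.0 uses when Kerberos is enabled).
%ADSUTIL% set w3svc/1/root/NTAuthenticationProviders "Negotiate,NTLM"

REM 3. Register HTTP SPNs on the account the application pool runs as (setspn is
REM    in the Windows Server 2003 Support Tools). Without them the KDC cannot issue
REM    a ticket for the site and IE silently falls back to NTLM even with step 2.
setspn -A HTTP/portal.corp.example.com CORP\svc_portal
setspn -A HTTP/portal CORP\svc_portal

REM 4. Confirm the registrations, then restart IIS so the metabase change is picked up.
setspn -L CORP\svc_portal
iisreset /noforce
```

Even with Kerberos negotiated and SPNs in place, the hop to SQL Server still needs the pool account to be trusted for delegation to the SQL Server service (the MSSQLSvc SPN of the database host, which SQL Server only registers itself when its service account can write to its own computer object). Darryl's SQL Profiler check remains the right way to see which principal arrives at the database: if it is still the interactive logon rather than the account typed at the prompt, the change did not take effect.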

