Re: IIS passing server credentials rather than user credentials



You need to verify that:
a) the browser (IE) is actually using Kerberos to authenticate to IIS, not
NTLM. NTLM is not natively delegatable. What is the URL you are using to
connect to? If it is in the Internet security zone, you will need to
manually add it to IE's Intranet security zone.

b) you need to verify that the IIS server is permitted to delegate in Active
Directory (either the machine account if you are running the web app pool as
a built-in principal like Network Service, or the user account if you are
using a custom domain account)

c) you need to verify that your Kerberos SPNs (Service Principal Names) are
correctly configured. This is done automatically if you are connecting to
http://servername or http://servername.domain.com. However, if you have
created an additional DNS CNAME or A record for this website, or you are
using the IP address of the server, then you may need to change/update your
Kerberos SPNs.

Cheers
Ken
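Check (a) can be settled from the request itself: the Authorization header IE sends shows whether it chose Kerberos or fell back to NTLM. The Python below is an added example, not Ken's code or anything shipped with IIS; it assumes you have the header value from a network trace or the application's own logging, and it constructs its own sample tokens rather than using a real logon.

```python
import base64
SPNEGO_OID = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2 (DER contents, no 0x06 tag)
KRB5_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
NTLMSSP_OID = bytes.fromhex("2b060104018237020a")  # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {KRB5_OID: "Kerberos", MS_KRB5_OID: "Kerberos", NTLMSSP_OID: "NTLM"}

def _der(tag: int, content: bytes) -> bytes:
    assert len(content) < 0x80  # short length form is enough for the constructed samples
    return bytes([tag, len(content)]) + content

def _read_tlv(buf: bytes, pos: int):
    # Decode one DER TLV at pos -> (tag, content, position after the TLV); handles long lengths
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_authorization_header(header: str) -> str:
    # Return "Kerberos", "NTLM" or "unknown" for an Authorization request header value
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() == "ntlm":
        return "NTLM"
    if scheme.lower() != "negotiate":
        return "unknown"
    try:
        token = base64.b64decode(blob, validate=True)
        if token.startswith(b"NTLMSSP\x00"):
            return "NTLM"  # raw NTLM message sent under the Negotiate scheme
        tag, body, _ = _read_tlv(token, 0)   # [APPLICATION 0] InitialContextToken
        otag, oid, pos = _read_tlv(body, 0)  # thisMech must be the SPNEGO OID
        if (tag, otag, oid) != (0x60, 0x06, SPNEGO_OID):
            return "unknown"
        node = body[pos:]
        for expected in (0xA0, 0x30, 0xA0, 0x30, 0x06):  # NegTokenInit > SEQ > mechTypes > SEQ OF > OID
            tag, node, _ = _read_tlv(node, 0)
            if tag != expected:
                return "unknown"  # e.g. 0xA1 is a NegTokenResp, not a client's first token
    except (ValueError, IndexError):
        return "unknown"  # bad base64, or a truncated/malformed token
    return MECH_NAMES.get(node, "unknown")  # preferred mechanism = first mechType listed

def build_negotiate_header(mech_oids) -> str:
    # Build a constructed SPNEGO NegTokenInit (mechTypes only, no ticket) as sample input
    mech_types = _der(0xA0, _der(0x30, b"".join(_der(0x06, o) for o in mech_oids)))
    init = _der(0xA0, _der(0x30, mech_types))
    return "Negotiate " + base64.b64encode(_der(0x60, _der(0x06, SPNEGO_OID) + init)).decode()

SAMPLE_IE_KERBEROS = build_negotiate_header([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID])  # constructed: Kerberos first, NTLM fallback
```

A result of "NTLM" for a request that should be delegated is exactly the failure mode described in (a): the header only tells you what the client offered, so the SPN and delegation checks in (b) and (c) still apply when it says "Kerberos".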


"cfs" <wayhip@xxxxxxxxxxx> wrote in message
news:1152129654.720884.259350@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
We are developing a web app using IIS6, ASP .Net 2.0 on a Win2003 box.
We are using VS2005 and building for .Net 2.0 framework.

We set IIS up to use integrated security. However when I access the
application through IE, it cannot connect to the server. When I check
the SQL Server logs, I see a failed attempt to login by <domain
name>\<web server name>. It looks like it is using the credentials
under which the web server is running.

The desired behavior is to use the profile of the domain user who is
using IE.

When I give <domain name>\<web server name> explicit access to the SQL
Server DB, it *can* connect.

This reeks of a misconfiguration. What could we be doing wrong?

TIA
