Re: IIS passing server credentials rather than user credentials



Fixed it. Thanks...


Ken Schaefer wrote:
You need to verify that:
a) the browser (IE) is actually using Kerberos to authenticate to IIS, not
NTLM. NTLM is not natively delegatable. What is the URL you are using to
connect to? If it is in the Internet security zone, you will need to
manually add it to IE's Intranet security zone.

b) you need to verify that the IIS server is permitted to delegate in Active
Directory (either the machine account if you are running the web app pool as
a built-in principal like Network Service, or the user account if you are
using a custom domain account)

c) you need to verify that your Kerberos SPNs (Service Principal Names) are
correctly configured. This is done automatically if you are connecting to
http://servername or http://servername.domain.com. However, if you have
created an additional DNS CNAME or A record for this website, or you are
using the IP address of the server, then you may need to change/update your
Kerberos SPNs.

Cheers
Ken


"cfs" <wayhip@xxxxxxxxxxx> wrote in message
news:1152129654.720884.259350@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
We are developing a web app using IIS6, ASP .Net 2.0 on a Win2003 box.
We are using VS2005 and building for .Net 2.0 framework.

We set IIS up to use integrated security. However when I access the
application through IE, it cannot connect to the server. When I check
the SQL Server logs, I see a failed attempt to login by <domain
name>\<web server name>. It looks like it is using the credentials
under which the web server is running.

The desired behavior is to use the profile of the domain user who is
using IE.

When I give <domain name>\<web server name> explicit access to the SQL
Server DB, it *can* connect.

This reeks of a misconfiguration. What could we be doing wrong?

TIA
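
An added example for check (a) in the reply above; it is not code from anyone in the thread. It classifies the `Authorization` header a browser sent to IIS (taken from an HTTP trace, which is an assumption) as Kerberos or NTLM, since only Kerberos can be delegated on to SQL Server. The sample headers are constructed placeholders, not real tickets, and all function names are hypothetical.

```python
import base64
import binascii

NTLMSSP = b"NTLMSSP\x00"  # signature that starts every NTLM message
# DER-encoded GSS-API mechanism OIDs
OID_SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2


def classify_authorization(value):
    """Return 'kerberos', 'ntlm', 'malformed', 'unknown' or 'not-integrated'."""
    scheme, _, token = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "ntlm":
        return "ntlm"
    if scheme != "negotiate":
        return "not-integrated"
    try:
        blob = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    # Heuristic: "Negotiate" can still carry NTLM, either raw or wrapped in
    # SPNEGO, so look for the NTLMSSP signature before trusting the scheme.
    if NTLMSSP in blob:
        return "ntlm"
    # 0x60 is the GSS-API initial-token tag; a Kerberos OID inside it means
    # the client obtained a service ticket for the site's SPN.
    if blob[:1] == b"\x60" and (OID_KRB5 in blob or OID_MS_KRB5 in blob):
        return "kerberos"
    return "unknown"


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed sample headers (structure only, no real credentials).
SAMPLES = {
    "negotiate-ntlm": "Negotiate " + _b64(NTLMSSP + b"\x01\x00\x00\x00\x07\x82\x08\xa2"),
    "plain-ntlm": "NTLM " + _b64(NTLMSSP + b"\x01\x00\x00\x00\x07\x82\x08\xa2"),
    "negotiate-krb": "Negotiate " + _b64(b"\x60\x40" + OID_SPNEGO + b"\xa0\x36"
                                         + OID_MS_KRB5 + OID_KRB5 + b"\x00" * 16),
    "basic": "Basic " + _b64(b"user:example"),
}


def delegation_blockers(samples):
    """Names of requests whose credentials cannot be delegated by IIS."""
    return sorted(n for n, h in samples.items() if classify_authorization(h) != "kerberos")


if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(f"{name:15} -> {classify_authorization(header)}")
```
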

