Re: Delegation between .Net web app and SQL Server
From: Linwood Ferguson (Ferguson@chaslevy.com)
Date: 10/26/02
- In reply to: Jim Weatherly: "Delegation between .Net web app and SQL Server"
From: "Linwood Ferguson" <Ferguson@chaslevy.com> Date: Sat, 26 Oct 2002 07:50:46 -0400
I think you will have better luck if you do not use a separate DNS name for
connecting across the private nic. Kerberos, which is required for most kinds
of delegation, relies at least to some extent on the computer name (I only
vaguely understand the numerous ways to break delegation).
We have a similar setup, and what we do is set up a ROUTE instead of a
separate DNS name. So if your server is called X, refer to it as X
regardless of where you want the traffic to flow. Then go into the other
server (let's say Y) and do something like this:
ROUTE ADD -P x.x.x.x y.y.y.y
where x.x.x.x is the normal nic address of X, the one associated with the
DNS name X, and y.y.y.y is the IP address of the private IP addressed NIC on
X that points to Y.

X
    Public address 1.2.3.4 matches DNS name "X"
    Private address 10.1.2.2 mask 255.255.255.252
Y
    Public address 1.2.3.5 matches DNS name "Y"
    Private address 10.1.2.3 mask 255.255.255.252

On X you do ROUTE ADD -P 1.2.3.5 10.1.2.3
On Y you do ROUTE ADD -P 1.2.3.4 10.1.2.2

In this way, whenever server X wants to reach Y (by its normal name) it goes
over the private NIC links, but you don't have to change its name. This
assumes of course you are trying to route all traffic between the servers
via the private nic, which is what I think you meant.
"Jim Weatherly" <jweatherly@digineer.com> wrote in message
news:8SZl9.56168$bX.9957@sccrnsc02...
> Hi,
> We have two W2K Servers, one running an
> ASP.Net website and one running SQL Server 2000. They
> both have two NICs. They are members of an Active
> Directory domain, but they both use one NIC to talk to
> each other directly, and they are using private IP
> addresses on the internal nics (192.168.50.x). We are
> using Windows authentication and delegating user
> credentials to the database for security. This works when
> we talk to the database from the webserver over the domain-
> addressed "External" NIC, but only the Administrator user
> can delegate across the "Internal", or private IP
> addressed NICs. Any normal user, even one that is a
> member of Domain Admin group, cannot delegate across that
> private IP address - we get
> the "NT_AUTHORITY/ANONYMOUS_USER" login error message from
> SQL Server.
>
> So far I tried putting an entry into DNS for the two
> private IP addresses, and I tried to add a computer to
> Active Directory with the name of the DNS entry for the
> webserver, and marked it trusted for delegation. Doesn't
> seem to work, however.
>
> Our connection string in the web.config file is:
> "data source=MyInternalComputerName;initial
> catalog=MyDB;integrated security=SSPI;persist security
> info=False"
>
> where MyInternalComputerName is the name I added to DNS
> for the private IP address of the SQL Server machine.
>
> Once again, if I authenticate against the website as the
> domain Administrator user, the delegation seems to work -
> I get access to SQL Server, and the profiler shows
> MyDomain\Administrator as the login for the SQL calls.
> But any other domain user gets the
> NT_AUTHORITY/ANONYMOUS_USER error message, indicating no
> windows credentials came across (I think.)
>
> Any ideas?
>
> Thanks a million,
> Jim Weatherly
> jweatherly@digineer.com
>
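
Added example (not part of the original post or thread): a small route-selection model showing why the host route in the reply sends traffic for Y's public address over the private NIC while the name, and so the computer name Kerberos sees, stays "Y". The addresses are the ones from the reply; the public /24 mask, the default gateway 1.2.3.1 and the metrics are assumptions made for the illustration.

```python
import ipaddress

# Constructed routing table for server X: (destination, gateway, nic, metric).
# Public mask /24, default gateway 1.2.3.1 and metrics are assumed values.
BASE_ROUTES_X = [
    ("0.0.0.0/0", "1.2.3.1", "public", 10),
    ("1.2.3.0/24", "on-link", "public", 10),
    ("10.1.2.0/30", "on-link", "private", 10),
]

# What "ROUTE ADD -P 1.2.3.5 10.1.2.3" adds on X: with no mask given,
# Windows treats the destination as a single host (255.255.255.255).
HOST_ROUTE_TO_Y = ("1.2.3.5/32", "10.1.2.3", "private", 1)


def select_route(routes, destination):
    """Pick the route for a destination: longest prefix, then lowest metric."""
    dest = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dest in ipaddress.ip_network(r[0])]
    if not candidates:
        return None
    return max(
        candidates,
        key=lambda r: (ipaddress.ip_network(r[0]).prefixlen, -r[3]),
    )


def uses_private_nic(routes, peer_public_ip):
    """True if traffic to the peer's public address leaves via the private NIC."""
    route = select_route(routes, peer_public_ip)
    return route is not None and route[2] == "private"


if __name__ == "__main__":
    y_public = "1.2.3.5"  # the address DNS returns for the name "Y"
    for label, table in (
        ("before ROUTE ADD", BASE_ROUTES_X),
        ("after ROUTE ADD", BASE_ROUTES_X + [HOST_ROUTE_TO_Y]),
    ):
        dest, gateway, nic, _ = select_route(table, y_public)
        print(f"{label}: {y_public} -> {dest} via {gateway} ({nic} NIC)")
```

Only the single address 1.2.3.5 is redirected; every other destination on the public subnet still uses the public NIC, and the connection string keeps the server's normal name.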