Re: Can't run IIS and SQL Server on Separate Machines with Trusted Connection

From: Tom Kaminski [MVP]
Date: 03/10/03


From: "Tom Kaminski [MVP]" <tomk (A T) mvps (D O T) org>
Date: Mon, 10 Mar 2003 16:18:40 -0500


"Julie Cooper" <julie.cooper@fairfaxcounty.gov> wrote in message
news:pavp6v4i8oigrfg6d05r2rhs0ejn5kg5dl@4ax.com...
> I am trying to run IIS and SQL Server on Separate Machines with
> Trusted Connection. I have reviewed the KB articles below:
>
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;176377
>
> I am confused, because I have checked both servers, and they are
> Windows 2000 running Kerberos security.
>
> I am posting the connection string, and error message that I receive:
>
> >using this string: Provider=SQLOLEDB;Server=xxx;Database=abc;Integrated Security=SSPI;TRUSTED_CONNECTION=YES
>
> Error is:
>
> >Microsoft OLE DB Provider for SQL Server error '80040e4d'
> >
> >Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
>
> I have been informed by a colleague that this should work. The IIS
> web site is configured to disallow anonymous access and enable
> Integrated Windows authentication. I am allowed access to the web
> site, but it does not appear that my domain/user account is being
> passed on to SQL Server.
>
> The account, if it was being passed onto SQL Server correctly, is in
> an active directory group that has been added to the SQL Server
> Instance and database and been granted appropriate privileges.
>
> I haven't found a good answer by searching the knowledge base or the
> Google archives. What am I missing?

I don't believe you can use Windows Integrated authentication and have SQL
on a separate machine. It creates a delegation issue as the IIS box doesn't
have the user's password to forward to the SQL box.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;247931

-- 
Tom Kaminski IIS MVP
http://mvp.support.microsoft.com/
http://www.microsoft.com/windowsserver2003/community/centers/iis/