RE: ASP.NET + SQL Server Windows authentication

From: Bill Cheng [MSFT] (billchng_at_online.microsoft.com)
Date: 08/27/03

    Date: Wed, 27 Aug 2003 03:11:43 GMT
    
    

    Hi Lior,

    The problem is actually related to ASP.NET security. Therefore, the
    microsoft.public.dotnet.framework.aspnet.security newsgroup may be better.
    However, I found the following articles for your reference:

    Q306158 INFO: Implementing Impersonation in an ASP.NET Application
    http://support.microsoft.com/default.aspx?scid=KB;en-us;q306158

    Q306590 INFO: ASP.NET Security Overview
    http://support.microsoft.com/default.aspx?scid=KB;en-us;q306590

    Q317012 INFO: Process and Request Identity in ASP.NET
    http://support.microsoft.com/default.aspx?scid=KB;en-us;q317012

    Bill Cheng
    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security
    This posting is provided "as is" with no warranties and confers no rights.
    --------------------
    | From: "Lior Amar" <lior_amar@hotmail.com>
    | Subject: ASP.NET + SQL Server Windows authentication
    | Date: Tue, 26 Aug 2003 11:16:21 -0400
    | Newsgroups: microsoft.public.dotnet.framework.aspnet,
    |   microsoft.public.dotnet.framework.aspnet.security,
    |   microsoft.public.sqlserver.security
    |
    | Hey All,
    |
    | Trying to understand why I can not get SQL server to trust my IIS server. I
    | have two machines set up, 1 App and 1 DB, and I'm trying to validate the
    | application's access to the DB server via NT Authentication. The App comes in
    | via NTLM which from my understanding only supports Single hop security
    | delegation. So far I understand why it doesn't work, although seems to me
    | like a very bad problem. Now, Basic Authentication will transfer the PW and
    | the UID which will allow IIS to log in to the DB server and then NT
    | Authentication will work. But we all know how non-secure Basic
    | Authentication is.
    |
    | Here's the confusion, if Kerberos permits token transferring with no
    | limitation why can't IIS receive a token via NTLM and transfer it to the DB
    | server?
    |
    | I've been reading all of these articles
    |
    | http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vbcon/html/vbconaccessingsqlserverfromwebapplication.asp
    | http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vbcon/html/vbtskaccessingsqlserverusingwindowsintegratedsecurity.asp
    | http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnauth/html/dnauth_security.asp
    | http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnauth/html/signfaq.asp
    | http://support.microsoft.com/default.aspx?scid=kb;en-us;Q176377
    |
    | and a bunch of other documents and they all come down to two valid
    | solutions: Basic Authentication or SQL Users. These are only valid if the
    | level of security you wish to achieve is not something that needs to pass a
    | certain level of security (would not pass in industries that require maximum
    | security).
    |
    | If I am bound to NT Authentication, is my only option Basic Authentication
    | (of course under SSL)? And why is it that we don't have these problems with
    | other Database vendors? Is there any way we can utilize ADSI to get the
    | user's NTLM credentials to pass on to SQL server?
    |
    | Any help or suggestions will be very appreciated.
    |
    | Thank you,
    |
    |
    |
    |
    |
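
Added example (not part of either post, and not Microsoft's code): since the thread turns on whether the browser reached IIS with NTLM, Kerberos or Basic, this Python sketch classifies a logged HTTP Authorization header by looking for the NTLMSSP signature or a Kerberos OID in the token. The sample headers are constructed stubs, the function names are hypothetical, and the OID match is a heuristic rather than a full SPNEGO parse.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"                           # start of every NTLM message
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

# Second-hop outlook per mechanism (summary of the points raised in the thread).
SECOND_HOP = {
    "ntlm": "single hop only: IIS cannot reuse this logon against SQL Server",
    "kerberos": "can reach SQL Server if delegation is allowed in the domain",
    "basic": "IIS holds the password and can log on again; needs SSL",
}

def classify(header_value):
    """Return (mechanism, detail) for one HTTP Authorization header value."""
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return ("basic", "user name and password, base64-encoded")
    if scheme not in ("ntlm", "negotiate"):
        return ("unknown", "scheme " + scheme)
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:                     # binascii.Error is a ValueError
        return ("unknown", "token is not valid base64")
    pos = token.find(NTLMSSP_SIG)          # raw NTLM, or NTLM wrapped in SPNEGO
    if pos != -1 and len(token) >= pos + 12:
        (msg_type,) = struct.unpack_from("<I", token, pos + 8)
        return ("ntlm", "NTLMSSP " + NTLM_TYPES.get(msg_type, "type %d" % msg_type))
    if token[:1] == b"\x60" and (OID_KRB5 in token or OID_MS_KRB5 in token):
        return ("kerberos", "GSS-API token naming a Kerberos OID")
    return ("unknown", "no NTLMSSP signature or Kerberos OID found")

def second_hop(header_value):
    """Map a header to the second-hop outlook for its mechanism."""
    mech, _ = classify(header_value)
    return SECOND_HOP.get(mech, "cannot tell from this header")

def _b64(raw):
    return base64.b64encode(raw).decode("ascii")

# Constructed sample headers (stubs, not captured traffic).
SAMPLES = [
    "NTLM " + _b64(NTLMSSP_SIG + struct.pack("<II", 1, 0xB207)),
    "Negotiate " + _b64(b"\x60\x0d" + OID_KRB5 + b"\x01\x00"),
    "Negotiate " + _b64(b"\xa1\x10" + NTLMSSP_SIG + struct.pack("<II", 3, 0)),
    "Basic " + _b64(b"alice:example-password"),
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(classify(h), "->", second_hop(h))
```

A "Negotiate" header that still classifies as NTLM means the client fell back from Kerberos, which is the case where the logon stops at IIS.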

