Re: ASP.NET + SQL Server Windows authentication

From: Bill Cheng [MSFT] (billchng_at_online.microsoft.com)
Date: 08/28/03

    Date: Thu, 28 Aug 2003 01:27:44 GMT
    
    

    Hi Lior,

    I found the following article on using Kerberos and delegation in ASP.NET.
    It requires Active Directory operations. I would suggest that you pursue
    this with the ASP.NET security newsgroup.

    810572 HOW TO: Configure an ASP.NET Application for a Delegation Scenario
    http://support.microsoft.com/?id=810572

    Bill Cheng
    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security
    This posting is provided "as is" with no warranties and confers no rights.
    --------------------
    | From: "Lior Amar" <lior_amar@hotmail.com>
    | Subject: Re: ASP.NET + SQL Server Windows authentication
    | Date: Wed, 27 Aug 2003 12:09:30 -0400
    |
    | Think the problem is just a limitation of NTLM single hop. Don't think there
    | is a way around it other than using SSL and Basic Authentication. ASPNET is
    | set up properly and is impersonating the user appropriately. Don't think
    | there is any way around this limitation.
    |
    | Thanks for the help though
    |
    | Lior
    |
    |
    | "Lior Amar" <lior_amar@hotmail.com> wrote in message
    | news:uHPZbT#aDHA.2928@tk2msftngp13.phx.gbl...
    | > Hey All,
    | >
    | > Trying to understand why I can not get SQL server to trust my IIS server. I
    | > have two machines set up, 1 App and 1 DB, and I'm trying to validate the
    | > application's access to the DB server via NT Authentication. The App comes in
    | > via NTLM which from my understanding only supports Single hop security
    | > delegation. So far I understand why it doesn't work, although seems to me
    | > like a very bad problem. Now, Basic Authentication will transfer the PW and
    | > the UID which will allow IIS to login to the DB server and then NT
    | > Authentication will work. But we all know how non-secure Basic
    | > Authentication is.
    | >
    | > Here's the confusion, if Kerberos permits token transferring with no
    | > limitation why can't IIS receive a token via NTLM and transfer it to the DB
    | > server?
    | >
    | > I've been reading all of these articles
    | >
    | > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vbcon/html/vbconaccessingsqlserverfromwebapplication.asp
    | > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vbcon/html/vbtskaccessingsqlserverusingwindowsintegratedsecurity.asp
    | > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnauth/html/dnauth_security.asp
    | > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnauth/html/signfaq.asp
    | > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q176377
    | >
    | > and a bunch of other documents and they all come down to two valid
    | > solutions: Basic Authentication or SQL Users. These are only valid if the
    | > level of security you wish to achieve is not something that needs to pass a
    | > certain level of security (would not pass in industries that require maximum
    | > security).
    | >
    | > If I am bound to NT Authentication, is my only option Basic Authentication
    | > (of course under SSL)? And why is it that we don't have these problems with
    | > other Database vendors? Is there any way we can utilize ADSI to get the
    | > user's NTLM credentials to pass on to SQL server?
    | >
    | > Any help or suggestions will be very appreciated.
    | >
    | > Thank you,
    | >
    | >
    | >
    | >
    |
    |
    |
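
Added example, not part of the original thread or the KB article: a read-only PowerShell check of the Active Directory settings that the Kerberos delegation scenario mentioned above depends on (IIS passing the caller's identity on to SQL Server). The names `WEB01`, `SQL01.corp.example` and `jdoe` are placeholders, and the script assumes the ActiveDirectory module is available and that the web application runs under the IIS machine identity.

```powershell
# Added example: read-only checks of Kerberos delegation prerequisites.
# WEB01, SQL01.corp.example and jdoe are placeholder names (assumptions).
Import-Module ActiveDirectory

$WebServer = 'WEB01'                                # IIS host making the second hop
$SqlSpn    = 'MSSQLSvc/SQL01.corp.example:1433'     # SPN the web tier needs a ticket for
$EndUser   = 'jdoe'                                 # user whose identity should reach SQL Server

# 1. The SQL Server SPN must be registered on exactly one account.
#    A missing or duplicated SPN makes Kerberos fail and Negotiate fall back to NTLM.
$spnOwners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$SqlSpn)")

# 2. The web server account must be trusted for delegation
#    (unconstrained, or constrained to the SQL Server SPN).
$web = Get-ADComputer $WebServer -Properties TrustedForDelegation,
           TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
$allowedTo   = @($web.'msDS-AllowedToDelegateTo')
$constrained = $allowedTo -contains $SqlSpn

# 3. The end user must not be flagged "sensitive and cannot be delegated".
$user = Get-ADUser $EndUser -Properties AccountNotDelegated

[pscustomobject]@{
    SqlSpnOwnerCount        = $spnOwners.Count               # expect 1
    SqlSpnOwners            = $spnOwners.DistinguishedName
    WebUnconstrained        = $web.TrustedForDelegation      # works, but broad
    WebConstrainedToSql     = $constrained                   # preferred setting
    WebProtocolTransition   = $web.TrustedToAuthForDelegation
    UserBlockedFromDelegate = $user.AccountNotDelegated      # expect False
} | Format-List

if ($spnOwners.Count -ne 1) {
    Write-Warning "SPN $SqlSpn is registered on $($spnOwners.Count) accounts; Kerberos to SQL Server will not work."
}
if (-not ($web.TrustedForDelegation -or $constrained)) {
    Write-Warning "$WebServer is not trusted to delegate to $SqlSpn; the second hop will arrive as an anonymous logon."
}
if ($web.TrustedForDelegation) {
    Write-Warning "$WebServer has unconstrained delegation; constrain it to $SqlSpn where the domain supports it."
}
```

If the application pool runs under a domain service account instead of the machine identity, run the same checks against that account with `Get-ADUser`.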

