Re: Using trusted database connection across domains

Charles,

You asked for my comments on your response to my question. My basic response
is that it makes little sense with what I believe that I know about Windows
security. One of us clearly does not understand the problem; I admit that it
may be me. I have already implemented the encryption of the connection
string, even though I still do not understand why it is necessary.

First, you seem to be saying that Kerberos authentication will not work
between one machine that is not in a domain and a second machine that is in
a domain. If this is true, how does it work in Mac OS X or Red Hat Linux
where NT domains do not exist?

You go on to say that I have a double-hop in my authentication. I do not see
this. My plan is to configure the ASP.NET app to run in an application pool
under IIS 6. This pool will be configured to run under a username and
password defined in the local SAM database on that web server machine. When
the ASP.NET application needs to connect to the SQL database it will pass
its login credentials, from its local SAM database, to the SQL Server
machine. On the SQL Server there will be another Windows account with the
same username and password. Where is the second hop?

Thank you for your time in considering this.

Dave

"Charles Wang [MSFT]" <changliw@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:ZYPD8v75IHA.3320@xxxxxxxxxxxxxxxxxxxxxxxxx
Hi Dave,
I understand that you would like to use Windows Authentication for your
ASP.NET application, however the web server is in a workgroup which is not
in any of your domains. You would like to know if this is possible.
If I have misunderstood, please let me know.

Unfortunately this is not possible, because Kerberos authentication cannot
be established between a domain and a workgroup or among separated domains
(without building any trust relationship); while Windows NTLM
authentication cannot be double-hop. If your Web application used Windows
authentication, your client user token can be passed to your web server and
authenticated, however the token cannot be further authenticated on your
remote SQL Server. I recommend that you use SQL Authentication in this
case and encrypt the connection string in your config file.

If you have any other questions or concerns, please feel free to let me
know. Have a nice day!

Best regards,
Charles Wang
Microsoft Online Community Support
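The thread turns on which authentication scheme the SQL Server connection actually ends up using and which account SQL Server sees at the far end. The script below is an added example for checking that from the web server; it is not code from either poster. It assumes System.Data.SqlClient is available (it ships with the .NET Framework), that the script is run on the web server while logged on as the application pool account (for example through runas), and it uses <SQLSERVER> as a placeholder for the SQL Server host name. The query reads the auth_scheme column of sys.dm_exec_connections, which reports SQL, NTLM or KERBEROS for the current session.

```powershell
# Added example, not from the original thread: report how this machine's
# connection to SQL Server was authenticated and which login it was mapped to.
# Assumptions: run on the web server as the app pool account, so the SSPI
# context matches what the ASP.NET application will present;
# <SQLSERVER> is a placeholder for the SQL Server host name.

$server  = '<SQLSERVER>'
$connStr = "Server=$server;Database=master;Integrated Security=SSPI;"

# auth_scheme is SQL, NTLM or KERBEROS; login_name is the principal that
# SQL Server matched the presented credentials to.
$query = @"
SELECT c.auth_scheme,
       s.login_name,
       s.nt_user_name,
       s.host_name
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.session_id = @@SPID;
"@

$conn = New-Object System.Data.SqlClient.SqlConnection $connStr
try {
    $conn.Open()                      # fails here if the credentials are not accepted
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) {
        [pscustomobject]@{
            AuthScheme = $reader['auth_scheme']
            LoginName  = $reader['login_name']
            NtUserName = $reader['nt_user_name']
            HostName   = $reader['host_name']
        }
    }
    $reader.Close()
}
finally {
    $conn.Close()
}
```

Reading the result: a row showing NTLM with the mirrored local account as login_name means the web server authenticated with its own process identity in a single hop; KERBEROS can only appear when both machines share a domain or a trust; an error thrown at Open() before any row is returned is the case to investigate, and with mirrored local accounts the first thing to compare is that the username and password really are identical on both machines.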