Re: Using trusted database connection across domains
- From: changliw@xxxxxxxxxxxxxxxxxxxx ("Charles Wang [MSFT]")
- Date: Tue, 22 Jul 2008 11:10:45 GMT
Hi Dave,
Thank you for your response.
First, let me try to explain the Kerberos authentication, though it should be a Windows AD question. Based on my communications with some AD experts, Kerberos authentication on Windows requires a KDC that is running on a domain controller. If the client computer is not in a domain, it is restricted from communicating directly with the KDC, and you cannot add a domain user account into a local user group. Also, your ASP.NET host process cannot be configured to start with a domain account. Since your ASP.NET application's host process cannot run under a domain account, if your ASP.NET web application's database connection is configured to use Windows Integrated Authentication, the workgroup account cannot be validated by the KDC. In this case, Kerberos authentication will fail.
You can use Kerberos authentication in such a scenario in one case, for example, when you need to access a web server that is in a domain and that is configured to use Windows Integrated Authentication: after you input the URL in IE and press Enter, there will be a prompt window asking you to input the account, and you can input the domain account there for authentication. However, as you can see, that is not for a database connection, and this way is actually not welcome in my viewpoint.
Regarding double-hop, thank you for your input. I apologize that my last description was not accurate for your scenario. I had thought that your client computer's account token (client computer) would be passed to your web application (web server) and then your web application would use it to access your database (database server). However, after I discussed this with some ASP.NET experts, I learned that I had some misunderstandings before; I appreciate your understanding on this since I am not an ASP.NET expert.
As I mentioned before, since your ASP.NET application pool in a workgroup environment cannot start with a domain user account, Kerberos authentication cannot be established between a workgroup user and the KDC in a Windows environment. However, if your intention is just to use Windows authentication and you do not want to encrypt the connection string, I think that NTLM authentication can also work for you. On your database server, you can create a local user with the same name and password as your ASP.NET application pool's identity, and then explicitly add that local Windows user account to your SQL Server logins and assign permissions. Then your ASP.NET application can use Windows Integrated Authentication for your database connection. I performed a test at my side and it worked fine.
Note that for this type of issue, which is cross-related with other AD and ASP.NET technologies, our initial response may not be able to fully address your real concerns, so if you have any further questions or concerns like those in this thread, we would appreciate it if you could post back promptly so that we can better understand your issue and try to effectively collaborate with other technical experts to work together on resolving it.
If you have any other questions or concerns, please feel free to let me know. Have a nice day!
Best regards,
Charles Wang
Microsoft Online Community Support
=========================================================
Delighting our customers is our #1 priority. We welcome your
comments and suggestions about how we can improve the
support we provide to you. Please feel free to let my manager
know what you think of the level of service provided. You can
send feedback directly to my manager at: msdnmg@xxxxxxxxxxxxxx
=========================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
=========================================================
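The mirrored-account setup that the post above describes (a local Windows account on the database server whose name and password match the workgroup web server's application-pool identity, added as a SQL Server login, with the application then connecting via Integrated Security), written out as an added example. This is not code from the original thread or from Microsoft; the names AspNetPool, DBSRV01 and AppDb are hypothetical, and it assumes PowerShell 5.1 or later (Get-LocalUser/New-LocalUser) plus the SqlServer module (Invoke-Sqlcmd) on the database server. The second function is the check a practitioner wants: it opens the integrated-security connection as the pool identity and asks SQL Server which login it mapped the caller to and which scheme it negotiated, so you can confirm it is NTLM and the mirrored account rather than something unexpected.

```powershell
# Added example, not code from the original thread. Hypothetical names:
# app-pool identity "AspNetPool", SQL Server host "DBSRV01", database "AppDb".
# Requires PowerShell 5.1+ (Get-/New-LocalUser) and the SqlServer module
# (Invoke-Sqlcmd) on the database server.

function New-MirroredSqlAccess {
    <# Run ON THE DATABASE SERVER as a local administrator who is also a SQL sysadmin.
       Creates a local Windows account whose name and password mirror the app-pool
       identity on the workgroup web server, then adds it as a SQL Server login. #>
    param(
        [Parameter(Mandatory)][string]$MirrorUser,          # e.g. 'AspNetPool'
        [Parameter(Mandatory)][securestring]$Password,      # must equal the web server's
        [string]$SqlInstance = $env:COMPUTERNAME,
        [string]$Database = 'AppDb'
    )

    # NTLM pass-through only succeeds when BOTH the user name and the password match
    # on the two machines; there is no domain to vouch for the account.
    if (-not (Get-LocalUser -Name $MirrorUser -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $MirrorUser -Password $Password `
            -PasswordNeverExpires -UserMayNotChangePassword | Out-Null
    }

    # Explicitly add the local account as a Windows login and grant least privilege
    # inside the one database it needs (no sysadmin, no server-level roles).
    $login = "$env:COMPUTERNAME\$MirrorUser"
    $tsql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$login')
    CREATE LOGIN [$login] FROM WINDOWS;
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$login')
    CREATE USER [$login] FOR LOGIN [$login];
EXEC sp_addrolemember N'db_datareader', N'$login';
EXEC sp_addrolemember N'db_datawriter', N'$login';
"@
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $tsql
    return $login
}

function Test-MirroredSqlAccess {
    <# Run ON THE WEB SERVER under the app-pool identity, for example:
         runas /user:AspNetPool powershell.exe
       Opens an integrated-security connection and reports which login SQL Server
       mapped the caller to and which authentication scheme it negotiated. #>
    param(
        [Parameter(Mandatory)][string]$SqlInstance,         # e.g. 'DBSRV01'
        [string]$Database = 'AppDb'
    )

    # No user name or password in the string: the app-pool token is presented via SSPI.
    $cs = "Server=$SqlInstance;Database=$Database;Integrated Security=SSPI;"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = @"
SELECT SUSER_SNAME() AS LoginName, auth_scheme
FROM sys.dm_exec_connections WHERE session_id = @@SPID;
"@
        $r = $cmd.ExecuteReader()
        if ($r.Read()) {
            [pscustomobject]@{ LoginName = $r['LoginName']; AuthScheme = $r['auth_scheme'] }
        }
    }
    finally { $conn.Close() }
}

# Usage (hypothetical values):
#   On DBSRV01:  New-MirroredSqlAccess -MirrorUser AspNetPool -Password (Read-Host -AsSecureString)
#   On web box:  Test-MirroredSqlAccess -SqlInstance DBSRV01
#   A working setup reports LoginName = DBSRV01\AspNetPool and AuthScheme = NTLM.
```

Two caveats a practitioner should keep in mind with this pattern. First, the two accounts are tied together only by a shared secret: if the password is rotated on one machine and not the other, the application's connections start failing, so rotate both in one change. Second, this is NTLM, not Kerberos, so the connection carries the pool identity and nothing else; there is no delegation, which is exactly why the double-hop case discussed in the thread does not apply here. The `sp_addrolemember` calls are used because they work on the SQL Server versions current when this thread was written; on SQL Server 2012 and later `ALTER ROLE ... ADD MEMBER` is the preferred form. If `auth_scheme` comes back empty, the mirrored login may lack permission to read `sys.dm_exec_connections`; run the same query from a sysadmin session for that session id instead rather than granting the application account extra rights.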
- Follow-Ups:
  - Re: Using trusted database connection across domains (From: Dave Smith)
- References:
  - Using trusted database connection across domains (From: Dave Smith)
  - RE: Using trusted database connection across domains (From: "Charles Wang [MSFT]")
  - Re: Using trusted database connection across domains (From: Dave Smith)