Re: Using trusted database connection across domains



Charles,

Thank you for the further explanation. As I understand from your comments
about using peer-to-peer NTLM authentication, this should work; however, we
have been unable to get it to work for us. This may be due to the firewall
between our web server and our SQL server blocking NETBIOS.

This is no longer an issue for us, since I have already modified the web
application to decrypt the connection string read from web.config and have
written a standalone utility to create the encrypted connection strings.

I feel it is a shame that such a great technology as trusted database
connections is of such limited value. I can't believe that many enterprise
web applications have the customer-facing web server in the same network and
domain as the SQL server machine, which means (as I understand from you)
that these applications cannot use trusted connections.

Thank you for your assistance.

Dave Smith


"Charles Wang [MSFT]" <changliw@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:7Hwzeu%236IHA.4056@xxxxxxxxxxxxxxxxxxxxxxxxx
Hi Dave,
Thank you for your response.

First let me try to explain Kerberos authentication, though it should
be a Windows AD question. Based on my communications with some AD experts,
Kerberos authentication on Windows requires a KDC that is running on a
domain controller. If the client computer is not in a domain, it is
restricted from communicating directly with the KDC, and you cannot add a
domain user account into a local user group. Also, your ASP.NET host process
cannot be configured to start with a domain account. Since your ASP.NET
application's host process cannot run under a domain account, if your
ASP.NET web application's database connection was configured to use Windows
Integrated Authentication, the workgroup account cannot be validated by the
KDC. In this case, Kerberos authentication will fail.

You can use Kerberos authentication in such a scenario; for example, if you
need to access a web server that is in a domain and that is configured to
use Windows Integrated Authentication, after you input the URL in IE and
press Enter, a prompt window will ask you to input the account, and you can
input the domain account there for authentication. However, as you can see,
that is not for a database connection, and this way is actually not welcome
in my viewpoint.

Regarding double-hop, thank you for your input. I apologize that my last
description was not accurate for your scenario. I had thought that your
client computer's account token (client computer) would be passed to your
web application (web server), and then your web application would use it to
access your database (database server). However, after I discussed this with
some ASP.NET experts, I realized that I had some misunderstandings before,
and I appreciate your understanding on this since I am not an ASP.NET expert.

As I mentioned before, since your ASP.NET application pool in a Workgroup
environment cannot start with a domain user account, Kerberos authentication
cannot be established between a Workgroup user and the KDC in a Windows
environment. However, if your intention is just to use Windows
authentication and you do not want to encrypt the connection string, I think
that NTLM authentication can also work for you. On your database server, you
can create a local user with the same name and password as your ASP.NET
application pool's identity, and then explicitly add the local Windows user
account to your SQL Server logins and assign permissions. Then your ASP.NET
application can use Windows Integrated Authentication for your database
connection. I performed a test at my side and it worked fine.

Note that for this type of issue, which is cross-related with other AD and
ASP.NET technologies, our initial response may not be able to fully address
your real concerns, so if you have any further questions or concerns like
those in this thread, we would appreciate it if you could post back promptly
so that we can better understand your issue and collaborate effectively with
other technical experts to work together on resolving it.

If you have any other questions or concerns, please feel free to let me
know. Have a nice day!

Best regards,
Charles Wang
Microsoft Online Community Support
=========================================================
Delighting our customers is our #1 priority. We welcome your
comments and suggestions about how we can improve the
support we provide to you. Please feel free to let my manager
know what you think of the level of service provided. You can
send feedback directly to my manager at: msdnmg@xxxxxxxxxxxxxx
=========================================================
This posting is provided "AS IS" with no warranties, and confers no
rights.
=========================================================
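The SQL Server side of the mirrored local-account approach Charles describes, as an added example that is not part of the thread. It assumes the database server's computer name is DBSERVER, the web server's application pool runs as a local account named WebAppPool, and an identically named local Windows user with the identical password has already been created on DBSERVER outside of SQL; all names are placeholders.

```sql
-- Added example (not from the thread). Placeholder names: DBSERVER is the
-- database server's computer name, WebAppPool is the local account that
-- already exists with the same name and password on both machines, AppDb
-- is the application database.

-- 1. Map the DB server's local Windows account to a SQL Server login.
--    NTLM validates the web server's credentials against this local
--    account, so no domain trust and no KDC are involved.
USE master;
CREATE LOGIN [DBSERVER\WebAppPool] FROM WINDOWS
    WITH DEFAULT_DATABASE = AppDb;

-- 2. Create a database user for the login and grant only what the
--    application needs (least privilege); never db_owner or sysadmin.
USE AppDb;
CREATE USER WebAppPool FOR LOGIN [DBSERVER\WebAppPool];
EXEC sp_addrolemember 'db_datareader', 'WebAppPool';
EXEC sp_addrolemember 'db_datawriter', 'WebAppPool';
GRANT EXECUTE ON SCHEMA::dbo TO WebAppPool;

-- 3. Verify the mapping. The web.config connection string can then use
--    Integrated Security=SSPI, so no password is stored on the web server.
SELECT name, type_desc, default_database_name
FROM sys.server_principals
WHERE name = 'DBSERVER\WebAppPool';
```

Because NTLM matches the two local accounts by name and password hash, a password change must be applied on both machines together, or the connection will start failing with a login error.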