October 10, 2002 at 9:30 am
I am having a problem I hope someone can help me with. We are building one of our first ASP.NET applications. The first thing it does is go to a SQL Server (SQL1) to retrieve some data. This works fine when we run it from our local machine (localhost) but we have a problem once we put it on another web server.
We are using Windows authentication to access SQL Server. We know that our credentials are getting to the web server because we are displaying them on the screen for testing. Our problem comes when we try to connect to SQL Server. We get the error Login Failed for User 'NT AUTHORITY\ANONYMOUS LOGON'.
After doing some research we decided we needed to setup Security Account Delegation. We did this according to the guidelines in BOL and other places. It still doesn't work.
It never seemed to make sense to me anyway. I don't think the credentials are getting passed from the web server to SQL server and all of the documentation I am seeing talks about Delegation on SQL Server only.
Does anyone know how I can get my credentials, which are getting to the web server, to pass on to the SQL Server?
Thanks in advance for all help.
----------------------------------------------------------
01010011010100010100110000100000010100110110010101110010011101100110010101110010
001000000101001001101111011000110110101101110011
October 10, 2002 at 9:48 am
Have you tried setting up connection strings's with the proper logins and passwords in the default's for your webservers......That's the way we do it.
We have a specific login id for each server, and use sql authentication through these connection strings. Its a little more maintenence, but well woth it in our case, as it allows us to determine specific connections from the different servers in the activity pane of EM.
Just a suggestion but I'm very interested in how others do this as well....
October 10, 2002 at 9:50 am
Thanks for the reply but we are using Windows authentication. It makes more sense to do it this way versus sql logins.
----------------------------------------------------------
01010011010100010100110000100000010100110110010101110010011101100110010101110010
001000000101001001101111011000110110101101110011
October 10, 2002 at 9:53 am
Why? Changing Passwords? Maintenance?
Maybe I need to change the way I go about it......
October 10, 2002 at 9:58 am
Windows authentication is more secure. We are going to have everyone in the company accessing our data sources so there would be dual maintenance for users. We would not only have to give everyone that's already in our company a SQL login for each server we would have to setup at least two logins (Active Directory and SQL) when someone new starts. We would then have to reverse the process when someone leaves. Using Windows authentication, we set them up in Active Directory, add the Active Directory groups to the desired permissions in SQL and we only have one point of maintenance.
Also, there is a big push in our company to reduce the number of logins. Since this is an intranet application, our users are already logged in to the network so we don't want them to have to log in again.
----------------------------------------------------------
01010011010100010100110000100000010100110110010101110010011101100110010101110010
001000000101001001101111011000110110101101110011
October 10, 2002 at 10:12 am
Ahhh, makes good sense....
Our web servers do all the access, and use pooled connections, so its not on an individual basis. We handle all that through application logins later. Ours is an internet app....
I appreciate the time you took to explain it.
October 15, 2002 at 1:23 pm
You have to add IUSR_servername as a user to the users group in SQL.
October 15, 2002 at 1:36 pm
Hawg,
I've run into this problem, too, in my ASP.NET applications. You might try adding/changing a couple of settings in the web.config file for your Web application; the settings are:
<authentication mode="Windows" />
<identity impersonate="true" />
This should allow your web-app to run under the security context of the individual who is viewing the web-app. I believe that this, in conjunction with the delegation you already set up, may allow ASP.NET to forward the user's credentials on to the SQL Server for authorization.
Give it a shot and let us know what happens. I've had this same problem, but haven't wanted to set up delegation on my SQL Servers, so I've not seen if this is in fact the correct solution.
If this doesn't work, look around on MSDN; I believe there are a few documents on how to do this.
Matthew Burr
October 17, 2002 at 4:55 am
Shouldn't you disable something on the webserver ?
If you have basic and NT autentication enabled it will default to BASIC.
So disable basic authentication.
I think this is the way to fix it
October 17, 2002 at 7:24 am
Thanks for all the replies. I have already done the things that some of you mentioned. Some of the suggestions goes against what we are trying to do.
liyaka, I don't want to add this user because we are trying to use each users' individual credentials.
mdburr and well0549, you are both right, those things must be done. I did those early on.
I have been working with a Microsoft rep and I have found out it has to do with the type of authentication that is occuring. Starting with Win2K, Windows starting using Kerberos authentication before NTLM. (Don't ask me, it is still above my head but I am learning.)
Anyway, NTLM does not allow account delegation (workstation browser to web server then on to SQL Server). This requires Kerberos. After running some tests, it seems that our Kerberos is not working properly so I am working with my network guys and Microsoft to figure out the problem.
Thanks again.
----------------------------------------------------------
01010011010100010100110000100000010100110110010101110010011101100110010101110010
001000000101001001101111011000110110101101110011
October 17, 2002 at 7:29 am
hawg,
mdburr has got it right, 1st you will need to set IIS to disable Anonymous connection to that Virtual Directory for the .NET app then modify the web.config to the
<authentication mode="Windows" />
<identity impersonate="true" />
this will set the active user to the person connected. also you can restrict access to that web app in the web.config by setting what NT Authority Groups are allowed to see it.
Yeah Right!
S.Steefel
"Change is inevitable, so enjoy the ride"
October 17, 2002 at 7:33 am
SSteefel, you are correct, and I have already done this, but the security setup must be configured properly also. (See my last message at 7:24 on 10/17.) By this I mean the system must be using Kerberos to authenticate. Our system is not so now I am working on this part of the problem.
----------------------------------------------------------
01010011010100010100110000100000010100110110010101110010011101100110010101110010
001000000101001001101111011000110110101101110011
October 22, 2002 at 6:24 pm
Try the following: In IIS, go to properties for the virtual dir, Directory security tab, click the edit button for anonomous, on the anonomous access user name - change it to a domain account (try yours). This is what IIS will 'run as' when a user hits the web site. If you have anonymous truned off, only authenticated users can access the web site.
Viewing 13 posts - 1 through 12 (of 12 total)
You must be logged in to reply to this topic. Login to reply