Impersonation

P

Paul P

Can someone explain this to me

I have a web app I am trying to deploy for the Intranet of our company. I want to use integrated windows so
have <identity impersonate = "true" /> in my web.config file and under IIS for the website I only hav
integrated windows authentication checked. My problem is when it tries to retrieve data from the SQL Serve
database I get the NT AUTHORITY\ANONYMOUS LOGON failed error on my SQL Server. This happens whe
someone else pulls up the site on their computer. My computer is hosting the website and when I go to the
website from my computer it works just fine. I get logged into SQL Server with my domain user name/password but i
anyone from another computer tries to go to the website and when the website tries to retrieve data I get the NT AUTHORITY\ANONYMOUS LOGON failed error

Things I have tried are putting an account in the identity tag <identity impersonate="true" userName="domain\username" password="password" />
this works but I would rather know the username of the actual person going to the website and retrieving data than this default user

Can anyone explain what is happening and why I get NT AUTHORITY\ANONYMOUS LOGON failed error and give any suggestions on a fix.

Thank
 
K

Kevin C

This is a very common pitfall.

Here are a couple links.
http://support.microsoft.com/default.aspx?scid=kb;en-us;810572 (there are
more at the bottom of this linked article too)
http://blogs.geekdojo.net/justin/archive/2003/12/10/430.aspx .

Long story short, unless you plan to deploy AD or already running (but
obviously not configured for delegation) you will need to come up with a
different means of propagating the credentials.

Paul P said:
Can someone explain this to me:

I have a web app I am trying to deploy for the Intranet of our company. I
Click to expand...
want to use integrated windows so I
have <identity impersonate = "true" /> in my web.config file and under IIS for the website I only have
integrated windows authentication checked. My problem is when it tries to
Click to expand...
retrieve data from the SQL Server
database I get the NT AUTHORITY\ANONYMOUS LOGON failed error on my SQL Server. This happens when
someone else pulls up the site on their computer. My computer is hosting
Click to expand...
the website and when I go to the
website from my computer it works just fine. I get logged into SQL Server
Click to expand...
with my domain user name/password but if
anyone from another computer tries to go to the website and when the
Click to expand...
website tries to retrieve data I get the NT AUTHORITY\ANONYMOUS LOGON failed
error.
Things I have tried are putting an account in the identity tag <identity
Click to expand...
impersonate="true" userName="domain\username" password="password" />
this works but I would rather know the username of the actual person going
Click to expand...
to the website and retrieving data than this default user.
Can anyone explain what is happening and why I get NT AUTHORITY\ANONYMOUS
Click to expand...
LOGON failed error and give any suggestions on a fix.
 
K

Ken Schaefer

) if you do this, you will lose the benefits of connection pooling, as a
separate connection will be used for each security context (each user
account will have it's own pool). So, this solution will not scale to a
large number of users. It's OK if you have a small number of users

b) the problem is double-hop authentication. When using IWA, the webserver
does not have the user's password. It just gets a token from the DC, but the
token does not have permission to logon to network resources.

Options:
a) if you are using a Windows 2000 Domain, you can enable delegation. This
allows the IIS server to impersonate the Windows account, and logon to the
backend SQL Server. You need to use Kerberos authentication for this (not
NTLM v2)

b) if you are using a Windows 2003 Domain, when you enable constrained
delegation, you can use Protocol Transition. This allows the user to
authenticate using any of a number of mechanisms to the IIS server (eg
Digest, or NTLM), and the webserver can still get an Kerberos token to logon
to the SQL Server.

Here are a few articles to get you started:

IMPORTANT:
Read chapter 12 from the Building Secure ASP.Net Application Book - it has
very good information about building scalable, secure ASP.Net applications
(eg using a trusted subsystem model):
http://msdn.microsoft.com/library/d...-us/dnnetsec/html/secnetlpMSDN.asp?frame=true

http://support.microsoft.com/?id=319723
INF: SQL Server 2000 Kerberos support including SQL Server virtual servers
on server clusters

http://support.microsoft.com/default.aspx?scid=kb;en-us;810572
HOW TO: Configure an ASP.NET Application for a Delegation Scenario

http://support.microsoft.com/?id=294382

Authentication May Fail with "401.3" Error If Web Site's "Host Header"
Differs from Server's NetBIOS Name

http://support.microsoft.com/default.aspx?kbid=325894
HOW TO: Configure Computer Accounts and User Accounts So That They Are
Trusted for Delegation in Windows Server 2003 Enterprise Edition (also
includes Windows 2000 instructions)

http://www.microsoft.com/resources/...andard/proddocs/en-us/se_con_del_computer.asp
Configuring Users and Computers for delegation (there's a couple of pages -
use the links in the nav bar to get to them)

Windows 2003 Protocol Transition
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx


Cheers
Ken


: Can someone explain this to me:
:
: I have a web app I am trying to deploy for the Intranet of our company. I
want to use integrated windows so I
: have <identity impersonate = "true" /> in my web.config file and under IIS
for the website I only have
: integrated windows authentication checked. My problem is when it tries to
retrieve data from the SQL Server
: database I get the NT AUTHORITY\ANONYMOUS LOGON failed error on my SQL
Server. This happens when
: someone else pulls up the site on their computer. My computer is hosting
the website and when I go to the
: website from my computer it works just fine. I get logged into SQL Server
with my domain user name/password but if
: anyone from another computer tries to go to the website and when the
website tries to retrieve data I get the NT AUTHORITY\ANONYMOUS LOGON failed
error.
:
: Things I have tried are putting an account in the identity tag <identity
impersonate="true" userName="domain\username" password="password" />
: this works but I would rather know the username of the actual person going
to the website and retrieving data than this default user.
:
: Can anyone explain what is happening and why I get NT AUTHORITY\ANONYMOUS
LOGON failed error and give any suggestions on a fix.
:
: Thanks
:
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Can't connect 1
Registration Form 7
Impersonation with SQL Server SSPI 3
Delegation / Impersonation problem 0
Survey details won't go through using php, ajax, Mysql 0
impersonation 3
How do I Authencate and Authorize Users Using AD and SQL App Role 1
Impersonation with users of 2 domain (nor trusted) 0

Members online

Total: 63 (members: 3, guests: 60)
Robots: 434

Forum statistics

Threads
473,768
Messages
2,569,575
Members
45,053
Latest member
billing-software

Latest Threads

Top