Impersonation

Discussion in 'ASP .Net Security' started by Paul P, Apr 6, 2004.

  1. Paul P

    Paul P Guest

    Can someone explain this to me:

    I have a web app I am trying to deploy for the Intranet of our company. I want to use integrated windows so I
    have <identity impersonate = "true" /> in my web.config file and under IIS for the website I only have
    integrated windows authentication checked. My problem is when it tries to retrieve data from the SQL Server
    database I get the NT AUTHORITY\ANONYMOUS LOGON failed error on my SQL Server. This happens when
    someone else pulls up the site on their computer. My computer is hosting the website and when I go to the
    website from my computer it works just fine. I get logged into SQL Server with my domain user name/password but if
    anyone from another computer tries to go to the website and when the website tries to retrieve data I get the NT AUTHORITY\ANONYMOUS LOGON failed error.

    Things I have tried are putting an account in the identity tag <identity impersonate="true" userName="domain\username" password="password" />
    this works but I would rather know the username of the actual person going to the website and retrieving data than this default user.

    Can anyone explain what is happening and why I get NT AUTHORITY\ANONYMOUS LOGON failed error and give any suggestions on a fix.

    Thanks
     
    Paul P, Apr 6, 2004
    #1

  2. Kevin C

    Kevin C Guest

    This is a very common pitfall.

    Here are a couple of links.
    http://support.microsoft.com/default.aspx?scid=kb;en-us;810572 (there are
    more at the bottom of this linked article too)
    http://blogs.geekdojo.net/justin/archive/2003/12/10/430.aspx .

    Long story short, unless you plan to deploy AD or are already running it (but
    obviously not configured for delegation), you will need to come up with a
    different means of propagating the credentials.

    "Paul P" <> wrote in message
    news:D...
    > Can someone explain this to me:
    >
    > I have a web app I am trying to deploy for the Intranet of our company. I
    > want to use integrated windows so I
    > have <identity impersonate = "true" /> in my web.config file and under IIS
    > for the website I only have
    > integrated windows authentication checked. My problem is when it tries to
    > retrieve data from the SQL Server
    > database I get the NT AUTHORITY\ANONYMOUS LOGON failed error on my SQL
    > Server. This happens when
    > someone else pulls up the site on their computer. My computer is hosting
    > the website and when I go to the
    > website from my computer it works just fine. I get logged into SQL Server
    > with my domain user name/password but if
    > anyone from another computer tries to go to the website and when the
    > website tries to retrieve data I get the NT AUTHORITY\ANONYMOUS LOGON failed
    > error.
    >
    > Things I have tried are putting an account in the identity tag <identity
    > impersonate="true" userName="domain\username" password="password" />
    > this works but I would rather know the username of the actual person going
    > to the website and retrieving data than this default user.
    >
    > Can anyone explain what is happening and why I get NT AUTHORITY\ANONYMOUS
    > LOGON failed error and give any suggestions on a fix.
    >
    > Thanks
    >
     
    Kevin C, Apr 6, 2004
    #2

  3. Ken Schaefer

    Ken Schaefer Guest

    a) if you do this, you will lose the benefits of connection pooling, as a
    separate connection will be used for each security context (each user
    account will have its own pool). So, this solution will not scale to a
    large number of users. It's OK if you have a small number of users.

    b) the problem is double-hop authentication. When using IWA, the webserver
    does not have the user's password. It just gets a token from the DC, but the
    token does not have permission to logon to network resources.

    Options:
    a) if you are using a Windows 2000 Domain, you can enable delegation. This
    allows the IIS server to impersonate the Windows account, and logon to the
    backend SQL Server. You need to use Kerberos authentication for this (not
    NTLM v2)

    b) if you are using a Windows 2003 Domain, when you enable constrained
    delegation, you can use Protocol Transition. This allows the user to
    authenticate using any of a number of mechanisms to the IIS server (eg
    Digest, or NTLM), and the webserver can still get a Kerberos token to logon
    to the SQL Server.

    Here are a few articles to get you started:

    IMPORTANT:
    Read chapter 12 from the Building Secure ASP.Net Application Book - it has
    very good information about building scalable, secure ASP.Net applications
    (eg using a trusted subsystem model):
    http://msdn.microsoft.com/library/d...-us/dnnetsec/html/secnetlpMSDN.asp?frame=true

    http://support.microsoft.com/?id=319723
    INF: SQL Server 2000 Kerberos support including SQL Server virtual servers
    on server clusters

    http://support.microsoft.com/default.aspx?scid=kb;en-us;810572
    HOW TO: Configure an ASP.NET Application for a Delegation Scenario

    http://support.microsoft.com/?id=294382

    Authentication May Fail with "401.3" Error If Web Site's "Host Header"
    Differs from Server's NetBIOS Name

    http://support.microsoft.com/default.aspx?kbid=325894
    HOW TO: Configure Computer Accounts and User Accounts So That They Are
    Trusted for Delegation in Windows Server 2003 Enterprise Edition (also
    includes Windows 2000 instructions)

    http://www.microsoft.com/resources/...andard/proddocs/en-us/se_con_del_computer.asp
    Configuring Users and Computers for delegation (there's a couple of pages -
    use the links in the nav bar to get to them)

    Windows 2003 Protocol Transition
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx


    Cheers
    Ken


    "Paul P" <> wrote in message
    news:D...
    : Can someone explain this to me:
    :
    : I have a web app I am trying to deploy for the Intranet of our company. I
    : want to use integrated windows so I
    : have <identity impersonate = "true" /> in my web.config file and under IIS
    : for the website I only have
    : integrated windows authentication checked. My problem is when it tries to
    : retrieve data from the SQL Server
    : database I get the NT AUTHORITY\ANONYMOUS LOGON failed error on my SQL
    : Server. This happens when
    : someone else pulls up the site on their computer. My computer is hosting
    : the website and when I go to the
    : website from my computer it works just fine. I get logged into SQL Server
    : with my domain user name/password but if
    : anyone from another computer tries to go to the website and when the
    : website tries to retrieve data I get the NT AUTHORITY\ANONYMOUS LOGON failed
    : error.
    :
    : Things I have tried are putting an account in the identity tag <identity
    : impersonate="true" userName="domain\username" password="password" />
    : this works but I would rather know the username of the actual person going
    : to the website and retrieving data than this default user.
    :
    : Can anyone explain what is happening and why I get NT AUTHORITY\ANONYMOUS
    : LOGON failed error and give any suggestions on a fix.
    :
    : Thanks
    :
     
    Ken Schaefer, Apr 7, 2004
    #3
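Ken's options a) and b) both come down to telling Active Directory that the account the IIS worker process runs as may delegate the impersonated user's identity to SQL Server. The block below is an added example, not code from the thread, showing that setup as Kerberos constrained delegation with optional protocol transition, using the ActiveDirectory PowerShell module (a later tool than this 2004 discussion); the host names WEB01 and SQL01, the domain corp.example.com and the service account CORP\svcSql are assumed placeholders.

```powershell
# Added example, not from the thread. Constructed names: IIS host WEB01 (app pool running as
# Network Service, so delegation is granted to the computer account), SQL host SQL01, domain
# corp.example.com, SQL Server service account CORP\svcSql. Run as a domain admin on a
# domain-joined machine with RSAT / the ActiveDirectory module installed.
Import-Module ActiveDirectory

$sqlSpns = @('MSSQLSvc/sql01.corp.example.com:1433', 'MSSQLSvc/sql01.corp.example.com')

# 1. Clients must be able to get a Kerberos ticket for the web site. With Network Service the
#    HOST/ SPN of the computer account normally covers HTTP, but a custom host header needs its
#    own HTTP SPN (cf. the 401.3 article Ken links).
setspn -S HTTP/web01.corp.example.com WEB01

# 2. SQL Server needs SPNs on the account its service runs as. Without them the second hop
#    falls back to NTLM, the token cannot be forwarded, and SQL sees NT AUTHORITY\ANONYMOUS LOGON.
foreach ($spn in $sqlSpns) {
    setspn -S $spn CORP\svcSql
}

# 3. Constrained delegation (Ken's option a, tightened): WEB01 may delegate only to the SQL
#    SPNs listed here, not to every service in the forest as unconstrained delegation would.
#    If the app pool ran as a domain user instead, apply the same attribute with Set-ADUser.
Set-ADComputer -Identity WEB01 -Add @{'msDS-AllowedToDelegateTo' = $sqlSpns}

# 4. Protocol transition (Ken's option b): lets WEB01 obtain a Kerberos ticket for users who
#    authenticated to IIS with NTLM or Digest. Omit this line if every client can do Kerberos,
#    since it widens what the web server account is trusted to do.
Set-ADAccountControl -Identity 'WEB01$' -TrustedToAuthForDelegation $true

# Verification: the computer object should list exactly the SQL SPNs and nothing else.
Get-ADComputer -Identity WEB01 -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

Once this is in place the cleartext userName/password in the identity tag is no longer needed, and SQL Server auditing will show the real domain user rather than a shared account.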