Integrated Authentication with SQL

Discussion in 'ASP .Net Security' started by Scott Elgram, Oct 5, 2005.

  1. Scott Elgram

    Hello,
    I am trying to create a site using integrated Windows authentication to
    access SQL databases. All the tutorials I have found so far require that
    both SQL Server and IIS reside on the same server. This is a problem for me
    because I need to access multiple SQL servers from the same site, so a
    stand-alone web server would be ideal.
    From what I have been able to gather so far:
    - "Anonymous Access" is unchecked and "Windows Integrated
    Authentication" is checked in IIS
    - The machine running IIS must be set as "trusted for delegation" in
    Active Directory.
    - The domain user accounts that will be accessing the databases and
    site must not be marked "Account is sensitive and cannot be delegated".
    - The tags <identity impersonate="true"> and <authentication
    mode="Windows"> are set in web.config
    - comImpersonationLevel="Delegate" and
    comAuthenticationLevel="PktPrivacy" are set in machine.config
    After all that is set, the connection string "server=SQLserver;
    Integrated Security=SSPI; Trusted_Connection=YES; database=SQLdatabase"
    should be able to connect to the SQL database using the client's credentials.
    However, I receive the following error:
    --------------------------------------------------------------------
    Exception Details: System.Data.SqlClient.SqlException: Login failed for user
    'NT AUTHORITY\ANONYMOUS LOGON'.

    Stack Trace:

    [SqlException: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.]
    System.Data.SqlClient.ConnectionPool.GetConnection(Boolean& isInTransaction) +472
    System.Data.SqlClient.SqlConnectionPoolManager.GetPooledConnection(SqlConnectionString options, Boolean& isInTransaction) +370
    System.Data.SqlClient.SqlConnection.Open() +383
    Rules.WebForm1.Page_Load(Object sender, EventArgs e) in d:\inetpub\wwwroot\rules\rules.aspx.cs:47
    System.Web.UI.Control.OnLoad(EventArgs e) +67
    System.Web.UI.Control.LoadRecursive() +35
    System.Web.UI.Page.ProcessRequestMain() +750
    --------------------------------------------------------------------

    Any help in resolving this problem would be greatly appreciated.

    Thanks,

    --
    -Scott
     
    Scott Elgram, Oct 5, 2005
    #1

  2. Dominick Baier [DevelopMentor]

    Hello Scott,

    Delegation only works if you use Kerberos end-to-end. I guess that if you
    look in the security log on the web server, you will see a logon event for
    the client, but the authentication package is NTLM.

    Read more here:
    http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/default.aspx
    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    Dominick Baier [DevelopMentor], Oct 5, 2005
    #2

  3. Scott Elgram

    Is there a way to have it use Kerberos so the credentials can be passed to
    the SQL server?

    -scott

    Scott Elgram, Oct 5, 2005
    #3
  4. Peter Jakab

    Scott, are you sure that in IIS Manager for the application you disabled
    anonymous access?

    (Find your application, right-click, Properties, Directory Security,
    Anonymous access and identity control, click Edit, and be sure that
    anonymous access is unchecked AND Integrated Windows authentication is
    checked.)

    It should work in case there is just 1 hop!

    Best regards

    Peter

    Peter Jakab, Oct 7, 2005
    #4
  5. Scott Elgram

    Yeup, quite sure.
    From what I have been reading, there are two methods Windows can use in
    this instance. The first is NTLM, which is what is being used most often and
    where I think my problem is. NTLM does not allow for authentication past a
    single hop and therefore cannot delegate or do anything fancy like that. What I
    need to use is the second method. Kerberos can impersonate, delegate and
    make additional hops. My problem, I think, is that Kerberos is not being
    used, but I really don't know enough about it to troubleshoot it and have
    found very little online about exactly how to set this up.
    I was using Windows 2k with IIS 5, but because this is all experimental
    for me right now I have upgraded to Windows 2k3 and IIS 6 to see if that
    makes any difference.

    -Scott

    Scott Elgram, Oct 7, 2005
    #5
  6. Peter Jakab

    See

    http://support.microsoft.com/?id=215383

    In IIS 6 the metabase is an XML file that you can edit with Notepad.

    http://www.microsoft.com/technet/pr...IIS/7258232a-5e16-4a83-b76e-11e07c3f2615.mspx

    I think Kerberos cannot be forced; Negotiate means it tries Kerberos and,
    when that fails, switches to NTLM.

    Regards

    Peter




    Peter Jakab, Oct 7, 2005
    #6
  7. Dominick Baier [DevelopMentor]

    Hello Scott,

    Read the article I pointed you to:
    http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/default.aspx

    It contains all the answers.
    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    Dominick Baier [DevelopMentor], Oct 7, 2005
    #7
  8. Scott Elgram

    Dominick,
    Thanks for that article. It was a big help, especially for
    understanding the SetSPN.exe utility. However, it still doesn't seem to
    work. I have even written to the author to see if he can help.

    -Scott
    Scott Elgram, Oct 7, 2005
    #8
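    Peter's remark that Negotiate silently falls back to NTLM when Kerberos fails, together with the SetSPN.exe utility Scott mentions above, points at the first thing to verify on a two-hop setup: that the service principal names for both hops exist exactly once and on the right account. The check below is an added example, not code from the thread; the SPN inventory, the account names (CONTOSO\WEB01$, CONTOSO\svc-sql) and the host names are constructed placeholders, and the HOST-covers-HTTP shortcut applies when the IIS worker process runs as Network Service, which authenticates as the machine account.

```python
from collections import defaultdict

# Constructed SPN inventory (placeholder accounts and hosts): account -> SPNs
# registered on it. In a real domain this would come from `setspn -L <account>`.
SPN_INVENTORY = {
    "CONTOSO\\WEB01$": ["HOST/WEB01", "HOST/web01.contoso.local",
                        "HTTP/web01.contoso.local"],
    "CONTOSO\\svc-sql": ["MSSQLSvc/sql01.contoso.local:1433"],
    "CONTOSO\\SQL01$": ["HOST/SQL01", "HOST/sql01.contoso.local"],
}


def index_spns(inventory):
    """Invert account -> SPNs into spn -> [accounts]; SPNs compare case-insensitively."""
    owners = defaultdict(list)
    for account, spns in inventory.items():
        for spn in spns:
            owners[spn.lower()].append(account)
    return owners


def check_spn(owners, spn, expected_account):
    """Return 'ok', 'missing', 'duplicate' or 'wrong_account' for one SPN.

    A duplicate SPN makes the KDC refuse to issue a service ticket, and a missing
    or misplaced one leaves Negotiate no choice but NTLM, so any verdict other
    than 'ok' means that hop cannot be Kerberos and therefore cannot be delegated.
    """
    accounts = owners.get(spn.lower(), [])
    if not accounts:
        return "missing"
    if len(accounts) > 1:
        return "duplicate"
    if accounts[0].lower() != expected_account.lower():
        return "wrong_account"
    return "ok"


def check_delegation_chain(inventory, web_hosts, web_account,
                           sql_host, sql_port, sql_account):
    """Hop 1 (browser -> IIS): every host name clients use for the site needs an
    HTTP/<name> SPN on the worker-process account.  Hop 2 (IIS -> SQL Server):
    the instance needs MSSQLSvc/<fqdn>:<port> on the SQL service account.
    Returns {spn: verdict}."""
    owners = index_spns(inventory)
    results = {}
    for host in web_hosts:
        spn = "HTTP/" + host
        verdict = check_spn(owners, spn, web_account)
        # Network Service authenticates as the machine account, whose HOST/<name>
        # SPN already covers HTTP, so a missing explicit HTTP/ SPN is fine then.
        if (verdict == "missing" and web_account.endswith("$")
                and check_spn(owners, "HOST/" + host, web_account) == "ok"):
            verdict = "ok_via_host"
        results[spn] = verdict
    sql_spn = "MSSQLSvc/%s:%d" % (sql_host, sql_port)
    results[sql_spn] = check_spn(owners, sql_spn, sql_account)
    return results


if __name__ == "__main__":
    report = check_delegation_chain(
        SPN_INVENTORY,
        web_hosts=["WEB01", "web01.contoso.local"],
        web_account="CONTOSO\\WEB01$",
        sql_host="sql01.contoso.local", sql_port=1433,
        sql_account="CONTOSO\\svc-sql")
    for spn, verdict in report.items():
        print("%-40s %s" % (spn, verdict))
```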
  9. Scott Elgram

    Peter,
    On the IIS level there is no trouble authenticating with Kerberos. I
    have "Windows Integrated Authentication" as the only option checked for the
    entire site and have no trouble accessing any other part. It seems that the
    problem is when I try to flow those credentials over to the SQL server.
    I have turned on auditing of successful logon events for the web server
    and the SQL server. When I try to access the site I receive the following
    record in the web server's event log:
    --------------------------------------------------------------------------------
    Date: 10/07/2005 Source: Security
    Time: 10:40 Category: Logon/Logoff
    Type: Success Event ID: 540
    User: <domain>\<username>
    Computer: WEB01

    Description:
    Successful Network Logon:
    User Name: <username>
    Domain: <domain>
    Logon ID: (0x0,0x4EACB)
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Workstation Name:
    Logon GUID: {207e942d-6d16-5a6e-630c-d466379edfea}
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: 192.168.0.103
    Source Port: 1412
    --------------------------------------------------------------------------------
    This, I think, is good. I have no problem accessing any other part of
    the site that uses Integrated Authentication. However, I have noticed that
    for every one of the above entries on the web server I have the following
    entry on the SQL server.
    --------------------------------------------------------------------------------
    Date: 10/07/2005 Source: Security
    Time: 10:40 Category: Logon/Logoff
    Type: Success Event ID: 538
    User: NT AUTHORITY\ANONYMOUS LOGON
    Computer: SQL01

    Description:
    User Logoff:
    User Name: ANONYMOUS LOGON
    Domain: NT AUTHORITY
    Logon ID: (0x0,0x17BA0E)
    Logon Type: 3
    --------------------------------------------------------------------------------
    If I am understanding this correctly, then the credentials being used to
    access the site are not flowing to the SQL server as I had intended. The
    part that puzzles me here, aside from it not working, is that this entry is
    "User Logoff".
    Perhaps I am missing some small setting or detail?

    -Scott

    "Peter Jakab" <> wrote in message
    news:...
    > See
    >
    > http://support.microsoft.com/?id=215383
    >
    > In IIS 6 the metabase is an XML file that you can edit with notepad.
    >
    >
    > http://www.microsoft.com/technet/pr...IIS/7258232a-5e16-4a83-b76e-11e07c3f2615.mspx
    >
    > I think, Kerberos cannot be forced, Negotiate means: it tries with
    > Kerberos, when it fails, switches to NTLM.
    >
    > Regards
    >
    > Peter
    >
    >
    >
    >
    > "Scott Elgram" <> wrote in message
    > news:...
    > > Yeup, quite sure.
    > > From what I have been reading there are two methods windows can use in
    > > this instance. The first is NTLM which is what is being used most often
    > > and where I think my problem is. NTLM does not allow for authentication
    > > past single hop and therefore can delegate or do anything fancy like that.
    > > What I need to use is the second method. Kerberos can impersonate, delegate
    > > and make additional hops. My problem, I think, is that Kerberos is not
    > > being used but I really don't know enough about it to troubleshoot it and
    > > have found very little online about exactly how to set this up.
    > > I was using Windows 2k with IIS 5 but because this is all experimental
    > > for me right now I have upgraded to Windows 2k3 and IIS 6 to see if that
    > > makes any difference.
    > >
    > > -Scott
    > >
    > > "Peter Jakab" <> wrote in message
    > > news:...
    > >> Scott, are you sure, that in IIS manager for the application you
    > >> disabled anonymous access?
    > >>
    > >> (find your application, right click, properties, directory security,
    > >> anonymous access and identity control, click edit, and be sure that
    > >> anonymous access is unchecked, AND integrated windows authentication is
    > >> checked)
    > >>
    > >> It should work, in case there is just 1 hop!
    > >>
    > >> Best regards
    > >>
    > >> Peter
    > >>
    > >> "Scott Elgram" <> wrote in message
    > >> news:...
    > >> > Hello,
    > >> > I am trying to create a site using integrated windows authentication to
    > >> > access SQL databases. All the tutorials I have found so far require that
    > >> > both SQL server and IIS reside on the same server. This is a problem for
    > >> > me because I need to access multiple SQL servers from the same site so a
    > >> > stand alone web server would be ideal.
    > >> > From what I have been able to gather so far:
    > >> > - "Anonymous Access" is unchecked and "Windows Integrated
    > >> > Authentication" is checked in IIS
    > >> > - The machine running IIS must be set as "trusted for delegation"
    > >> > in active directory.
    > >> > - The domain user accounts that will be accessing the databases and
    > >> > site must not be marked "Account is sensitive and cannot be delegated".
    > >> > - The tags <Identity impersonate="true"> and <Authentication
    > >> > mode="windows"> are set in web.config
    > >> > - comImpersonationLevel="Delegate" and
    > >> > comAuthenticationLevel="PktPrivacy" are set in machine.config
    > >> > After all that is set then the connection string "server=SQLserver;
    > >> > Integrated Security=SSPI; Trusted_Connection=YES; database=SQLdatabase"
    > >> > should be able to connect to the SQL database using the client's
    > >> > credentials.
    > >> > However, I receive the following error:
    > >> > --------------------------------------------------------------------
    > >> > Exception Details: System.Data.SqlClient.SqlException: Login failed for
    > >> > user 'NT AUTHORITY\ANONYMOUS LOGON'.
    > >> >
    > >> > Stack Trace:
    > >> >
    > >> > [SqlException: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.]
    > >> > System.Data.SqlClient.ConnectionPool.GetConnection(Boolean&
    > >> > isInTransaction) +472
    > >> >
    > >> > System.Data.SqlClient.SqlConnectionPoolManager.GetPooledConnection(SqlConnec
    > >> > tionString options, Boolean& isInTransaction) +370
    > >> > System.Data.SqlClient.SqlConnection.Open() +383
    > >> > Rules.WebForm1.Page_Load(Object sender, EventArgs e) in
    > >> > d:\inetpub\wwwroot\rules\rules.aspx.cs:47
    > >> > System.Web.UI.Control.OnLoad(EventArgs e) +67
    > >> > System.Web.UI.Control.LoadRecursive() +35
    > >> > System.Web.UI.Page.ProcessRequestMain() +750
    > >> > --------------------------------------------------------------------
    > >> >
    > >> > Any help in resolving this problem would be greatly appreciated.
    > >> >
    > >> > Thanks,
    > >> >
    > >> > --
    > >> > -Scott
    > >> >
    > >> >
     
    Scott Elgram, Oct 7, 2005
    #9
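Added example, not from the thread or from Scott's setup: a small Python parser over constructed audit records shaped like the two quoted above (web server logon with Kerberos, SQL server entry for NT AUTHORITY\ANONYMOUS LOGON), which classifies whether the user's credentials made the second hop. The account CORP\jdoe and the field values are constructed; only the record layout follows the quoted events.

```python
import re

# Constructed records modelled on the two events quoted in the thread: a
# Kerberos network logon (540) on WEB01 and an ANONYMOUS LOGON entry on SQL01.
WEB01_RECORD = """Type: Success Event ID: 540
User: CORP\\jdoe
Computer: WEB01
Description:
Successful Network Logon:
User Name: jdoe
Domain: CORP
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Source Network Address: 192.168.0.103"""

SQL01_RECORD = """Type: Success Event ID: 538
User: NT AUTHORITY\\ANONYMOUS LOGON
Computer: SQL01
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon Type: 3"""

# "Key: value" pairs; a lookahead stops the value where a second key starts on
# the same line, e.g. "Type: Success Event ID: 540".
FIELD = re.compile(r"([A-Z][A-Za-z]*(?: [A-Z][A-Za-z]*)*): ?(.*?)(?=(?: [A-Z][A-Za-z]*)+: |$)")

def parse_record(text):
    """Split a Windows 2003-style Security audit record into a field dict."""
    fields = {}
    for line in text.splitlines():
        for key, value in FIELD.findall(line.strip()):
            fields[key] = value.strip()
    return fields

def diagnose_double_hop(web_record, sql_record):
    """Say what the web/SQL record pair implies about credential delegation."""
    web, sql = parse_record(web_record), parse_record(sql_record)
    if sql.get("User Name") == "ANONYMOUS LOGON" and sql.get("Domain") == "NT AUTHORITY":
        # SQL Server saw a null session: the user's credentials did not flow.
        if web.get("Authentication Package") != "Kerberos":
            return "ntlm-first-hop"        # Negotiate fell back to NTLM, which cannot delegate
        return "kerberos-no-delegation"    # Kerberos on hop one, but delegation not in effect
    if sql.get("User Name") == web.get("User Name") and sql.get("Domain") == web.get("Domain"):
        return "delegated"                 # same account reached SQL Server
    return "unknown"
```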
