Integrated Security

Discussion in 'ASP .Net Security' started by Arnold, Sep 11, 2003.

  1. Arnold

    Arnold Guest

    I'm trying to log on to SQL Server 2000 via an ASP.NET
    page using SqlClient with integrated security. I get the
    error message "invalid login NT_AUTHORITY/ANNONYMOUS". I
    believe I have all the web.config settings correct
    because I can get the page to work as long as it is on the
    same computer as the WebServer (the sqlserver is on a
    different machine). As soon as I access the page from a
    client (browser not on same machine as web server) I get
    the message. I'd appreciate any ideas.

    TIA,

    Arnold
    Arnold, Sep 11, 2003
    #1

  2. Arnold

    Stefan Guest

    Do you have anonymous enabled in IIS?
    If so --> disable anonymous.
    Stefan, Sep 11, 2003
    #2

  3. Arnold

    Arnold Guest

    Forgot to mention the fact that I did have that set but I
    realized it and fixed that. So, in answer to your
    question, no, anonymous is not enabled.

    Arnold
    Arnold, Sep 11, 2003
    #3
  4. Arnold

    Stefan Guest

    Try to use the impersonation attribute in the web.config file:
    <identity impersonate="true" />
    so you get the identified token from IIS.
    Stefan, Sep 11, 2003
    #4
  5. Arnold

    Arnold Guest

    Yes, that is set also.
    Arnold, Sep 11, 2003
    #5
  6. Arnold

    Lior Amar Guest

    I'm pretty sure I know what the problem is, but before I answer, just tell me:
    are the WebServer and SQL server on the same machine?

    Lior
    Lior Amar, Sep 11, 2003
    #6
  7. Arnold

    Arnold Guest

    No, they are not.
    Arnold
    Arnold, Sep 11, 2003
    #7
  8. Arnold

    Lior Amar Guest

    Strange, the only thing that can mean is no impersonation. When you print
    out the System.Security.Principal.WindowsIdentity.GetCurrent.Name does it
    show ASPNET, SYSTEM or the Logged on User? I've seen a couple of instances
    where setting the Web.Config does not force impersonation but going into the
    Machine.Config and setting the Identity tag to impersonate and the
    authorization to Deny="?" does. Granted, both times I saw this, the Machine.Config
    had been set up to SYSTEM.

    SSPI should not fail when on the same machine so I would look more at your
    ASPNET setup. If you can send me the Web.Config and the Machine.Config I
    could better help you with it.

    Lior,



    Lior Amar, Sep 11, 2003
    #8
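
The identity check Lior asks for, extended to show the login SQL Server actually receives; this is an added example, not code from any poster in the thread. The handler name WhoAmIHandler and the server name SQLHOST are placeholders, and it assumes .NET Framework 2.0 or later (for ImpersonationLevel and the disposable impersonation context).

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

// Added diagnostic handler (hypothetical name). Remove it after troubleshooting.
public class WhoAmIHandler : IHttpHandler
{
    // Placeholder: replace SQLHOST with the name of the remote SQL Server.
    const string ConnStr =
        "Data Source=SQLHOST;Initial Catalog=master;Integrated Security=SSPI";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse r = context.Response;
        r.ContentType = "text/plain";

        // Identity on the current thread: the browser user when
        // <identity impersonate="true" /> is in effect, otherwise the process account.
        WindowsIdentity thread = WindowsIdentity.GetCurrent();
        r.Write("Thread identity : " + thread.Name + "\n");
        r.Write("  auth package  : " + thread.AuthenticationType + "\n");
        r.Write("  token level   : " + thread.ImpersonationLevel + "\n");

        // Identity IIS authenticated for this request (empty name = anonymous).
        IIdentity user = context.User == null ? null : context.User.Identity;
        bool anon = user == null || user.Name == "";
        r.Write("Request user    : " + (anon ? "(anonymous)" : user.Name) + "\n");

        // Revert to the worker process account (ASPNET, SYSTEM or a configured
        // processModel user) for the duration of the using block.
        using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            r.Write("Process identity: " + WindowsIdentity.GetCurrent().Name + "\n");
        }

        // Second hop: ask SQL Server which login it sees for this thread identity.
        try
        {
            using (SqlConnection cn = new SqlConnection(ConnStr))
            using (SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", cn))
            {
                cn.Open();
                r.Write("SQL Server login: " + cmd.ExecuteScalar() + "\n");
            }
        }
        catch (SqlException ex)
        {
            r.Write("SQL Server login failed: " + ex.Message + "\n");
        }
    }
}
```

Request it once from a browser on the web server and once from a remote client and compare the two outputs: with the symptom described in this thread, the identity lines match while only the remote request fails at the SQL Server step.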
  9. Lewis Wang [MSFT]

    Thanks Stefan, Lior for the suggestions.

    Hi Arnold,

    It's a Double-Hop Issue. Please check the following links for more
    information:

    264921 INFO: How IIS Authenticates Browser Clients
    http://support.microsoft.com/?id=264921

    What is the Double-Hop Issue?
    http://support.microsoft.com/?id=329986#3

    Here are two workarounds:

    Method A
    When the Web.config file is set to <identity impersonate="true"/> and
    <authentication mode="Windows"/>, use the Anonymous account with the following
    settings:

    1. On the ASPX page, set the security mechanism to Anonymous only.
    2. Clear the Allow IIS to control the password check box.
    3. Set the Anonymous account to be a domain user.

    Method B

    When Web.config and Machine.config are set as follows:

    1. When Web.config is set to <identity impersonate="false"/> and
    <authentication mode="Windows"/>
    2. When Machine.config is set to processModel
    username=Domain\username,password=secret
    3. If <identity impersonate="false"/> is set in the Web.config file, the credentials
    of the Base process are used. When you supply a domain user and password,
    you make it possible for IIS to pass a primary token to the SQL Server.

    Hope this helps.

    Best regards,
    Lewis

    This posting is provided "AS IS" with no warranties, and confers no rights.

    Lewis Wang [MSFT], Sep 12, 2003
    #9
  10. Arnold

    Lior Amar Guest

    That was where I was leaning towards but he said that the SQL server and IIS
    reside on the same machine which removes the possibility of it being a
    double hop. Double hops occur when credential delegation needs to be
    transferred from the 1st remote server to subsequent remote servers. This
    can only be accomplished using Kerberos v.5 which is available on 2K and up.

    From the sound of his problem, I would think it's more in the impersonation
    or the fact that ASPNET does just in time impersonation.

    Lior,


    Lior Amar, Sep 12, 2003
    #10
  11. Arnold

    Arnold Guest

    Lior,
    What e-mail should I use to send you my config files?

    Arnold
    Arnold, Sep 12, 2003
    #11