Web Server connecting to db server on different machines

Discussion in 'ASP .Net Security' started by Ben, Mar 28, 2006.

  1. Ben

    Ben Guest

    Hello

    I'm creating an asp.net web app that will need to connect to a SQL Server db
    on another machine. I have set this up using trusted connections and
    impersonation in the web.config file but I am getting a "Login failed for
    user 'NT AUTHORITY\ANONYMOUS LOGON'" message. I need this to work through
    domain accounts on both machines.

    Currently, it will work if I am using the machine where the web app resides
    (ie. http://localhost/webapp/page.aspx) but I get the above message when
    using another remote machine.

    Any help is appreciated.
    Ben
     
    Ben, Mar 28, 2006
    #1

  2. Dominick Baier

    http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/default.aspx

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Hello
    >
    > I'm creating an asp.net web app that will need to connect to a SQL
    > Server db on another machine. I have set this up using trusted
    > connections and impersonation in the web.config file but I am getting
    > a "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" message. I
    > need this to work through domain accounts on both machines.
    >
    > Currently, it will work if I am using the machine where the web app
    > resides (ie. http://localhost/webapp/page.aspx) but I get the above
    > message when using another remote machine.
    >
    > Any help is appreciated.
    > Ben
     
    Dominick Baier [DevelopMentor], Mar 28, 2006
    #2

  3. Ben

    Ben Guest

    Thank you.

    Seeing as I may not be able to convince our AD services group to do this, is
    there another option?

    Thanks.


    "Dominick Baier [DevelopMentor]" wrote:

    > http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/default.aspx
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
     
    Ben, Mar 28, 2006
    #3
  4. Ben

    Ben Guest

    Sorry for the question, but do you have a link that describes the trusted
    subsystem design?

    Thanks for your help!

    "Dominick Baier [DevelopMentor]" wrote:

    > Hi,
    >
    > if you want to delegate client credentials - Kerberos is the only way to go.
    >
    > You could disable delegation and use a trusted subsystem design to access
    > the back-end resources.
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
     
    Ben, Mar 28, 2006
    #4
  5. Ben

    Ben Guest

    Dominick

    Thanks for the replies (again).

    That solution won't work for us as we are building security into the
    database to identify which data a user has access to based on their domain
    account.

    I will have to investigate either delegation or having the web server reside
    on the same machine as the database.

    Thanks again.

    "Dominick Baier [DevelopMentor]" wrote:

    > hi - no problem -
    >
    > not really a good one -
    >
    > but the general idea is that you do authentication, authorization and auditing
    > in the middle tier and access the back-end resource using the middle tier
    > server credentials as opposed to the client ones...
    >
    >
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
     
    Ben, Mar 28, 2006
    #5
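Before choosing between delegation and a trusted subsystem, it helps to see which login and which authentication scheme actually reach SQL Server from the web server. The script below is an added diagnostic written for this thread, not code from any poster. It assumes Windows PowerShell on the .NET Framework (`System.Data.SqlClient`), SQL Server 2005 or later (for `sys.dm_exec_connections`), and that it is run on the web server under the account the application pool uses; `dbhost.corp.example` is a placeholder host name.

```powershell
# Added diagnostic for this thread (not code from any poster). Checks the first hop from
# the web server to SQL Server: which login arrives and whether Kerberos or NTLM was used.
# Assumptions: Windows PowerShell (.NET Framework, System.Data.SqlClient), SQL Server 2005 or
# later (sys.dm_exec_connections), and that this runs on the web server under the account the
# application pool uses. 'dbhost.corp.example' is a placeholder for the database host.

function Get-SqlConnectionAuth {
    param([Parameter(Mandatory = $true)][string]$Server)

    # Use the FQDN; connecting by IP address stops the client from building an SPN,
    # so it silently falls back to NTLM even when Kerberos is configured correctly.
    $connString = "Server=$Server;Database=master;Integrated Security=SSPI;"
    $query = @'
SELECT SUSER_SNAME()   AS login_name,
       c.auth_scheme   AS auth_scheme,
       c.net_transport AS net_transport
FROM   sys.dm_exec_connections AS c
WHERE  c.session_id = @@SPID;
'@

    $conn = New-Object System.Data.SqlClient.SqlConnection $connString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            [pscustomobject]@{
                LoginName    = $reader['login_name']
                AuthScheme   = $reader['auth_scheme']     # 'KERBEROS', 'NTLM' or 'SQL'
                NetTransport = $reader['net_transport']
                Error        = $null
            }
        }
        $reader.Close()
    }
    catch [System.Data.SqlClient.SqlException] {
        # The web app's "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" is this kind of
        # failure: the web server holds no credential it is allowed to forward for the caller.
        [pscustomobject]@{
            LoginName = $null; AuthScheme = 'FAILED'; NetTransport = $null
            Error     = $_.Exception.Message
        }
    }
    finally {
        $conn.Dispose()
    }
}

function Get-SqlAuthExplanation {
    param([Parameter(Mandatory = $true)][pscustomobject]$Result)
    switch ($Result.AuthScheme) {
        'KERBEROS' { "Kerberos to SQL Server works as $($Result.LoginName). If remote browsers " +
                     "still fail, the missing piece is delegation from the web server account " +
                     "to the SQL Server SPN (the second hop)." }
        'NTLM'     { "NTLM was used: no Kerberos ticket could be obtained for SQL Server " +
                     "(missing or duplicate MSSQLSvc SPN, or an IP address in the connection " +
                     "string). Delegation cannot work until this hop is Kerberos." }
        'FAILED'   { "Connection failed: $($Result.Error)" }
        default    { "Unexpected auth_scheme '$($Result.AuthScheme)' (SQL logins report 'SQL')." }
    }
}

# Usage: placeholder host; run as the application pool account (e.g. via runas).
$result = Get-SqlConnectionAuth -Server 'dbhost.corp.example'
$result | Format-List
Get-SqlAuthExplanation -Result $result

# Optional cross-check of the local ticket cache (klist.exe, Windows 7 / Server 2008 R2 and later):
# a Kerberos hop leaves an MSSQLSvc service ticket behind.
klist 2>$null | Select-String -Pattern 'MSSQLSvc'
```

If `auth_scheme` comes back as `NTLM` from the web server's own account, fixing SPNs comes before any delegation work; if it is `KERBEROS` and remote users still get the anonymous-logon error, the web server account simply is not permitted to delegate to SQL Server.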
  6. Joe Kaplan

    Setting up the various SPNs and enabling constrained delegation (if your AD
    is 2003) isn't a big deal and is quite secure. If they are concerned about
    their privileged domain admin accounts being delegated, they can flag them
    as "sensitive and cannot be delegated".

    Joe K.

    "Ben" <ben_1_ AT hotmail DOT com> wrote in message
    news:...
    > Dominick
    >
    > Thanks for the replies (again).
    >
    > That solution wont work for use as we are building security into the
    > database to identify which data a user has access to based on their domain
    > account.
    >
    > I will have to investigate either delegation or having the web server
    > reside
    > on the same machine as the database.
    >
    > Thanks again.
     
    Joe Kaplan (MVP - ADSI), Mar 31, 2006
    #6
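The three pieces Joe describes (register the SPNs, constrain the web tier's delegation to the SQL Server service only, and flag privileged accounts as sensitive) map onto a short administrative script. The block below is an added example for this thread, not code from any poster; it assumes the ActiveDirectory PowerShell module (RSAT) rather than the 2003-era GUI tools, an account with rights to edit the objects involved, and placeholder names for the hosts and service accounts (`dbhost.corp.example`, `svc-sql`, `svc-webapp`, `da-alice`, `da-bob`).

```powershell
# Added example (not from the thread): Kerberos constrained delegation for a web tier -> SQL
# Server hop, plus protection of privileged accounts from being delegated at all.
# Assumptions: ActiveDirectory module (RSAT) available, caller may edit these accounts, domain
# supports constrained delegation (Windows Server 2003 or later). All names are placeholders.
Import-Module ActiveDirectory

$SqlHost    = 'dbhost.corp.example'   # FQDN the web app uses in its connection string
$WebHost    = 'webhost.corp.example'  # host name users browse to
$SqlSvcAcct = 'svc-sql'               # account the SQL Server service runs as
$WebSvcAcct = 'svc-webapp'            # account the IIS application pool runs as
$SensitiveAccounts = @('da-alice', 'da-bob')   # privileged accounts that must never be delegated

$SqlSpns = @("MSSQLSvc/$($SqlHost):1433", "MSSQLSvc/$SqlHost")

function Register-TierSpns {
    # SPNs let clients request Kerberos tickets for each service. Without the MSSQLSvc SPN
    # the web server falls back to NTLM and the second hop arrives as ANONYMOUS LOGON.
    Set-ADUser -Identity $SqlSvcAcct -ServicePrincipalNames @{ Add = $SqlSpns }
    # The HTTP SPN makes the browser -> IIS hop Kerberos too, which delegation requires.
    Set-ADUser -Identity $WebSvcAcct -ServicePrincipalNames @{
        Add = "HTTP/$WebHost", "HTTP/$($WebHost.Split('.')[0])"
    }
}

function Enable-ConstrainedDelegation {
    # Let the web tier account delegate only to the SQL Server SPNs (constrained), and only
    # when it holds a real Kerberos ticket from the user (no protocol transition).
    Set-ADUser -Identity $WebSvcAcct -Add @{ 'msDS-AllowedToDelegateTo' = $SqlSpns }
    Set-ADAccountControl -Identity $WebSvcAcct -TrustedToAuthForDelegation $false
    Set-ADAccountControl -Identity $WebSvcAcct -TrustedForDelegation $false   # never unconstrained
    # If the app pool runs as Network Service instead, apply the same two settings to the
    # web server's computer account (Set-ADComputer / Set-ADAccountControl).
}

function Protect-PrivilegedAccounts {
    # "Sensitive and cannot be delegated": the KDC will not issue forwardable tickets for
    # these accounts, so a compromised web tier cannot act as them against SQL Server.
    foreach ($acct in $SensitiveAccounts) {
        Set-ADAccountControl -Identity $acct -AccountNotDelegated $true
    }
}

function Test-DelegationConfig {
    # Read the settings back so the change can be verified and kept in an audit record.
    $web = Get-ADUser -Identity $WebSvcAcct -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation
    [pscustomobject]@{
        Account                 = $web.SamAccountName
        AllowedToDelegateTo     = $web.'msDS-AllowedToDelegateTo' -join ', '
        UnconstrainedDelegation = $web.TrustedForDelegation        # expected: False
        ProtocolTransition      = $web.TrustedToAuthForDelegation  # expected: False
    }
    foreach ($acct in $SensitiveAccounts) {
        $u = Get-ADUser -Identity $acct -Properties AccountNotDelegated
        [pscustomobject]@{ Account = $u.SamAccountName; AccountNotDelegated = $u.AccountNotDelegated }
    }
}

Register-TierSpns
Enable-ConstrainedDelegation
Protect-PrivilegedAccounts
Test-DelegationConfig | Format-List
```

The verification function is the part worth keeping around: `TrustedForDelegation` staying `False` is what separates constrained from unconstrained delegation, and `AccountNotDelegated` being `True` on the domain admin accounts is the control Joe suggests for the AD group's concern.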