Windows authentication from ASP.net application to Sql Server

Alice Wong

I am setting up my Web ASP.net application to connect to Sql server using
windows authentication.

I set up IIS to have integrated windows authentication and sql to allow
Windows authentication. And I turn anonymous login.

I use this connection to connect.
server={0};database={1};Integrated Security=SSPI
where {0} servname and {1} database name

I got the following error:
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

I am wondering what is the correct setup for the IIS and Sql Server.

thanks,
Alice
 
Guest

If you want to use Windows Auth you will have to turn off anon access and use
impersonation.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

***************************
Think Outside the Box!
***************************
 
Alice Wong

YEAH... I did turn off anonymous access and set impersonation to true in
web.config
 
Paul Henderson

IIS's Integrated Windows Authentication means that the website pages
will be accessed/executed under the user account of the user requesting
them (for requests that come from users on the same domain as the
webserver); so, the ASP process should be running in the context of
whoever's accessing the site, not ANONYMOUS USER, as the error message
implies it is. So, you should check the directory security for the
relevant folders/site really *is* set to prevent anonymous access (and
also put a check in the ASP code to see what account it's running
under).

However, if you do use IWA + ASP impersonation, then the data access
should be done under a different account, as otherwise you'd have to
grant all your domain users rights to connect to the database server
(as the data access would be done in the context of their accounts).
You could impersonate a specific account for when you need access to
the database, and then grant that account rights to log in to the SQL
Server, by giving it the T-SQL command EXEC sp_grantlogin 'username'
where username is the qualified name of the account.
 
Alice Wong

yeah.. let's say the SQL server has Windows authentication. Anyone within
the domain can access to the db server. I would like to authenticate
according to their windows user information instead of granting a specific
account to the db. Can we do that?
 
Steven Cheng[MSFT]

Hi Alice,

I assume that you've correctly configured the IIS to authenticate client
with windows authentication and also use windows authentication in asp.net
application and turn on impersonate (<identity impersonate="true".... /> ),
also you can use System.

Still one question, is your sqlserver instance installed on another remote
server or on the same server with the IIS/ASP.Net? As for the IIS's
integrated windows authenticated user (also impersonated in asp.net), their
security context (NT logon session) only works on the server where IIS and
ASPNET reside. So if SqlServer is on another remote machine, the
IIS/ASP.NET's security context can not be forwarded to that remote machine
(no double hops). This is an existing limitation of the NTLM
authentication ....

If we need to let the windows user context be able to hop to the remote
sqlserver, we have the following means:

1. Use basic authentication instead of integrated windows, this will force
the client user to input clear text username/password. So this is always
used together with HTTPS/SSL secure channel....

2. Use a single fixed impersonate account , like
<identity impersonate="true" userName="xxx" password="xxx"/>


In addition, there does exist a solution for windows authenticated security
token being forwarded across multiple server hops, but that requires
client/server to use restricted kerberos delegation which has critical
requirement on clientside and serverside.....

For general info on ASP.NET delegation:


#ASP.NET Delegation
http://msdn.microsoft.com/library/en-us/vsent7/html/vxconaspnetdelega...


#How to configure an ASP.NET application for a delegation scenario
http://support.microsoft.com/default.aspx?scid=kb;en-us;810572


#How To: Use Impersonation and Delegation in ASP.NET 2.0
http://msdn.microsoft.com/library/en-us/dnpag2/html/paght000023.asp?f...
ue


When the webserver is WIN2K, there needs more configuration due to the
win2k server's particular OS security setting....


#How To Implement Kerberos Delegation for Windows 2000
http://msdn.microsoft.com/library/en-us/secmod/html/secmod19.asp?fram...


#Understanding Kerberos Credential Delegation in Windows 2000 Using the
TktView Utility
http://msdn.microsoft.com/msdnmag/issues/0500/security/default.aspx


Hope helps. Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)


 
Steven Cheng[MSFT]

Hi Alice,

How are you doing on this issue, does my last reply help you a little? If
there's anything else we can help with, please feel free to post here.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Joined
Dec 18, 2008
Messages
1
Reaction score
0
I recommend using <identity impersonate="false"/>

That means your application will be running in the context of Application Pool Identity (IIS), so any further connections will be done with this one service account e.g. all connections to your database. You may also be interested in how to check in .Net which user is accessing your website and which context you are actually running. Please see an example at malcan.com/EN/Lists/Tips%20and%20tricks/DispForm.aspx?ID=6
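
The three identity settings discussed in this thread, side by side in one web.config. This is an added example, not part of any poster's reply; CONTOSO\svc_webapp and the password are placeholders, and the deny rule for anonymous users is an addition that is not mentioned in the thread.

```xml
<!-- Added example, not from the thread. CONTOSO\svc_webapp and the password
     are placeholders. Only one <identity> element may be active at a time. -->
<configuration>
  <system.web>
    <!-- Take the caller's identity from IIS and reject unauthenticated
         requests in ASP.NET as well as in IIS directory security. -->
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Option 1 (Alice's setup): run each request as the browsing user.
         With Integrated Security=SSPI this reaches SQL Server as that user
         only when SQL Server is on the web server itself; for a remote
         SQL Server it needs Basic authentication over HTTPS or Kerberos
         delegation, as Steven describes. -->
    <!-- <identity impersonate="true" /> -->

    <!-- Option 2 (Steven's fixed account): every request, and so every
         SQL connection, runs as one account. The password sits in clear
         text in this file, so restrict who can read it. -->
    <!-- <identity impersonate="true"
                   userName="CONTOSO\svc_webapp" password="PLACEHOLDER" /> -->

    <!-- Option 3 (last reply): no impersonation. SQL connections are made
         as the application pool identity; grant only that account a login. -->
    <identity impersonate="false" />
  </system.web>
</configuration>
```

With options 2 and 3, SQL Server needs a login for one account only (the sp_grantlogin step Paul mentions) instead of one for every domain user.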
 
