Hi Alice,

How are you doing on this issue? Does my last reply help you a little? If
there's anything else we can help with, please feel free to post here.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure!
www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
--------------------
| From: (e-mail address removed) (Steven Cheng[MSFT])
| Organization: Microsoft
| Date: Fri, 30 Dec 2005 03:22:43 GMT
| Subject: Re: Windows authentication from ASP.net application to Sql Server
| Newsgroups: microsoft.public.dotnet.framework.aspnet
|
| Hi Alice,
|
| I assume that you've correctly configured IIS to authenticate clients with
| Windows authentication, that you also use Windows authentication in the
| ASP.NET application and turn on impersonation
| (<identity impersonate="true" .... />), and also you can use System.
|
| Still one question: is your SQL Server instance installed on another remote
| server, or on the same server as IIS/ASP.NET? As for IIS's integrated
| Windows authenticated user (also impersonated in ASP.NET), their security
| context (NT logon session) only works on the server where IIS and ASP.NET
| reside. So if SQL Server is on another remote machine, the IIS/ASP.NET
| security context cannot be forwarded to that remote machine (no double
| hops). This is an existing limitation of the NTLM authentication....
|
| If we need to let the Windows user context hop to the remote SQL Server, we
| have the following means:
|
| 1. Use basic authentication instead of integrated Windows; this will force
| the client user to input a clear text username/password. So this is always
| used together with an HTTPS/SSL secure channel....
|
| 2. Use a single fixed impersonation account, like
| <identity impersonate="true" userName="xxx" password="xxx"/>
|
|
| In addition, there does exist a solution for the Windows authenticated
| security token being forwarded across multiple server hops, but that
| requires the client/server to use restricted Kerberos delegation, which has
| critical requirements on the client side and server side.....
|
| For general info on ASP.NET delegation:
|
| #ASP.NET Delegation
| http://msdn.microsoft.com/library/en-us/vsent7/html/vxconaspnetdelega...
|
| #How to configure an ASP.NET application for a delegation scenario
| http://support.microsoft.com/default.aspx?scid=kb;en-us;810572
|
| #How To: Use Impersonation and Delegation in ASP.NET 2.0
| http://msdn.microsoft.com/library/en-us/dnpag2/html/paght000023.asp?f...
|
| When the web server is Win2K, more configuration is needed due to the
| Win2K server's particular OS security settings....
|
| #How To Implement Kerberos Delegation for Windows 2000
| http://msdn.microsoft.com/library/en-us/secmod/html/secmod19.asp?fram...
|
| #Understanding Kerberos Credential Delegation in Windows 2000 Using the
| TktView Utility
| http://msdn.microsoft.com/msdnmag/issues/0500/security/default.aspx
|
| Hope this helps. Thanks,
|
| Steven Cheng
| Microsoft Online Support
|
|
|
| --------------------
| | From: "Alice Wong"
| | Subject: Re: Windows authentication from ASP.net application to Sql Server
| | Date: Thu, 29 Dec 2005 14:10:51 -0800
| | Newsgroups: microsoft.public.dotnet.framework.aspnet
| |
| | Yeah.. let's say the SQL Server has Windows authentication. Anyone within
| | the domain can access the db server. I would like to authenticate
| | according to their Windows user information instead of granting a specific
| | account to the db. Can we do that?
| |
| |
| | > IIS's Integrated Windows Authentication means that the website pages
| | > will be accessed/executed under the user account of the user requesting
| | > them (for requests that come from users on the same domain as the
| | > webserver); so, the ASP process should be running in the context of
| | > whoever's accessing the site, not ANONYMOUS USER, as the error message
| | > implies it is. So, you should check the directory security for the
| | > relevant folders/site really *is* set to prevent anonymous access (and
| | > also put a check in the ASP code to see what account it's running
| | > under).
| | >
| | > However, if you do use IWA + ASP impersonation, then the data access
| | > should be done under a different account, as otherwise you'd have to
| | > grant all your domain users rights to connect to the database server
| | > (as the data access would be done in the context of their accounts).
| | > You could impersonate a specific account for when you need access to
| | > the database, and then grant that account rights to log in to the SQL
| | > Server, by giving it the T-SQL command EXEC sp_grantlogin 'username'
| | > where username is the qualified name of the account.
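As an added example, not code from any participant in this thread: an ASP.NET 2.0 diagnostic page that carries out the "check what account the code is running under" advice quoted above and makes the NTLM double-hop limitation visible on one screen. It compares the identity IIS authenticated, the token the worker thread actually carries (and whether that token is delegation-level, i.e. forwardable), and the login SQL Server itself reports. The class name, the connection string and the server name SQLSERVER01 are assumptions.

```csharp
// Added diagnostic page (not from the thread). Assumptions: ASP.NET 2.0,
// IIS Integrated Windows Authentication with anonymous access disabled,
// <identity impersonate="true"/> in web.config, and a hypothetical SQL Server
// host name in ConnectionString.
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.UI;

public partial class WhoAmI : Page
{
    // Hypothetical connection string. Integrated Security makes SQL Server
    // authenticate the thread's Windows token, which is exactly what we test.
    private const string ConnectionString =
        "Data Source=SQLSERVER01;Initial Catalog=master;Integrated Security=SSPI";

    protected void Page_Load(object sender, EventArgs e)
    {
        Response.ContentType = "text/plain";
        Response.Write(Describe(Context, ConnectionString));
    }

    // Builds a plain-text report of the three identities that matter.
    public static string Describe(HttpContext ctx, string connectionString)
    {
        StringBuilder report = new StringBuilder();

        // 1. The client IIS authenticated. If anonymous access is still enabled
        //    for the folder, this is unauthenticated and Name is empty.
        IIdentity client = ctx.User.Identity;
        report.AppendLine("IIS authenticated user : "
            + (client.IsAuthenticated ? client.Name : "(anonymous)"));
        report.AppendLine("Authentication type    : " + client.AuthenticationType);

        // 2. The token the worker thread runs under right now. With
        //    impersonation on, this matches the client; with it off, it is the
        //    process account (ASPNET, NETWORK SERVICE or the app pool identity).
        WindowsIdentity thread = WindowsIdentity.GetCurrent();
        report.AppendLine("Thread token           : " + thread.Name);
        report.AppendLine("Impersonation level    : " + thread.ImpersonationLevel);

        // An NTLM-authenticated client yields an Impersonation-level token that
        // is only valid on this machine (the "no double hop" limitation). Only a
        // Delegation-level token, obtained through Kerberos delegation, can be
        // forwarded to a remote SQL Server. A fixed account configured in
        // <identity userName= password=> authenticates remotely with its own
        // credentials regardless, so the SQL-side check below is authoritative.
        bool forwardable = thread.ImpersonationLevel == TokenImpersonationLevel.Delegation;
        report.AppendLine("Client token forwardable: " + (forwardable ? "yes" : "no"));

        // 3. What SQL Server itself sees.
        report.AppendLine("SQL Server login       : " + SqlSideLogin(connectionString));
        return report.ToString();
    }

    // Asks SQL Server which login it authenticated. A failed double hop shows up
    // here as a login failure for NT AUTHORITY\ANONYMOUS LOGON instead of the
    // expected domain user.
    public static string SqlSideLogin(string connectionString)
    {
        try
        {
            using (SqlConnection conn = new SqlConnection(connectionString))
            using (SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
            {
                conn.Open();
                return (string)cmd.ExecuteScalar();
            }
        }
        catch (SqlException ex)
        {
            return "login failed: " + ex.Message;
        }
    }
}
```

Browse to the page from a domain workstation and read the lines top to bottom: if the first two names differ, impersonation is not in effect; if the client token is not forwardable and SQL Server is on another machine, the last line shows the anonymous-logon failure that the double-hop limitation produces. If you settle on option 2 above (a fixed account in `<identity>`), ASP.NET 2.0 can encrypt that section in place with `aspnet_regiis -pe "system.web/identity" -app "/YourApp"`, so the password is not left in clear text in web.config.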