Windows authentication from ASP.NET to SQL Server

Discussion in 'ASP .Net' started by Nils Magnus Englund, Aug 8, 2005.

  1. Hello,

    I am having trouble using Integrated Windows Authentication between our
    intranet server and our database server, both of which are on our local
    domain.

    Windows authentication works for our intranet server - my domain user
    "DOM\nme" is correctly authenticated and authorized to view the ASP.NET page
    on our intranet. The ASP.NET application uses impersonation (<identity
    impersonate="true"> in Web.config).

    Windows authentication also works for the SQL Server; when logged on to the
    domain, I can start Query Analyzer and connect to the SQL Server using
    Windows authentication. Permissions on the SQL Server are also correctly set
    up.

    However, problems arise when I want to connect to the SQL Server from the
    ASP.NET page - I get the fairly common error message below:

    Login failed for user '(null)'. Reason: Not associated with a trusted SQL
    Server connection.

    Although I do get a lot of hits when searching for this specific error, I
    still can't seem to find the cause of the problem.

    The connection string I'm using to connect to the SQL Server is:
    "Server=DB;Integrated Security=SSPI;Database=IntranetDB".

    When setting <identity impersonate="false">, I get the error message "Login
    failed for user 'DOM\INTRANET$'." - DOM\INTRANET$ is the hostname of the
    intranet server.

    In the database servers event log, I can see two events (supplied below)
    after trying to authenticate (unsuccessfully) from the ASP.NET application
    to the SQL Server as "DOM\nme".

    What do I need to do to let users use Windows authentication against the DB
    server as well?


    Regards,
    Nils Magnus Englund


    (event log entries follows...)


    Date: 08.08.2005
    Source: Security
    Time: 15:14:55
    Category: Logon/Logoff
    Type: Success Audit
    Event ID: 540
    User: NT AUTHORITY\ANONYMOUS LOGON
    Computer: DB

    Description:
    Successful Network Logon:
    User Name:
    Domain:
    Logon ID: (0x0,0x5CE408)
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: INTRANET
    Logon GUID: -
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: -
    Source Port: -


    Date: 08.08.2005
    Source: Security
    Time: 15:14:55
    Category: Logon/Logoff
    Type: Success Audit
    Event ID: 538
    User: NT AUTHORITY\ANONYMOUS LOGON
    Computer: DB

    Description:
    User Logoff:
    User Name: ANONYMOUS LOGON
    Domain: NT AUTHORITY
    Logon ID: (0x0,0x5CE408)
    Logon Type: 3
     
    Nils Magnus Englund, Aug 8, 2005
    #1
    1. Advertising

  2. The easiest way is to turn off anonymous access for the Intranet site. This
    will force authentication, usually through a login box (although the network
    admins can alleviate this through policy).

    --
    Gregory A. Beamer
    MVP; MCP: +I, SE, SD, DBA

    ***************************
    Think Outside the Box!
    ***************************


    "Nils Magnus Englund" wrote:

    > Hello,
    >
    > I am having trouble using Integrated Windows Authentication between our
    > intranet server and our database server, both of which are on our local
    > domain.
    >
    > Windows authentication works for our intranet server - my domain user
    > "DOM\nme" is correctly authenticated and authorized to view the ASP.NET page
    > on our intranet. The ASP.NET application uses impersonation (<identity
    > impersonate="true"> in Web.config).
    >
    > Windows authentication also works for the SQL Server; when logged on to the
    > domain, I can start Query Analyzer and connect to the SQL Server using
    > Windows authentication. Permissions on the SQL Server are also correctly set
    > up.
    >
    > However, problems arise when I want to connect to the SQL Server from the
    > ASP.NET page - I get the fairly common error message below:
    >
    > Login failed for user '(null)'. Reason: Not associated with a trusted SQL
    > Server connection.
    >
    > Although I do get a lot of hits when searching for this specific error, I
    > still can't seem to find the cause of the problem.
    >
    > The connection string I'm using to connect to the SQL Server is:
    > "Server=DB;Integrated Security=SSPI;Database=IntranetDB".
    >
    > When setting <identity impersonate="false">, I get the error message "Login
    > failed for user 'DOM\INTRANET$'." - DOM\INTRANET$ is the hostname of the
    > intranet server.
    >
    > In the database servers event log, I can see two events (supplied below)
    > after trying to authenticate (unsuccessfully) from the ASP.NET application
    > to the SQL Server as "DOM\nme".
    >
    > What do I need to do to let users use Windows authentication against the DB
    > server as well?
    >
    >
    > Regards,
    > Nils Magnus Englund
    >
    >
    > (event log entries follows...)
    >
    >
    > Date: 08.08.2005
    > Source: Security
    > Time: 15:14:55
    > Category: Logon/Logoff
    > Type: Success Audit
    > Event ID: 540
    > User: NT AUTHORITY\ANONYMOUS LOGON
    > Computer: DB
    >
    > Description:
    > Successful Network Logon:
    > User Name:
    > Domain:
    > Logon ID: (0x0,0x5CE408)
    > Logon Type: 3
    > Logon Process: NtLmSsp
    > Authentication Package: NTLM
    > Workstation Name: INTRANET
    > Logon GUID: -
    > Caller User Name: -
    > Caller Domain: -
    > Caller Logon ID: -
    > Caller Process ID: -
    > Transited Services: -
    > Source Network Address: -
    > Source Port: -
    >
    >
    > Date: 08.08.2005
    > Source: Security
    > Time: 15:14:55
    > Category: Logon/Logoff
    > Type: Success Audit
    > Event ID: 538
    > User: NT AUTHORITY\ANONYMOUS LOGON
    > Computer: DB
    >
    > Description:
    > User Logoff:
    > User Name: ANONYMOUS LOGON
    > Domain: NT AUTHORITY
    > Logon ID: (0x0,0x5CE408)
    > Logon Type: 3
    >
    >
    >
    >
    >
    >
    >
    >
     
    =?Utf-8?B?Q293Ym95IChHcmVnb3J5IEEuIEJlYW1lcikgLSBN, Aug 8, 2005
    #2
    1. Advertising

  3. Nils Magnus Englund

    Stefan Guest

    Do you have anonymous authentication disabled in IIS?
    If so, do you have <authentication mode="Windows" /> set in your
    web.config?
     
    Stefan, Aug 8, 2005
    #3
  4. "Stefan" <> wrote in message
    news:...
    > Do you have anonymous authentication disabled in IIS?
    > If so, do you have <authentication mode="Windows" /> set in your
    > web.config?


    In reply to both Stefan and Gregory;

    Anonymous authentication is disabled, and I have authentication mode
    "Windows" set in Web.config.

    Again, let me specify that the Windows authentication for the ASP.NET page
    works, and the User.Identity part successfully retrieves the domain user.
    It's the Windows authentication to the SQL Server from the ASP.NET page that
    causes trouble.


    Regards,
    Nils Magnus Englund
     
    Nils Magnus Englund, Aug 8, 2005
    #4
  5. Nils hae you give your database and table the ASPNET account permission?
    Try doing that.
    Patrick


    "Nils Magnus Englund" <> wrote in message
    news:...
    > "Stefan" <> wrote in message
    > news:...
    > > Do you have anonymous authentication disabled in IIS?
    > > If so, do you have <authentication mode="Windows" /> set in your
    > > web.config?

    >
    > In reply to both Stefan and Gregory;
    >
    > Anonymous authentication is disabled, and I have authentication mode
    > "Windows" set in Web.config.
    >
    > Again, let me specify that the Windows authentication for the ASP.NET page
    > works, and the User.Identity part successfully retrieves the domain user.
    > It's the Windows authentication to the SQL Server from the ASP.NET page

    that
    > causes trouble.
    >
    >
    > Regards,
    > Nils Magnus Englund
    >
    >
     
    Patrick.O.Ige, Aug 9, 2005
    #5
  6. Hi Patrick,

    Since the database server isn't the same server as the ASP.NET server, and
    since ASPNET is a local user, I cannot use that user to set permissions on
    the database server. However, because of the identity impersonation, is the
    application supposed to be connecting as ASPNET at all?


    Regards,
    Nils Magnus Englund

    "Patrick.O.Ige" <> wrote in message
    news:%...
    > Nils hae you give your database and table the ASPNET account permission?
    > Try doing that.
    > Patrick
    >
    >
    > "Nils Magnus Englund" <> wrote in message
    > news:...
    >> "Stefan" <> wrote in message
    >> news:...
    >> > Do you have anonymous authentication disabled in IIS?
    >> > If so, do you have <authentication mode="Windows" /> set in your
    >> > web.config?

    >>
    >> In reply to both Stefan and Gregory;
    >>
    >> Anonymous authentication is disabled, and I have authentication mode
    >> "Windows" set in Web.config.
    >>
    >> Again, let me specify that the Windows authentication for the ASP.NET
    >> page
    >> works, and the User.Identity part successfully retrieves the domain user.
    >> It's the Windows authentication to the SQL Server from the ASP.NET page

    > that
    >> causes trouble.
    >>
    >>
    >> Regards,
    >> Nils Magnus Englund
    >>
    >>

    >
    >
     
    Nils Magnus Englund, Aug 9, 2005
    #6
  7. Nils Magnus Englund

    Paul Clement Guest

    On Tue, 9 Aug 2005 08:21:08 +0200, "Nils Magnus Englund" <> wrote:

    ¤ Hi Patrick,
    ¤
    ¤ Since the database server isn't the same server as the ASP.NET server, and
    ¤ since ASPNET is a local user, I cannot use that user to set permissions on
    ¤ the database server. However, because of the identity impersonation, is the
    ¤ application supposed to be connecting as ASPNET at all?
    ¤

    If your ASP.NET app is configured for Integrated Windows security, credentials cannot be delegated
    by IIS to the remote database server w/o implementing Kerberos.

    The reason for this is that NTLM authenticates credentials under IIS Integrated Windows security so
    IIS never receives the credentials and cannot forward them for delegation.


    Paul
    ~~~~
    Microsoft MVP (Visual Basic)
     
    Paul Clement, Aug 9, 2005
    #7
  8. > If your ASP.NET app is configured for Integrated Windows security,
    > credentials cannot be delegated
    > by IIS to the remote database server w/o implementing Kerberos.
    >
    > The reason for this is that NTLM authenticates credentials under IIS
    > Integrated Windows security so
    > IIS never receives the credentials and cannot forward them for delegation.



    But why can't I use Kerberos authentication? Is it anyway to force the
    application to use Kerberos? The WindowsIdentity.AuthenticationType property
    returns "Negotiate" - this should be "Kerberos", should it not?


    Regards,
    Nils Magnus Englund
     
    Nils Magnus Englund, Aug 16, 2005
    #8
  9. Nils Magnus Englund

    Paul Clement Guest

    On Tue, 16 Aug 2005 11:35:17 +0200, "Nils Magnus Englund" <> wrote:

    ¤ > If your ASP.NET app is configured for Integrated Windows security,
    ¤ > credentials cannot be delegated
    ¤ > by IIS to the remote database server w/o implementing Kerberos.
    ¤ >
    ¤ > The reason for this is that NTLM authenticates credentials under IIS
    ¤ > Integrated Windows security so
    ¤ > IIS never receives the credentials and cannot forward them for delegation.
    ¤
    ¤
    ¤ But why can't I use Kerberos authentication? Is it anyway to force the
    ¤ application to use Kerberos? The WindowsIdentity.AuthenticationType property
    ¤ returns "Negotiate" - this should be "Kerberos", should it not?
    ¤

    You can use Kerberos, but your environment must be configured for it. The following should help:

    http://msdn.microsoft.com/library/d...y/en-us/vsent7/html/vxconaspnetdelegation.asp
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT05.asp


    Paul
    ~~~~
    Microsoft MVP (Visual Basic)
     
    Paul Clement, Aug 16, 2005
    #9
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Lior Amar
    Replies:
    2
    Views:
    691
    Lior Amar
    Aug 27, 2003
  2. =?Utf-8?B?UmV6YQ==?=
    Replies:
    3
    Views:
    17,989
    Carlos Barini
    Jun 7, 2004
  3. andy
    Replies:
    2
    Views:
    625
  4. Alice Wong
    Replies:
    8
    Views:
    8,876
    Artur
    Dec 18, 2008
  5. Doug
    Replies:
    9
    Views:
    6,874
    Terence Tirella
    Apr 7, 2006
Loading...

Share This Page