Re: Login failed for user (null)

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

On Wed, 10 Aug 2005 08:26:02 -0500, Bob Segrest <Bob.Segrest@xxxxxxxxx> wrote:

¤ Hello Paul,
¤
¤ Thank you for your response!
¤
¤ I am using VB to create an ASP.Net web application rather than a
¤ traditional windows application. I appologize for failing to make
¤ this clear.
¤
¤ Your question leads me to suspect I have missed something...
¤
¤ How do I solve my problem?
¤

If you're not using impersonation then go with Bill's suggestion. When impersonation is disabled
(the default) the identity under which the thread executes is ASPNET (or NetworkService under
Windows 2003). Just keep in mind that ASPNET is a local account so you will need an identical
account on the SQL Server box with the exact credentials for delegation to succeed.

If you want to impersonate the authenticated user through your ASP.NET app then you will need to
enable impersonation. This is the first step.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vsent7/html/vxconimpersonation.asp

The second step involves setting the appropriate security for your web app. If you have Anonymous
authentication enabled the impersonated identity is either the IUSR or IWAM account. Probably not
what you want. If you enable Basic authentication then you can impersonate and delegate the (clear
text) credentials of the authenticated user (via IIS) to a remote resource (such as SQL Server).

If you configure your web app for Integrated Windows Security you *cannot* delegate credentials (via
IIS) to a remote resource without enabling Kerberos. This is because NTLM performs the
authentication (by default) and IIS never actually receives the encrypted credentials.

The above scenario is what typically stop folks cold, because Integrated Windows security will
appear to work on their development machine, but only because they are logged on locally, but will
fail once they move the ASP.NET app to their production web server.


Paul
~~~~
Microsoft MVP (Visual Basic)
.

Relevant Pages

  • Re: About ASP.Net Impersonation
    ... ¤ First of all - why do you set impersonate to true - in the original question ¤ i cannot see that this is a requirement?? ... I think you mentioned this before when I stated that impersonation ... the account that will be delegated is ASPNET (or NetworkService under ... Windows 2003) which appears to the network as the Windows anonymous ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: querying AD users
    ... ¤> most cases you may need to implement impersonation in the application, ... id like to avoid impersonation if possible. ... As long as your ASP.NET app is running under an account that has sufficient permissions to query AD ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: querying AD users
    ... ¤> most cases you may need to implement impersonation in the application, ... id like to avoid impersonation if possible. ... As long as your ASP.NET app is running under an account that has sufficient permissions to query AD ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: About ASP.Net Impersonation
    ... ¤ Hello Joe, ... I think you mentioned this before when I stated that impersonation needed to be enabled, ... default the account that will be delegated is ASPNET (or NetworkService under Windows 2003) which ... appears to the network as the Windows anonymous account.. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: dsoFile Summary Updates in ASP.Net
    ... "Paul Clement" wrote: ... > ¤ in the summary of documents located on our Intranet. ... > If you are not implementing impersonation have you provided sufficient permissions to the ASPNET ... Authentication because it's going to a DFS virtual directory with NTFS ...
    (microsoft.public.dotnet.framework.aspnet)