Re: Active Directory and SQL Server Connection



Thanks Sahil,
I need a little more help with this. I am writing this in VB.NET/ASP.NET, my
connection string is in my web.config file and looks like this:

<add key="DsnSql" value="server=server\dev;integrated security=SSPI;persist security info=False;Trusted_Connection=yes;database=datatables" />

I tried figuring out the system.net.networkidentity, but had no luck. Do you
have any further pointers?

"Sahil Malik [MVP]" wrote:

> You need to switch identities by using the WindowsIdentity class in the .NET
> framework.
>
> The bigger problem though is, SqlConnection doesn't expose an instance of
> WindowsIdentity. Actually it's not so much of an issue, because you really
> need to Impersonate and you can get the new identity easily using a class
> such as (I think) System.Net.NetworkIdentity (I think).
>
> So say for instance, in your postback in your page_load, you could have code
> that looks like the below -
>
> WindowsIdentity userIdentity = // Get the new identity here ;
> WindowsImpersonationContext impContext = userIdentity.Impersonate();
> // Then do your regular SqlConnection stuff using this switched/impersonated identity.
>
> This requires that you are in a Kerberos friendly network, which it appears
> that you are.
>
> Behind the scenes, basically when you impersonate, your web application would
> get a Kerberos service ticket on behalf of the impersonated user, which
> the SqlServer will recognize. This way, delegation will work the way you
> intend to make it work. This "ticket" based Kerberos architecture is
> necessary because passwords are usually never sent in clear text, so if you
> know my password, and I know my password, I hash it (one way encryption),
> and we compare hashes. The problem is, the third machine that neither has my
> password, nor my password's hash, will not be able to authenticate me - this
> third machine in this case is the Sql Server, and the first two machines are
> the machines the browser is running on, and the machine IIS is running on.
>
> - Sahil Malik [MVP]
> ADO.NET 2.0 book -
> http://codebetter.com/blogs/sahil.malik/archive/2005/05/13/63199.aspx
>
> "Lyners" <Lyners@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:0A9B7DA5-965F-4E43-865B-1DF4B92724D8@xxxxxxxxxxxxxxxx
> > We have 2 servers running Windows 2003. One is the IIS server, the other is a
> > SQL server. We made a web page that gets the using user's name through their
> > logon from Active Directory. We then query the SQL server looking for
> > information about the user. Our problem: when we have anonymous access turned
> > off and integration turned on, we get a login failed, not trusted connection.
> > If we add an anonymous user from the domain that has access to the SQL
> > server, we get data, but of the anonymous user, not the using client. It
> > appears once we post to the server, the anonymous access takes over and
> > everything is geared to that user ID.
> >
> > How do we do both?
> >
> > Thanks
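The impersonation pattern discussed in this thread, written out in VB.NET as an added example that is not part of the original posts. It assumes ASP.NET 2.0 with anonymous access off and Integrated Windows authentication on in IIS, and the `DsnSql` key from the web.config above; the class name `WhoAmIPage` and the function `GetSqlLoginForCaller` are hypothetical.

```vb
' Added example (not from the thread). Assumes User.Identity is a
' WindowsIdentity because IIS authenticated the browser user, and that
' appSettings("DsnSql") holds the integrated-security connection string.
Imports System
Imports System.Configuration
Imports System.Data.SqlClient
Imports System.Security.Principal
Imports System.Web.UI

Public Class WhoAmIPage
    Inherits Page

    ' Returns the login name SQL Server sees for the current browser user.
    Private Function GetSqlLoginForCaller() As String
        Dim callerIdentity As WindowsIdentity = TryCast(User.Identity, WindowsIdentity)
        If callerIdentity Is Nothing OrElse Not callerIdentity.IsAuthenticated Then
            Throw New InvalidOperationException("Request is not Windows-authenticated.")
        End If

        Dim impContext As WindowsImpersonationContext = callerIdentity.Impersonate()
        Try
            ' Opened while impersonating, so integrated security presents
            ' the caller's token instead of the worker process account.
            Using conn As New SqlConnection(ConfigurationManager.AppSettings("DsnSql"))
                conn.Open()
                ' SUSER_SNAME() reports the login the server authenticated.
                Using cmd As New SqlCommand("SELECT SUSER_SNAME()", conn)
                    Return CStr(cmd.ExecuteScalar())
                End Using
            End Using
        Finally
            ' Always revert, so the thread does not keep running as the user.
            impContext.Undo()
        End Try
    End Function

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        Response.Write(Server.HtmlEncode(GetSqlLoginForCaller()))
    End Sub
End Class
```

If the page shows the browser user's domain account, the identity reached SQL Server; if the open still fails with a login error, the hop from the IIS machine to the SQL Server machine is not being delegated, which is the Kerberos requirement described in the quoted reply.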


