Re: IIS & SQL Issues

From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 04/18/04


Date: Sun, 18 Apr 2004 15:44:20 +1000

a) if you do this, you will lose the benefits of connection pooling, as a
separate connection will be used for each security context (each user
account will have its own pool). So, this solution will not scale to a
large number of users. It's OK if you have a small number of users.

b) the problem is double-hop authentication. When using IWA, the webserver
does not have the user's password. It just gets a token from the DC, but the
token does not have permission to logon to network resources.

Options:
a) if you are using a Windows 2000 Domain, you can enable delegation. This
allows the IIS server to impersonate the Windows account, and logon to the
backend SQL Server. You need to use Kerberos authentication for this (not
NTLM v2).

b) if you are using a Windows 2003 Domain, when you enable constrained
delegation, you can use Protocol Transition. This allows the user to
authenticate using any of a number of mechanisms to the IIS server (eg
Digest, or NTLM), and the webserver can still get a Kerberos token to logon
to the SQL Server.

Here are a few articles to get you started:

IMPORTANT:
Read chapter 12 from the Building Secure ASP.NET Applications book - it has
very good information about building scalable, secure ASP.NET applications
(eg using a trusted subsystem model):
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp?frame=true

http://support.microsoft.com/?id=319723
INF: SQL Server 2000 Kerberos support including SQL Server virtual servers
on server clusters

http://support.microsoft.com/default.aspx?scid=kb;en-us;810572
HOW TO: Configure an ASP.NET Application for a Delegation Scenario

http://support.microsoft.com/?id=294382
Authentication May Fail with "401.3" Error If Web Site's "Host Header"
Differs from Server's NetBIOS Name

http://support.microsoft.com/default.aspx?kbid=325894
HOW TO: Configure Computer Accounts and User Accounts So That They Are
Trusted for Delegation in Windows Server 2003 Enterprise Edition (also
includes Windows 2000 instructions)

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/se_con_del_computer.asp
Configuring Users and Computers for delegation (there's a couple of pages -
use the links in the nav bar to get to them)

Windows 2003 Protocol Transition
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx

Cheers
Ken

"TipTop" <aburley@speakeasy.net> wrote in message
news:et1380pg1ivehmmehhn9s1ibr3kvnlvbmn@4ax.com...
: I am trying to use integrated Windows authentication and
: impersonation to run a page that accesses SQL Server via integrated
: security. It's not working -- sort of. I've set IIS security to
: integrated Windows authentication (and unchecked the other options).
: I've set the web.config to use Windows authentication and set
: impersonation to true. The connection string includes Integrated
: Security = SSPI. And it works... if you access the page from the same
: machine. If you call the page over the network (even when logged in
: under the same Windows account as when on the server), it fails with
: the "Login failed for user '(null)'" error. I display the results of
: Environment.UserName on the page (commenting out the sql connection
: code so that it will run when calling it over the network), and in all
: cases it shows the correct username. (I call the page over the network
: and sure enough it displays my account name.)
:
:
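The two delegation options Ken describes map onto settings of the account IIS runs under (the computer account when the application pool runs as a built-in identity). The following audit script is an added example, not code from the original post; it assumes the ActiveDirectory PowerShell module, a hypothetical IIS server name `WEB01`, and uses the documented `userAccountControl` bits to report which option is in effect.

```powershell
# Added example (not from the original post): report how the IIS server's
# account is configured for delegation, mapped to the two options in the thread.
# Assumes the ActiveDirectory module; 'WEB01' is a placeholder computer name.
$TRUSTED_FOR_DELEGATION         = 0x80000    # option (a): unconstrained delegation, Kerberos only
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # option (b): "use any authentication protocol" (protocol transition)

function Get-DelegationPosture {
    param([Parameter(Mandatory)][string]$ComputerName)

    $acct = Get-ADComputer -Identity $ComputerName -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
    $uac  = [int]$acct.userAccountControl
    # Filter out $null so an unset attribute yields an empty array, not @($null)
    $targets = @($acct.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

    $unconstrained = ($uac -band $TRUSTED_FOR_DELEGATION) -ne 0
    $protoTrans    = ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
    $constrained   = $targets.Count -gt 0

    $mode = if ($unconstrained) { 'Unconstrained (Windows 2000 style: IIS may reach any service as the user)' }
            elseif ($constrained -and $protoTrans) { 'Constrained with protocol transition (Windows 2003, option b)' }
            elseif ($constrained) { 'Constrained, Kerberos only (browser must authenticate to IIS with Kerberos)' }
            else { 'None (expect the double-hop "Login failed for user (null)" symptom)' }

    # For this scenario only the SQL Server SPNs should be listed; anything else widens exposure.
    $sqlTargets   = $targets | Where-Object { $_ -like 'MSSQLSvc/*' }
    $otherTargets = $targets | Where-Object { $_ -notlike 'MSSQLSvc/*' }

    [pscustomobject]@{
        Computer          = $acct.Name
        DelegationMode    = $mode
        SqlServerTargets  = $sqlTargets
        UnexpectedTargets = $otherTargets
    }
}

Get-DelegationPosture -ComputerName 'WEB01' | Format-List
```

If the application pool runs as a dedicated domain account instead of a built-in identity, the same flags and attribute apply to that account (read it with Get-ADUser rather than Get-ADComputer).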