Re: Windows authentication from ASP.net application to Sql Server
- From: stcheng@xxxxxxxxxxxxxxxxxxxx (Steven Cheng[MSFT])
- Date: Fri, 30 Dec 2005 03:22:43 GMT
Hi Alice,
I assume that you've correctly configured the IIS to authenticate client
with windows authentication and also use windows authenitcation in asp.net
application and turn on impersonate (<identity impersonate="true".... /> ),
also you can use System.
Still one question, is your sqlserver instance installed on another remote
server or on the same server with the IIS/ASP.Net? As for the IIS's
integarted windows authenticated user(also impersonated in asp.net) , their
security context (NT logon session) only works on the server where IIS and
ASPNET reside. So if SqlServer is on another remote machine, the
IIS/ASP.NET's security context can not be forwarded to that remote machine
(no double hops). This is an existing limitation of the NTLM
authentication ....
If we need to let the windows user context be able to hop to the remote
sqlserver, we have the following means:
1. Use basic authentication instead of integrated windows, this will force
the client user to input clear text username/password. So this is always
used together with HTTPS/SSL secure channel....
2. Use a single fixed impersonate account , like
<identify impersonate="true" userName="xxx" password="xxx"/>
In addition, there does exists solution for windows authenticated security
token being forwarded accorss mutlpile server hops, but that require
client/server to use restricted kerberos delegation which has critical
requirement on clientside and serverside.....
For general info on ASP.NET delegation:
#ASP.NET Delegation
http://msdn.microsoft.com/library/en-us/vsent7/html/vxconaspnetdelega...
#How to configure an ASP.NET application for a delegation scenario
http://support.microsoft.com/default.aspx?scid=kb;en-us;810572
#How To: Use Impersonation and Delegation in ASP.NET 2.0
http://msdn.microsoft.com/library/en-us/dnpag2/html/paght000023.asp?f...
ue
When the webserver is WIN2K, there needs more configuration due to the
win2k server's particular OS security setting....
#How To Implement Kerberos Delegation for Windows 2000
http://msdn.microsoft.com/library/en-us/secmod/html/secmod19.asp?fram...
#Understanding Kerberos Credential Delegation in Windows 2000 Using the
TktView Utility
http://msdn.microsoft.com/msdnmag/issues/0500/security/default.aspx
Hope helps. Thanks,
Steven Cheng
Microsoft Online Support
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
--------------------
| From: "Alice Wong" <wong3233@xxxxxxxxxxxxxxx>
| References: <uKEGgnLDGHA.344@xxxxxxxxxxxxxxxxxxxx>
<2BE1C32B-9E79-475C-B327-EA87F2B1611E@xxxxxxxxxxxxx>
<#IuFtwLDGHA.1180@xxxxxxxxxxxxxxxxxxxx>
<1135891505.218248.281660@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: Re: Windows authentication from ASP.net application to Sql Server
| Date: Thu, 29 Dec 2005 14:10:51 -0800
| Lines: 29
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
| X-RFC2646: Format=Flowed; Original
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
| Message-ID: <uhS97SMDGHA.4080@xxxxxxxxxxxxxxxxxxxx>
| Newsgroups: microsoft.public.dotnet.framework.aspnet
| NNTP-Posting-Host: 199.3.115.254
| Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.phx.gbl
| Xref: TK2MSFTNGXA02.phx.gbl
microsoft.public.dotnet.framework.aspnet:367640
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
|
| yeah.. let's say the SQl server has Windows authentication. Anyone
within
| the domain can access to the db server. I would like to authenticate
| according to their windows user information instead of granting a specify
| account to the db. Can we do that?
|
|
| "Paul Henderson" <paulhenderson@xxxxxxxxxxxxxxxxxxxxx> wrote in message
| news:1135891505.218248.281660@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
| > IIS's Integrated Windows Authentication means that the website pages
| > will be accessed/executed under the user account of the user requesting
| > them (for requests that come from users on the same domain as the
| > webserver); so, the ASP process should be runing in the context of
| > whoever's accessing the site, not ANONYMOUS USER, as the error message
| > implies it is. So, you should check the directory security for the
| > relevant folders/site really *is* set to prevent anonymous access (and
| > also put a check in the ASP code to see what account it's running
| > under).
| >
| > However, if you do use IWA + ASP impersonation, then the data access
| > should be done under a different account, as otherwise you'd have to
| > grant all your domain users rights to connect to the database server
| > (as the data access would be done in the context of their accounts).
| > You could impersonate a specific account for when you need access to
| > the database, and then grant that account rights to log in to the SQL
| > Server, by giving it the T-SQL command EXEC sp_grantlogin 'username'
| > where username is the qualified name of the account.
| >
|
|
|
.
- References:
- Windows authentication from ASP.net application to Sql Server
- From: Alice Wong
- Re: Windows authentication from ASP.net application to Sql Server
- From: Alice Wong
- Re: Windows authentication from ASP.net application to Sql Server
- From: Paul Henderson
- Re: Windows authentication from ASP.net application to Sql Server
- From: Alice Wong
- Windows authentication from ASP.net application to Sql Server
- Prev by Date: Re: question about declaring labels and errors from VWDeveloper
- Next by Date: Re: 2005 DataFormatString in Gridview?
- Previous by thread: Re: Windows authentication from ASP.net application to Sql Server
- Next by thread: Capturing Enter Key
- Index(es):
Relevant Pages
|
