Re: Windows authentication from ASP.net application to Sql Server
- From: stcheng@xxxxxxxxxxxxxxxxxxxx (Steven Cheng[MSFT])
- Date: Wed, 04 Jan 2006 13:48:59 GMT
Hi Alice,
How are you doing on this issue, does my last reply helps you a little? If
there're anything else we can help, please feel free to post here.
Regards,
Steven Cheng
Microsoft Online Support
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
--------------------
| X-Tomcat-ID: 59381458
| References: <uKEGgnLDGHA.344@xxxxxxxxxxxxxxxxxxxx>
<2BE1C32B-9E79-475C-B327-EA87F2B1611E@xxxxxxxxxxxxx>
<#IuFtwLDGHA.1180@xxxxxxxxxxxxxxxxxxxx>
<1135891505.218248.281660@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
<uhS97SMDGHA.4080@xxxxxxxxxxxxxxxxxxxx>
| MIME-Version: 1.0
| Content-Type: text/plain
| Content-Transfer-Encoding: 7bit
| From: stcheng@xxxxxxxxxxxxxxxxxxxx (Steven Cheng[MSFT])
| Organization: Microsoft
| Date: Fri, 30 Dec 2005 03:22:43 GMT
| Subject: Re: Windows authentication from ASP.net application to Sql Server
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
| Message-ID: <y9KfUBPDGHA.3764@xxxxxxxxxxxxxxxxxxxxx>
| Newsgroups: microsoft.public.dotnet.framework.aspnet
| Lines: 130
| Path: TK2MSFTNGXA02.phx.gbl
| Xref: TK2MSFTNGXA02.phx.gbl
microsoft.public.dotnet.framework.aspnet:367670
| NNTP-Posting-Host: tomcatimport2.phx.gbl 10.201.218.182
|
| Hi Alice,
|
| I assume that you've correctly configured the IIS to authenticate client
| with windows authentication and also use windows authenitcation in
asp.net
| application and turn on impersonate (<identity impersonate="true".... />
),
| also you can use System.
|
| Still one question, is your sqlserver instance installed on another
remote
| server or on the same server with the IIS/ASP.Net? As for the IIS's
| integarted windows authenticated user(also impersonated in asp.net) ,
their
| security context (NT logon session) only works on the server where IIS
and
| ASPNET reside. So if SqlServer is on another remote machine, the
| IIS/ASP.NET's security context can not be forwarded to that remote
machine
| (no double hops). This is an existing limitation of the NTLM
| authentication ....
|
| If we need to let the windows user context be able to hop to the remote
| sqlserver, we have the following means:
|
| 1. Use basic authentication instead of integrated windows, this will
force
| the client user to input clear text username/password. So this is always
| used together with HTTPS/SSL secure channel....
|
| 2. Use a single fixed impersonate account , like
| <identify impersonate="true" userName="xxx" password="xxx"/>
|
|
| In addition, there does exists solution for windows authenticated
security
| token being forwarded accorss mutlpile server hops, but that require
| client/server to use restricted kerberos delegation which has critical
| requirement on clientside and serverside.....
|
| For general info on ASP.NET delegation:
|
|
| #ASP.NET Delegation
| http://msdn.microsoft.com/library/en-us/vsent7/html/vxconaspnetdelega...
|
|
| #How to configure an ASP.NET application for a delegation scenario
| http://support.microsoft.com/default.aspx?scid=kb;en-us;810572
|
|
| #How To: Use Impersonation and Delegation in ASP.NET 2.0
| http://msdn.microsoft.com/library/en-us/dnpag2/html/paght000023.asp?f...
| ue
|
|
| When the webserver is WIN2K, there needs more configuration due to the
| win2k server's particular OS security setting....
|
|
| #How To Implement Kerberos Delegation for Windows 2000
| http://msdn.microsoft.com/library/en-us/secmod/html/secmod19.asp?fram...
|
|
| #Understanding Kerberos Credential Delegation in Windows 2000 Using the
| TktView Utility
| http://msdn.microsoft.com/msdnmag/issues/0500/security/default.aspx
|
|
| Hope helps. Thanks,
|
| Steven Cheng
| Microsoft Online Support
|
| Get Secure! www.microsoft.com/security
| (This posting is provided "AS IS", with no warranties, and confers no
| rights.)
|
|
| --------------------
| | From: "Alice Wong" <wong3233@xxxxxxxxxxxxxxx>
| | References: <uKEGgnLDGHA.344@xxxxxxxxxxxxxxxxxxxx>
| <2BE1C32B-9E79-475C-B327-EA87F2B1611E@xxxxxxxxxxxxx>
| <#IuFtwLDGHA.1180@xxxxxxxxxxxxxxxxxxxx>
| <1135891505.218248.281660@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
| | Subject: Re: Windows authentication from ASP.net application to Sql
Server
| | Date: Thu, 29 Dec 2005 14:10:51 -0800
| | Lines: 29
| | X-Priority: 3
| | X-MSMail-Priority: Normal
| | X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
| | X-RFC2646: Format=Flowed; Original
| | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
| | Message-ID: <uhS97SMDGHA.4080@xxxxxxxxxxxxxxxxxxxx>
| | Newsgroups: microsoft.public.dotnet.framework.aspnet
| | NNTP-Posting-Host: 199.3.115.254
| | Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.phx.gbl
| | Xref: TK2MSFTNGXA02.phx.gbl
| microsoft.public.dotnet.framework.aspnet:367640
| | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
| |
| | yeah.. let's say the SQl server has Windows authentication. Anyone
| within
| | the domain can access to the db server. I would like to authenticate
| | according to their windows user information instead of granting a
specify
| | account to the db. Can we do that?
| |
| |
| | "Paul Henderson" <paulhenderson@xxxxxxxxxxxxxxxxxxxxx> wrote in message
| | news:1135891505.218248.281660@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
| | > IIS's Integrated Windows Authentication means that the website pages
| | > will be accessed/executed under the user account of the user
requesting
| | > them (for requests that come from users on the same domain as the
| | > webserver); so, the ASP process should be runing in the context of
| | > whoever's accessing the site, not ANONYMOUS USER, as the error message
| | > implies it is. So, you should check the directory security for the
| | > relevant folders/site really *is* set to prevent anonymous access (and
| | > also put a check in the ASP code to see what account it's running
| | > under).
| | >
| | > However, if you do use IWA + ASP impersonation, then the data access
| | > should be done under a different account, as otherwise you'd have to
| | > grant all your domain users rights to connect to the database server
| | > (as the data access would be done in the context of their accounts).
| | > You could impersonate a specific account for when you need access to
| | > the database, and then grant that account rights to log in to the SQL
| | > Server, by giving it the T-SQL command EXEC sp_grantlogin 'username'
| | > where username is the qualified name of the account.
| | >
| |
| |
| |
|
|
.
- Prev by Date: Re: conceptual problem
- Next by Date: Re: XML ComboBox
- Previous by thread: when is server recompilation done?
- Next by thread: Re: LDAP with ASP.NET 2.0
- Index(es):
Relevant Pages
|
