RE: Anonymous connection to a remote server




Hi Roy,

Welcome to MSDN newsgroup.
Regarding the problem you mentioned, I think it'll be a bit
difficult to meet all your requirements. Here are some of my understandings:

First, ASP will always impersonate the anonymous account (IIS's default
IUSR_machine account) if we enable anonymous access in our IIS virtual dir.
Then, when our ASP page tries accessing any protected resource, the
IUSR_machine account will be the authenticated and executing account of our
ASP page's thread. Then, returning to the questions you mentioned:

==============
What is the correct way to do one of the following.
1) - Allow all users (authenticated or not) to update a database?
2) - Set up the SQL server so that it can treat the 2003 local account (not
a domain account) as authenticated
==============

1) I think the most standard means to allow all users to access the db is to
use SQL Server Authentication (provide the username account in the
connection string). This will require the SQL Server db to allow SQL
authentication. In fact, this is limited by ASP; in ASP.NET we can
impersonate a certain fixed account so as to use that account to access
the database through integrated Windows authentication.

2) If the webserver and the SQL Server database server are the same box, we
can simply grant IIS's IUSR_MACHINE account the permission to access the
SQL Server db. However, as you said, the DB server is a remote server to the
webserver, so the IUSR_machine (local account) on the webserver is not valid on
the DB server. For such a scenario, there are two options:

a. Use a Domain Account as your IIS virtual dir's anonymous account.
(Seems you didn't want to use a Domain Account :( )

b. Create a duplicate local account on the SQL Server's machine which has
the same username and password as the IIS virtual dir's anonymous account
(on the webserver box). However, the IIS default anonymous account
(IUSR_MACHINE)'s password is controlled by the machine rather than ourselves. So
we need to either explicitly set IUSR_MACHINE's password or create a
custom local account and replace IUSR_machine as the virtual dir's
anonymous account.

Anyway, since there isn't any means which will satisfy all the
requirements, we may need to make our decision according to the actual
situation. Please have a look at all the above things and feel free to let
us know if you have any ideas.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
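
The SQL Server side of options 1 and 2b above, as an added example that is not part of the original post: it creates either kind of login and limits it to the writes an anonymous visitor needs. It assumes SQL Server 2005 or later; the names AppDb, dbo.Feedback, web_anon_sql, anon_web_writer and DBSERVER\WebAnon are hypothetical.

```sql
-- Added example. All names are hypothetical: database AppDb, table
-- dbo.Feedback, SQL login web_anon_sql, role anon_web_writer, and the
-- mirrored local Windows account DBSERVER\WebAnon.
-- Assumes SQL Server 2005 or later (CREATE LOGIN / CREATE USER syntax).

-- Option 1: SQL Server Authentication. The server must allow SQL logins
-- (mixed mode). The password below is a placeholder, not a real secret.
CREATE LOGIN web_anon_sql
    WITH PASSWORD = '<replace-with-generated-secret>',
         CHECK_POLICY = ON,
         DEFAULT_DATABASE = AppDb;
GO

-- Option 2b: a local account on the DB server with the same user name and
-- password as the web server's anonymous account. SQL Server sees it as a
-- Windows login belonging to the DB server machine itself.
CREATE LOGIN [DBSERVER\WebAnon] FROM WINDOWS
    WITH DEFAULT_DATABASE = AppDb;
GO

USE AppDb;
GO

-- Map both logins to database users and collect them in one role, so the
-- permissions are defined once whichever option is deployed.
CREATE ROLE anon_web_writer;
CREATE USER web_anon_sql FOR LOGIN web_anon_sql;
CREATE USER WebAnon FOR LOGIN [DBSERVER\WebAnon];
EXEC sp_addrolemember 'anon_web_writer', 'web_anon_sql';
EXEC sp_addrolemember 'anon_web_writer', 'WebAnon';
GO

-- Anonymous visitors reach the database as this identity, so grant only
-- the operations the pages perform on the one table they touch.
GRANT SELECT, INSERT, UPDATE ON dbo.Feedback TO anon_web_writer;
DENY DELETE ON dbo.Feedback TO anon_web_writer;
GO

-- Check the effective permissions from the anonymous identity's side.
EXECUTE AS USER = 'web_anon_sql';
SELECT permission_name
FROM fn_my_permissions('dbo.Feedback', 'OBJECT');
REVERT;
GO
```

In practice only one of the two logins would be created, matching whichever option the web server is configured for.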



