Re: How can I avoid using SQL Authentication with the Office Web Parts?
From: DarrylR (darrylr_at_nospam.com)
Date: 01/30/05
Date: Sun, 30 Jan 2005 15:43:25 -0500
David,
Thanks for the reply and references to suggested reading. I hadn't
considered the fact that I was mixing authentication methods for the
extranet users. I was trying to avoid a full Kerberos implementation by
using Basic authentication. However, I'm beginning to wonder if the Office
Web Parts ignore the credentials supplied by the user when integrated
security is specified in the connection string, and use the current Windows
user account instead.
I say that because according to the NTAuthenticationProviders metabase key
(returned by adsutil.vbs), Kerberos is not enabled for the virtual directory
used by internal users (which uses Integrated Windows authentication); the
key value is "NTLM", not "Negotiate,NTLM". And even if Kerberos is enabled
by default when Integrated Windows authentication is used in IIS 6.0, I
haven't specifically enabled any user accounts or computers for delegation
or created any Service Principal Names. Therefore, I'm assuming that a true
double-hop should still fail, even from our intranet.
So when I get in tomorrow, I plan to test my theory by logging into my
machine using one domain user account and then logging into the portal using
a different account. Just to be clear, I'll be logging in from our intranet,
so I'll be hitting the virtual directory that uses Integrated Windows
authentication. I'll use SQL Profiler to determine which credentials are
used to access the database. My guess is that it will be the credentials
that I use to log onto my machine. This would suggest that the Office Web
Parts ignore impersonation.
I'll let you know what I find out.
Regards,
Darryl R.
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:uSZTA6fBFHA.936@TK2MSFTNGP12.phx.gbl...
> I've not directly dealt with your stated situation, but I'd like to offer
> some viewpoints that can hopefully point you in the right direction.
>
> I think your problem is caused by the fact that your extranet users
> authenticate using Basic, yet you tell the web page (and web part) to
> authenticate via another authentication protocol (Integrated) to the backend
> SQL server. I'm not certain how IIS is supposed to translate between
> different authentication protocols unless you use something like protocol
> transition (see the URL below)
>
> Although the following URL talks about IIS6 and UNC shares, the underlying
> issues that it addresses are the same that you face with SQL. Namely, user
> authenticates to IIS, which must authenticate to some remote server to
> access a resource (be it a UNC share or SQL).
>
>
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx
>
> Your situation sounds like protocol transitioning is the solution.
>
> FYI: using Integrated authentication with IIS6 in a domain will use Kerberos
> by default. So, you already have half the puzzle all set up (as evidenced by
> Intranet access working). Protocol transition allows IIS to take the basic
> auth'd credential and get a Kerberos ticket out of it, so that Kerberos can
> be used in Integrated authentication to access SQL.
>
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no rights.
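
One way to see which identity and authentication scheme actually reach SQL Server for the test described above, without reading a Profiler trace. This is an added example, not part of the original thread. It assumes SQL Server 2005 or later (where these dynamic management views exist) and uses WEBSERVER01 as a placeholder for the portal's host name.

```sql
-- Added example. WEBSERVER01 is a placeholder for the IIS/portal host name.
-- Requires VIEW SERVER STATE permission; the sys.dm_exec_* views are
-- available in SQL Server 2005 and later only.
SELECT
    s.session_id,
    s.login_name,            -- identity SQL Server authenticated for this session
    s.original_login_name,   -- identity before any EXECUTE AS context switch
    s.host_name,             -- client machine name as reported by the client driver
    s.program_name,
    c.auth_scheme,           -- 'KERBEROS', 'NTLM' or 'SQL'
    c.net_transport,
    c.client_net_address,
    s.login_time
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
    ON c.session_id = s.session_id
WHERE s.is_user_process = 1
  AND c.parent_connection_id IS NULL   -- skip logical MARS child connections
  AND s.host_name = N'WEBSERVER01'     -- client-supplied value; treat as a hint only
ORDER BY s.login_time DESC;
```

Run it while the portal page is open: a login_name that is the web server's process or machine account rather than the portal user means the user's identity was not passed to the database, and auth_scheme shows whether that hop used Kerberos, NTLM or a SQL login.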