ASP.NET + SQL Server Windows authentication

Hey All,

Trying to understand why I cannot get SQL Server to trust my IIS server. I
have two machines set up, 1 App and 1 DB, and I'm trying to validate the
applications access to the DB server via NT Authentication. The App comes in
via NTLM which from my understanding only supports Single hop security
delegation. So far I understand why it doesn't work, although seems to me
like a very bad problem. Now, Basic Authentication will transfer the PW and
the UID which will allow IIS to login to the DB server and then NT
Authentication will work. But we all know how non-secure Basic
Authentication is.

Here's the confusion, if Kerberos permits token transferring with no
limitation why can't IIS receive a token via NTLM and transfer it to the DB
server?

I've been reading all of these articles

http://msdn.microsoft.com/library/de...us/vbcon/html/vbconaccessingsqlserverfromwebapplication.asp
http://msdn.microsoft.com/library/de...us/vbcon/html/vbtskaccessingsqlserverusingwindowsintegratedsecurity.asp
http://msdn.microsoft.com/library/de...us/dnauth/html/dnauth_security.asp
http://msdn.microsoft.com/library/de...us/dnauth/html/signfaq.asp
http://support.microsoft.com/default...;en-us;Q176377

and a bunch of other documents and they all come down to two valid
solutions: Basic Authentication or SQL Users. These are only valid if the
level of security you wish to achieve is not something that needs to pass a
certain level of security (would not pass in industries that require maximum
security).

If I am bound to NT Authentication, is my only option Basic Authentication
(of course under SSL)? And why is it that we don't have these problems with
other database vendors? Is there any way we can utilize ADSI to get the
user's NTLM credentials to pass on to SQL Server?

Any help or suggestions will be very appreciated.

Thank you,


Nov 17 '05 #1
Things that you have to check are:
1- What is the account the web server is using? In ASP.NET, using the default
configuration (no impersonation), it is ASPNET; it can be the
IUSR_MachineName account, or any other account.
In ASP.NET you can easily find out with this code:
Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name);
To change the username under which the code executes for ASP.NET, change the
<identity> in machine.config.

2- Is this account a local account or a domain account?

If it is a domain account, then check in the SQL Server security that
the account is permitted to access the server, and has access to its default
database (or the database specified in the connection string).

If it is a local account, then use a domain account.

If there is no domain, then the username and password for the local account
must be valid on the database server, i.e. the same username and password on
both machines. I think when the ASPNET account is created a random password is
generated for it, so the password is not the same for both machines, and
changing the ASPNET account password is not recommended.

In all cases make sure that the account has access to SQL Server.

Nov 17 '05 #2
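
An expanded form of the identity check from the reply above, as an added example that is not code from either poster: it reports the scheme the request authenticated with, whether the thread is impersonating, and the account an "Integrated Security=SSPI" connection would run as. The class and method names are hypothetical, and it assumes .NET 2.0 or later running inside ASP.NET.

```csharp
// Added example, not code from the thread. IdentityDiagnostics and Describe
// are hypothetical names. Call from a page, for instance:
//   Response.Write("<pre>" + Server.HtmlEncode(IdentityDiagnostics.Describe(Context)) + "</pre>");
using System;
using System.Security.Principal;
using System.Text;
using System.Web;

public static class IdentityDiagnostics
{
    // Returns a plain-text report of who the request authenticated as and
    // which Windows account the code (and so a trusted SQL connection)
    // will actually use.
    public static string Describe(HttpContext context)
    {
        StringBuilder report = new StringBuilder();

        // Identity IIS established for the caller (empty name = anonymous).
        IIdentity caller = context.User.Identity;
        report.AppendLine("Request user:        " + caller.Name);
        report.AppendLine("Authenticated:       " + caller.IsAuthenticated);
        // Scheme reported for the request, e.g. NTLM, Negotiate, Kerberos or Basic.
        report.AppendLine("Request auth type:   " + caller.AuthenticationType);

        // Non-null only while the thread is impersonating, i.e. when
        // <identity impersonate="true" /> is in effect for this request.
        using (WindowsIdentity impersonated = WindowsIdentity.GetCurrent(true))
        {
            report.AppendLine("Impersonating:       " + (impersonated != null));
        }

        // Effective identity: the thread token if impersonating, otherwise the
        // worker process account (ASPNET, NETWORK SERVICE, or a configured one).
        using (WindowsIdentity effective = WindowsIdentity.GetCurrent())
        {
            report.AppendLine("Executing as:        " + effective.Name);
            // None for a process token; Impersonation or Delegation for a thread token.
            report.AppendLine("Impersonation level: " + effective.ImpersonationLevel);
            report.AppendLine("Anonymous token:     " + effective.IsAnonymous);
        }
        return report.ToString();
    }
}
```

Comparing "Request auth type" with "Executing as" on the web server against the login name in the SQL Server error shows which account actually reached the database.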
Think the problem is just a limitation of NTLM single hop. Don't think there
is a way around it other than using SSL and Basic Authentication. ASPNET is
set up properly and is impersonating the user appropriately. Don't think
there is any way around this limitation.

Thanks for the help though

Lior
Nov 17 '05 #3
