473,695 Members | 2,464 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Windows authentication from ASP.NET to SQL Server

Hello,

I am having trouble using Integrated Windows Authentication between our
intranet server and our database server, both of which are on our local
domain.

Windows authentication works for our intranet server - my domain user
"DOM\nme" is correctly authenticated and authorized to view the ASP.NET page
on our intranet. The ASP.NET application uses impersonation (<identity
impersonate="tr ue"> in Web.config).

Windows authentication also works for the SQL Server; when logged on to the
domain, I can start Query Analyzer and connect to the SQL Server using
Windows authentication. Permissions on the SQL Server are also correctly set
up.

However, problems arise when I want to connect to the SQL Server from the
ASP.NET page - I get the fairly common error message below:

Login failed for user '(null)'. Reason: Not associated with a trusted SQL
Server connection.

Although I do get a lot of hits when searching for this specific error, I
still can't seem to find the cause of the problem.

The connection string I'm using to connect to the SQL Server is:
"Server=DB;Inte grated Security=SSPI;D atabase=Intrane tDB".

When setting <identity impersonate="fa lse">, I get the error message "Login
failed for user 'DOM\INTRANET$' ." - DOM\INTRANET$ is the hostname of the
intranet server.

In the database servers event log, I can see two events (supplied below)
after trying to authenticate (unsuccessfully ) from the ASP.NET application
to the SQL Server as "DOM\nme".

What do I need to do to let users use Windows authentication against the DB
server as well?
Regards,
Nils Magnus Englund
(event log entries follows...)
Date: 08.08.2005
Source: Security
Time: 15:14:55
Category: Logon/Logoff
Type: Success Audit
Event ID: 540
User: NT AUTHORITY\ANONY MOUS LOGON
Computer: DB

Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x5CE408)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: INTRANET
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
Date: 08.08.2005
Source: Security
Time: 15:14:55
Category: Logon/Logoff
Type: Success Audit
Event ID: 538
User: NT AUTHORITY\ANONY MOUS LOGON
Computer: DB

Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x5CE408)
Logon Type: 3



Nov 19 '05 #1
8 3425
Do you have anonymous authentication disabled in IIS?
If so, do you have <authenticati on mode="Windows" /> set in your
web.config?

Nov 19 '05 #2
The easiest way is to turn off anonymous access for the Intranet site. This
will force authentication, usually through a login box (although the network
admins can alleviate this through policy).

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

*************** ************
Think Outside the Box!
*************** ************
"Nils Magnus Englund" wrote:
Hello,

I am having trouble using Integrated Windows Authentication between our
intranet server and our database server, both of which are on our local
domain.

Windows authentication works for our intranet server - my domain user
"DOM\nme" is correctly authenticated and authorized to view the ASP.NET page
on our intranet. The ASP.NET application uses impersonation (<identity
impersonate="tr ue"> in Web.config).

Windows authentication also works for the SQL Server; when logged on to the
domain, I can start Query Analyzer and connect to the SQL Server using
Windows authentication. Permissions on the SQL Server are also correctly set
up.

However, problems arise when I want to connect to the SQL Server from the
ASP.NET page - I get the fairly common error message below:

Login failed for user '(null)'. Reason: Not associated with a trusted SQL
Server connection.

Although I do get a lot of hits when searching for this specific error, I
still can't seem to find the cause of the problem.

The connection string I'm using to connect to the SQL Server is:
"Server=DB;Inte grated Security=SSPI;D atabase=Intrane tDB".

When setting <identity impersonate="fa lse">, I get the error message "Login
failed for user 'DOM\INTRANET$' ." - DOM\INTRANET$ is the hostname of the
intranet server.

In the database servers event log, I can see two events (supplied below)
after trying to authenticate (unsuccessfully ) from the ASP.NET application
to the SQL Server as "DOM\nme".

What do I need to do to let users use Windows authentication against the DB
server as well?
Regards,
Nils Magnus Englund
(event log entries follows...)
Date: 08.08.2005
Source: Security
Time: 15:14:55
Category: Logon/Logoff
Type: Success Audit
Event ID: 540
User: NT AUTHORITY\ANONY MOUS LOGON
Computer: DB

Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x5CE408)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: INTRANET
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
Date: 08.08.2005
Source: Security
Time: 15:14:55
Category: Logon/Logoff
Type: Success Audit
Event ID: 538
User: NT AUTHORITY\ANONY MOUS LOGON
Computer: DB

Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x5CE408)
Logon Type: 3



Nov 19 '05 #3
"Stefan" <Cl*********@gm ail.com> wrote in message
news:11******** **************@ g14g2000cwa.goo glegroups.com.. .
Do you have anonymous authentication disabled in IIS?
If so, do you have <authenticati on mode="Windows" /> set in your
web.config?


In reply to both Stefan and Gregory;

Anonymous authentication is disabled, and I have authentication mode
"Windows" set in Web.config.

Again, let me specify that the Windows authentication for the ASP.NET page
works, and the User.Identity part successfully retrieves the domain user.
It's the Windows authentication to the SQL Server from the ASP.NET page that
causes trouble.
Regards,
Nils Magnus Englund
Nov 19 '05 #4
Nils hae you give your database and table the ASPNET account permission?
Try doing that.
Patrick
"Nils Magnus Englund" <ni************ *****@orkfin.no > wrote in message
news:O7******** ******@TK2MSFTN GP15.phx.gbl...
"Stefan" <Cl*********@gm ail.com> wrote in message
news:11******** **************@ g14g2000cwa.goo glegroups.com.. .
Do you have anonymous authentication disabled in IIS?
If so, do you have <authenticati on mode="Windows" /> set in your
web.config?
In reply to both Stefan and Gregory;

Anonymous authentication is disabled, and I have authentication mode
"Windows" set in Web.config.

Again, let me specify that the Windows authentication for the ASP.NET page
works, and the User.Identity part successfully retrieves the domain user.
It's the Windows authentication to the SQL Server from the ASP.NET page

that causes trouble.
Regards,
Nils Magnus Englund

Nov 19 '05 #5
Hi Patrick,

Since the database server isn't the same server as the ASP.NET server, and
since ASPNET is a local user, I cannot use that user to set permissions on
the database server. However, because of the identity impersonation, is the
application supposed to be connecting as ASPNET at all?
Regards,
Nils Magnus Englund

"Patrick.O. Ige" <na********@hot mail.com> wrote in message
news:%2******** ********@TK2MSF TNGP14.phx.gbl. ..
Nils hae you give your database and table the ASPNET account permission?
Try doing that.
Patrick
"Nils Magnus Englund" <ni************ *****@orkfin.no > wrote in message
news:O7******** ******@TK2MSFTN GP15.phx.gbl...
"Stefan" <Cl*********@gm ail.com> wrote in message
news:11******** **************@ g14g2000cwa.goo glegroups.com.. .
> Do you have anonymous authentication disabled in IIS?
> If so, do you have <authenticati on mode="Windows" /> set in your
> web.config?


In reply to both Stefan and Gregory;

Anonymous authentication is disabled, and I have authentication mode
"Windows" set in Web.config.

Again, let me specify that the Windows authentication for the ASP.NET
page
works, and the User.Identity part successfully retrieves the domain user.
It's the Windows authentication to the SQL Server from the ASP.NET page

that
causes trouble.
Regards,
Nils Magnus Englund


Nov 19 '05 #6
On Tue, 9 Aug 2005 08:21:08 +0200, "Nils Magnus Englund" <ni************ *****@orkfin.no > wrote:

¤ Hi Patrick,
¤
¤ Since the database server isn't the same server as the ASP.NET server, and
¤ since ASPNET is a local user, I cannot use that user to set permissions on
¤ the database server. However, because of the identity impersonation, is the
¤ application supposed to be connecting as ASPNET at all?
¤

If your ASP.NET app is configured for Integrated Windows security, credentials cannot be delegated
by IIS to the remote database server w/o implementing Kerberos.

The reason for this is that NTLM authenticates credentials under IIS Integrated Windows security so
IIS never receives the credentials and cannot forward them for delegation.
Paul
~~~~
Microsoft MVP (Visual Basic)
Nov 19 '05 #7
> If your ASP.NET app is configured for Integrated Windows security,
credentials cannot be delegated
by IIS to the remote database server w/o implementing Kerberos.

The reason for this is that NTLM authenticates credentials under IIS
Integrated Windows security so
IIS never receives the credentials and cannot forward them for delegation.

But why can't I use Kerberos authentication? Is it anyway to force the
application to use Kerberos? The WindowsIdentity .Authentication Type property
returns "Negotiate" - this should be "Kerberos", should it not?
Regards,
Nils Magnus Englund
Nov 19 '05 #8
On Tue, 16 Aug 2005 11:35:17 +0200, "Nils Magnus Englund" <ni************ *****@orkfin.no > wrote:

¤ > If your ASP.NET app is configured for Integrated Windows security,
¤ > credentials cannot be delegated
¤ > by IIS to the remote database server w/o implementing Kerberos.
¤ >
¤ > The reason for this is that NTLM authenticates credentials under IIS
¤ > Integrated Windows security so
¤ > IIS never receives the credentials and cannot forward them for delegation.
¤
¤
¤ But why can't I use Kerberos authentication? Is it anyway to force the
¤ application to use Kerberos? The WindowsIdentity .Authentication Type property
¤ returns "Negotiate" - this should be "Kerberos", should it not?
¤

You can use Kerberos, but your environment must be configured for it. The following should help:

http://msdn.microsoft.com/library/de...delegation.asp
http://msdn.microsoft.com/library/de...SecNetHT05.asp
Paul
~~~~
Microsoft MVP (Visual Basic)
Nov 19 '05 #9

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

8
3701
by: Bob Everland | last post by:
I have an application that is ISAPI and the only way to secure it is through NT permissions. I need to have a way to login to windows authentication so that when I get to the ISAPI application no boxes come up. I want an ASP page to sit between the user and the ISAPI application. The rest of my application is using authentication that is database driven and wouldn't want the users to know the userid and password. Is this possible? If so...
2
2623
by: Joseph Geretz | last post by:
I'm having a credentialing problem in my web application. Actually, I don't think this is an IIS security issue, since I'm able to access the page I'm requesting. However, the executing page itself is not able to access a specific network resource and I just can't figure out why. First of all, let me say this worked fine with IIS running on Win2000 Server. This has not worked since I upgraded to Windows Server 2003. My Platform: Windows...
3
4630
by: Reza | last post by:
Hello I tried this friday, but didn't get anywhere so trying again Basically, I have a fixed list of people that can access the application in the Intranet, and with the policy of the company the Users can be created only with Windows authentication in SQL Server - with SQL server authentication have no problem So every time I try to connect get the error message, "Login failed for user, 'username'. I have also tried windows authentication...
1
1743
by: Thomas Scheiderich | last post by:
I am having a problem connecting to an Sql Server using Windows Authentication. I am using the following command: server=Raptor;uid=tfs;password=tol1ee;database=ABC;Network Library =dbmssocn This works fine if Sql Server is set up as Sql and Windows Authentication. If I change the Sql Server to Windows Authentication, I get the following page:
5
2689
by: pberna | last post by:
Dear all, I built a Web Form application to start and stop a Windows Service remotely. I successful tested the application on Windows 2000 server + IIS. I must include the ASPNET user to the Administration group (on server side) to have the necessary authorization to start a Windows Service (I don't understand why "Power User" rights are not enough to do the same thing) Although I'm able to start a service using windows 2000 server...
6
4225
by: mcollier | last post by:
I am running a Windows Server 2003 machine as my web server. I would like to use Windows authentication for connections to my SQL Server 2000 instance on a Windows 2000 server. I've read where mirroring the ASPNET account and password on the web server and SQL server would work. However, with IIS 6, ASP.NET runs under the 'NT AUTHORITY\NETWORK SERVICE' account. Should I change the password of the 'NT AUTHORITY\NETWORK SERVICE' account...
6
7548
by: Kevin Yu | last post by:
is it possible to for user to click a logout button to logout and when the user want to get into the system again, the user have to login again? Kevin
7
3026
by: Alice Wong | last post by:
I am setting up my Web ASP.net application to connect to Sql server using windows authentication. I set up IIS to have integrated windows authenication and sql to allow Windows authentication. And I trun annonymous login. I use this connection to connect. server={0};database={1};Integrated Security=SSPI where {0} servname and {1} database name
4
2348
by: Preben Zacho | last post by:
Hi there The scenario I got is this: I have created a Windows application in VS and I want to deploy it to another machine running Windows Vista. Since I have no control over this other machine, I've set it up to run SQL Authentication and I have added a new user called "MyUser" and applied a password. This user/password is used in my connection string whick looks like this: Server=.\SQLEXPRESS;Database=MyDB;User...
0
8553
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
0
9112
Oralloy
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
0
8971
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
0
8815
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
1
6483
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
0
5827
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
0
4570
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
1
2994
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
2
2251
muto222
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.