ASP.NET -> SQL Server : Impersonation not working!

On Tue, 9 Aug 2005 02:31:59 -0700, "Patrick" <qu*******@news group.nospam> wrote:

¤ But surely, when I login to my XP, then open up
¤ http://myServer/impersonation.aspx, my IE6 browser also pass in my
¤ credentials to myServer, and that is called Integrated Windows
¤ Authentication, too regardless of whether myServer is IIS6.0 or IIS5.1, as
¤ long as it is in the same domain!
¤

No, NTLM does not pass credentials to IIS when your web app is configured for Integrated Windows
security. NTLM handles the authentication. In order to delegate credentials via the web server NTLM
must be used in conjunction with Kerberos.

¤ How else did myServer managed to log Environment.Use rName correctly
¤ (corresponding to the user launching http://myServer/impersonation from a
¤ remote WinXP IE6 browser in the same domain)?
¤

As was mentioned, the difference is that IIS is not capable of forwarding encrypted credentials (it
does not have) for delegation to a remote server when using Integrated Windows security. This is
different than being authenticated locally on your machine where the credentials are known and can
be forwarded for remote resource authentication. In addition, while the authenticated user name may
be known, the password is not.

BTW if you were using Basic authentication, where clear text credentials can be delegated remotely,
the integrated security mechanism should function as you expect.
Paul
~~~~
Microsoft MVP (Visual Basic)

I have the same problem. Is there a book or something that spells out exactly
what needs to happen to make this work? I also have it working locally with
XP (so i thought this solution was good), promoted it to the server, only to
run into this problem. Seems to be more difficult than it has to be for
something that appears to be common to do (retrieve data from your SQL server
and display it in your .net pages).

Looking for an answer also,
lyners

"Patrick" wrote:

I set my web.config as follows:
<authenticati on mode="Windows" />
<identity impersonate="tr ue" />

Logon to my ASP.NET website as a user who can authenticate to the target
database.

1) Works fine on my local PC running IIS5.1 on WinXP Pro SP1
2) does not work on IIS6.0 on Windows 2003 server:
System.Data.Sql Client.SqlExcep tion: Login failed for user '(null)'. Reason:
Not associated with a trusted SQL Server connection.
at System.Data.Sql Client.Connecti onPool.GetConne ction(Boolean&
isInTransaction )
at
System.Data.Sql Client.SqlConne ctionPoolManage r.GetPooledConn ection(SqlConne ctionString options, Boolean& isInTransaction )
at System.Data.Sql Client.SqlConne ction.Open()
at Microsoft.Pract ices.Enterprise Library.Data.Da tabase.OpenConn ection()
HOWEVER, Environment.Use rName returns the correct username!
Why? How to fix?

Hi Lyners,

For such accessing remote resource on client's forward identity issue, you
can refer to
Bruce's former message whicn mentioned the 4 possible options:
===============

1) switch to basic authentication. this will give IIS a primary token it
can
use to access a remore sqlserver.
2) switch to kerberos authentication and enable creditials forwarding.
3) use a fixed account
4) move the SqlServer to the IIS box.

=============== =

In addition, if you have interests, I also recommend that you have a look
at the

"Programmin g windows security" or
"The .NET Developer's Guide to Windows Security"

authored by Keith Brown. The twos are good guide on windows security
programming.

Thanks & Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)


--------------------
| Thread-Topic: ASP.NET -> SQL Server : Impersonation not working!
| thread-index: AcWd9XWiDDZC3Jc zQtemxmLiosdewg ==
| X-WBNR-Posting-Host: 204.194.251.3
| From: =?Utf-8?B?THluZXJz?= <Ly****@discuss ions.microsoft. com>
| References: <5A************ *************** *******@microso ft.com>
| Subject: RE: ASP.NET -> SQL Server : Impersonation not working!
| Date: Wed, 10 Aug 2005 14:50:01 -0700
| Lines: 33
| Message-ID: <95************ *************** *******@microso ft.com>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| Newsgroups:
microsoft.publi c.dotnet.framew ork.adonet,micr osoft.public.do tnet.framework. a
spnet
| NNTP-Posting-Host: TK2MSFTNGXA03.p hx.gbl 10.40.2.250
| Path: TK2MSFTNGXA01.p hx.gbl!TK2MSFTN GXA03.phx.gbl
| Xref: TK2MSFTNGXA01.p hx.gbl
microsoft.publi c.dotnet.framew ork.aspnet:1172 66
microsoft.publi c.dotnet.framew ork.adonet:3379 7
| X-Tomcat-NG: microsoft.publi c.dotnet.framew ork.aspnet
|
| I have the same problem. Is there a book or something that spells out
exactly
| what needs to happen to make this work? I also have it working locally
with
| XP (so i thought this solution was good), promoted it to the server, only
to
| run into this problem. Seems to be more difficult than it has to be for
| something that appears to be common to do (retrieve data from your SQL
server
| and display it in your .net pages).
|
| Looking for an answer also,
| lyners
|
| "Patrick" wrote:
|
| > I set my web.config as follows:
| > <authenticati on mode="Windows" />
| > <identity impersonate="tr ue" />
| >
| > Logon to my ASP.NET website as a user who can authenticate to the
target
| > database.
| >
| > 1) Works fine on my local PC running IIS5.1 on WinXP Pro SP1
| > 2) does not work on IIS6.0 on Windows 2003 server:
| > System.Data.Sql Client.SqlExcep tion: Login failed for user '(null)'.
Reason:
| > Not associated with a trusted SQL Server connection.
| > at System.Data.Sql Client.Connecti onPool.GetConne ction(Boolean&
| > isInTransaction )
| > at
| >
System.Data.Sql Client.SqlConne ctionPoolManage r.GetPooledConn ection(SqlConne c
tionString options, Boolean& isInTransaction )
| > at System.Data.Sql Client.SqlConne ction.Open()
| > at
Microsoft.Pract ices.Enterprise Library.Data.Da tabase.OpenConn ection()
| > HOWEVER, Environment.Use rName returns the correct username!
| >
| >
| > Why? How to fix?
|

Assuming you are using windows auth to connect to SQL Server - which it
looks like you are - you are more than likely running into the infamous
"double hop" issue. You cannot go from client -> (one hop) web server ->
(2nd hop) sql server unless you allowed delegation for the account that are
trying to authenticate.

It is possible to achieve what you are trying to do, but it will require
some additional setup. Check out these links for more info:

http://odetocode.com/Blogs/scott/arc...2/24/1053.aspx
http://support.microsoft.com/default...b;en-us;810572
http://pluralsight.com/blogs/keith/a...7/08/1586.aspx

Kevin Cunningham

"Lyners" <Ly****@discuss ions.microsoft. com> wrote in message
news:95******** *************** ***********@mic rosoft.com...

I have the same problem. Is there a book or something that spells out
exactly
what needs to happen to make this work? I also have it working locally
with
XP (so i thought this solution was good), promoted it to the server, only
to
run into this problem. Seems to be more difficult than it has to be for
something that appears to be common to do (retrieve data from your SQL
server
and display it in your .net pages).

Looking for an answer also,
lyners

"Patrick" wrote:

I set my web.config as follows:
<authenticati on mode="Windows" />
<identity impersonate="tr ue" />

Logon to my ASP.NET website as a user who can authenticate to the target
database.

1) Works fine on my local PC running IIS5.1 on WinXP Pro SP1
2) does not work on IIS6.0 on Windows 2003 server:
System.Data.Sql Client.SqlExcep tion: Login failed for user '(null)'.
Reason:
Not associated with a trusted SQL Server connection.
at System.Data.Sql Client.Connecti onPool.GetConne ction(Boolean&
isInTransaction )
at
System.Data.Sql Client.SqlConne ctionPoolManage r.GetPooledConn ection(SqlConne ctionString
options, Boolean& isInTransaction )
at System.Data.Sql Client.SqlConne ction.Open()
at
Microsoft.Pract ices.Enterprise Library.Data.Da tabase.OpenConn ection()
HOWEVER, Environment.Use rName returns the correct username!
Why? How to fix?

Actually, if the user is logged onto our intranet, that is good enough
security. I am trying to make the IIS talk to the SQL server, I have been
experimenting with different setups, but i can't get any data back. I usually
get "Login failed for user '(null)'. Reason: Not associated with a trusted
SQL Server connection" What is the correct way to setup a connection to a SQL
server running on a Windows 2003 server from an IIS Windows 2003 server? I
know the second hop is my problem, but what is the best business practice for
setting up the conection?

"kevin cunningham" wrote:

Assuming you are using windows auth to connect to SQL Server - which it
looks like you are - you are more than likely running into the infamous
"double hop" issue. You cannot go from client -> (one hop) web server ->
(2nd hop) sql server unless you allowed delegation for the account that are
trying to authenticate.

It is possible to achieve what you are trying to do, but it will require
some additional setup. Check out these links for more info:

http://odetocode.com/Blogs/scott/arc...2/24/1053.aspx
http://support.microsoft.com/default...b;en-us;810572
http://pluralsight.com/blogs/keith/a...7/08/1586.aspx

Kevin Cunningham

"Lyners" <Ly****@discuss ions.microsoft. com> wrote in message
news:95******** *************** ***********@mic rosoft.com...

I have the same problem. Is there a book or something that spells out
exactly
what needs to happen to make this work? I also have it working locally
with
XP (so i thought this solution was good), promoted it to the server, only
to
run into this problem. Seems to be more difficult than it has to be for
something that appears to be common to do (retrieve data from your SQL
server
and display it in your .net pages).

Looking for an answer also,
lyners

"Patrick" wrote:

I set my web.config as follows:
<authenticati on mode="Windows" />
<identity impersonate="tr ue" />

Logon to my ASP.NET website as a user who can authenticate to the target
database.

1) Works fine on my local PC running IIS5.1 on WinXP Pro SP1
2) does not work on IIS6.0 on Windows 2003 server:
System.Data.Sql Client.SqlExcep tion: Login failed for user '(null)'.
Reason:
Not associated with a trusted SQL Server connection.
at System.Data.Sql Client.Connecti onPool.GetConne ction(Boolean&
isInTransaction )
at
System.Data.Sql Client.SqlConne ctionPoolManage r.GetPooledConn ection(SqlConne ctionString
options, Boolean& isInTransaction )
at System.Data.Sql Client.SqlConne ction.Open()
at
Microsoft.Pract ices.Enterprise Library.Data.Da tabase.OpenConn ection()
HOWEVER, Environment.Use rName returns the correct username!
Why? How to fix?

Hi Patrick,

Have you had a chance to look at Paul and Kevins' further suggestions.
Also, as I mentioned in my former reply, currently the four options Bruce
has suggested:
=========
1) switch to basic authentication. this will give IIS a primary token it
can
use to access a remore sqlserver.
2) switch to kerberos authentication and enable creditials forwarding.
3) use a fixed account
4) move the SqlServer to the IIS box
=========

are the reasonable approach avaiable for multi-tier application. Please
feel free to post here if there'r anything else we can help. Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
--------------------
| Thread-Topic: ASP.NET -> SQL Server : Impersonation not working!
| thread-index: AcWcOezYxxuAGdP fQ5acH2lDwOZtOg ==
| X-WBNR-Posting-Host: 198.240.128.75
| From: "=?Utf-8?B?UGF0cmljaw= =?=" <qu*******@news group.nospam>
| References: <5A************ *************** *******@microso ft.com>
<ex************ **@TK2MSFTNGP10 .phx.gbl>
<F1************ *************** *******@microso ft.com>
<##************ **@TK2MSFTNGP15 .phx.gbl>
| Subject: Re: ASP.NET -> SQL Server : Impersonation not working!
| Date: Mon, 8 Aug 2005 09:55:05 -0700
| Lines: 27
| Message-ID: <94************ *************** *******@microso ft.com>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| Newsgroups:
microsoft.publi c.dotnet.framew ork.adonet,micr osoft.public.do tnet.framework. a
spnet
| NNTP-Posting-Host: TK2MSFTNGXA03.p hx.gbl 10.40.2.250
| Path: TK2MSFTNGXA01.p hx.gbl!TK2MSFTN GXA03.phx.gbl
| Xref: TK2MSFTNGXA01.p hx.gbl
microsoft.publi c.dotnet.framew ork.aspnet:1167 40
microsoft.publi c.dotnet.framew ork.adonet:3365 3
| X-Tomcat-NG: microsoft.publi c.dotnet.framew ork.aspnet
|
| wanting the user credentials to be those of the user in whose identity
the
| browser is running? (For example, if I logged on to your network as
| MYDOMAIN\Fred and opened the web browser, would you want the connection
to
| the server to be under the user credentials of MYDOMAIN\Fred?)
|
| "Oenone" wrote:
|
| > Patrick wrote:
| > > What I do NOT want connection to the SQL Server to be with a fixed
| > > Domain username/password, but rather I want the user to pass the
| > > username/password from the web browser to IIS6 and for IIS6/ASP.NET
| > > to pass the credentials to SQL Server.
| >
| > Aha -- I'm not sure how you'd do it in that case...
| >
| > Are you wanting the user credentials to be those of the user in whose
| > identity the browser is running? (For example, if I logged on to your
| > network as MYDOMAIN\Fred and opened the web browser, would you want the
| > connection to the server to be under the user credentials of
MYDOMAIN\Fred?)
| > Or would you want the user to type them into a form in the browser?
| >
| > --
| >
| > (O)enone
| >
| >
| >
|