
Windows authentication from ASP.net application to Sql Server

I am setting up my Web ASP.net application to connect to Sql server using
windows authentication.

I set up IIS to have integrated windows authentication and sql to allow
Windows authentication. And I turn anonymous login.

I use this connection to connect.
server={0};database={1};Integrated Security=SSPI
where {0} servname and {1} database name

I got the following error:
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

I am wondering what is the correct setup for the IIS and Sql Server.

thanks,
Alice
Dec 29 '05 #1
sorry for two mails... I disabled anonymous login is what I meant below

Dec 29 '05 #2
If you want to use Windows Auth you will have to turn off anon access and use
impersonation.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

***************************
Think Outside the Box!
***************************

Dec 29 '05 #3
YEAH... I did turn off anonymous access and set impersonation to true in
web.config

Dec 29 '05 #4
IIS's Integrated Windows Authentication means that the website pages
will be accessed/executed under the user account of the user requesting
them (for requests that come from users on the same domain as the
webserver); so, the ASP process should be running in the context of
whoever's accessing the site, not ANONYMOUS USER, as the error message
implies it is. So, you should check the directory security for the
relevant folders/site really *is* set to prevent anonymous access (and
also put a check in the ASP code to see what account it's running
under).

However, if you do use IWA + ASP impersonation, then the data access
should be done under a different account, as otherwise you'd have to
grant all your domain users rights to connect to the database server
(as the data access would be done in the context of their accounts).
You could impersonate a specific account for when you need access to
the database, and then grant that account rights to log in to the SQL
Server, by giving it the T-SQL command EXEC sp_grantlogin 'username'
where username is the qualified name of the account.

Dec 29 '05 #5
yeah.. let's say the SQL server has Windows authentication. Anyone within
the domain can access the db server. I would like to authenticate
according to their windows user information instead of granting a specific
account to the db. Can we do that?

Dec 29 '05 #6
Hi Alice,

I assume that you've correctly configured the IIS to authenticate client
with windows authentication and also use windows authentication in asp.net
application and turn on impersonate (<identity impersonate="true".... /> ),
also you can use System.

Still one question, is your sqlserver instance installed on another remote
server or on the same server with the IIS/ASP.Net? As for the IIS's
integrated windows authenticated user (also impersonated in asp.net), their
security context (NT logon session) only works on the server where IIS and
ASPNET reside. So if SqlServer is on another remote machine, the
IIS/ASP.NET's security context can not be forwarded to that remote machine
(no double hops). This is an existing limitation of the NTLM
authentication ....

If we need to let the windows user context be able to hop to the remote
sqlserver, we have the following means:

1. Use basic authentication instead of integrated windows, this will force
the client user to input clear text username/password. So this is always
used together with HTTPS/SSL secure channel....

2. Use a single fixed impersonate account, like
<identity impersonate="true" userName="xxx" password="xxx"/>

In addition, there does exist a solution for windows authenticated security
token being forwarded across multiple server hops, but that requires
client/server to use restricted kerberos delegation which has critical
requirement on clientside and serverside.....

For general info on ASP.NET delegation:
#ASP.NET Delegation
http://msdn.microsoft.com/library/en...onaspnetdelega...
#How to configure an ASP.NET application for a delegation scenario
http://support.microsoft.com/default...b;en-us;810572
#How To: Use Impersonation and Delegation in ASP.NET 2.0
http://msdn.microsoft.com/library/en...ht000023.asp?f...
ue
When the webserver is WIN2K, there needs more configuration due to the
win2k server's particular OS security setting....
#How To Implement Kerberos Delegation for Windows 2000
http://msdn.microsoft.com/library/en...mod19.asp?fram...
#Understanding Kerberos Credential Delegation in Windows 2000 Using the
TktView Utility
http://msdn.microsoft.com/msdnmag/is...y/default.aspx
Hope helps. Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Dec 30 '05 #7
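An added example, not part of any post in this thread: a small HTTP handler that performs the "see what account it's running under" check suggested in reply #5 and also shows which login reaches SQL Server, which is where the double-hop limitation described in reply #7 becomes visible. The handler name `WhoAmIHandler` and the appSettings key `DiagConnectionString` are hypothetical; ASP.NET 2.0 or later is assumed.

```csharp
// Added diagnostic example, not code from the thread.
// Assumptions: ASP.NET 2.0+, <authentication mode="Windows"/>, and a
// hypothetical appSettings key "DiagConnectionString" holding the
// application's "server=...;database=...;Integrated Security=SSPI" string.
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

public class WhoAmIHandler : IHttpHandler   // hypothetical name
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse r = context.Response;
        r.ContentType = "text/plain";

        // Hop 0: the identity IIS authenticated for this request.
        // IsAuthenticated=False means anonymous access is still allowed here.
        IIdentity caller = (context.User != null) ? context.User.Identity : null;
        if (caller == null || !caller.IsAuthenticated)
        {
            r.Write("Request user   : (anonymous)\n");
        }
        else
        {
            r.Write("Request user   : " + caller.Name +
                    " via " + caller.AuthenticationType + "\n");
        }

        // Hop 1: the Windows token this thread runs under. With
        // <identity impersonate="true"/> it should match the request user;
        // otherwise it is the worker process account.
        using (WindowsIdentity thread = WindowsIdentity.GetCurrent())
        {
            r.Write("Thread identity: " + thread.Name + "\n");
            // Impersonation = usable on this server only;
            // Delegation    = may be forwarded to another server.
            r.Write("Token level    : " + thread.ImpersonationLevel + "\n");
        }

        // Hop 2: the login SQL Server actually sees for a trusted connection.
        string cs = ConfigurationManager.AppSettings["DiagConnectionString"];
        if (String.IsNullOrEmpty(cs))
        {
            r.Write("SQL check      : skipped, DiagConnectionString not set\n");
            return;
        }
        try
        {
            using (SqlConnection conn = new SqlConnection(cs))
            using (SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
            {
                conn.Open();
                r.Write("SQL login      : " + cmd.ExecuteScalar() + "\n");
            }
        }
        catch (SqlException ex)
        {
            // 18456 is "Login failed". If the name in the message is
            // 'NT AUTHORITY\ANONYMOUS LOGON' while hops 0 and 1 show a domain
            // user, the impersonated token was not forwarded (the double hop).
            r.Write("SQL failed     : " + ex.Number + " " + ex.Message + "\n");
        }
    }
}
```

Request it from a client workstation rather than from a browser on the web server itself, since the double hop only appears when the caller is remote. The output names user and service accounts, so limit access with an `<authorization>` rule and remove the handler after troubleshooting.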
Hi Alice,

How are you doing on this issue, does my last reply help you a little? If
there's anything else we can help with, please feel free to post here.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Jan 4 '06 #8
