473,573 Members | 2,538 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Windows authentication from ASP.net application to Sql Server

I am setting up my Web ASP.net application to connect to Sql server using
windows authentication.

I set up IIS to have integrated windows authenication and sql to allow
Windows authentication. And I trun annonymous login.

I use this connection to connect.
server={0};data base={1};Integr ated Security=SSPI
where {0} servname and {1} database name

I got the following error:
Login failed for user 'NT AUTHORITY\ANONY MOUS LOGON'.

I am wondering what is the correct setup for the IIS and Sql Server.

thanks,
Alice
Dec 29 '05 #1
7 3014
sorry for two mails... I disabled annoymous login is what I meant below

"Alice Wong" <wo******@noema il.noemail> wrote in message
news:uK******** *****@TK2MSFTNG P11.phx.gbl...
I am setting up my Web ASP.net application to connect to Sql server using
windows authentication.

I set up IIS to have integrated windows authenication and sql to allow
Windows authentication. And I trun annonymous login.

I use this connection to connect.
server={0};data base={1};Integr ated Security=SSPI
where {0} servname and {1} database name

I got the following error:
Login failed for user 'NT AUTHORITY\ANONY MOUS LOGON'.

I am wondering what is the correct setup for the IIS and Sql Server.

thanks,
Alice

Dec 29 '05 #2
If you want to use WIndows Auth you will have to turn off anon access and use
impersonation.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

*************** ************
Think Outside the Box!
*************** ************
"Alice Wong" wrote:
I am setting up my Web ASP.net application to connect to Sql server using
windows authentication.

I set up IIS to have integrated windows authenication and sql to allow
Windows authentication. And I trun annonymous login.

I use this connection to connect.
server={0};data base={1};Integr ated Security=SSPI
where {0} servname and {1} database name

I got the following error:
Login failed for user 'NT AUTHORITY\ANONY MOUS LOGON'.

I am wondering what is the correct setup for the IIS and Sql Server.

thanks,
Alice

Dec 29 '05 #3
YEAH... I did turn off annoynous access and set impersonation to true in
web.config
"Cowboy (Gregory A. Beamer) - MVP" <No************ @comcast.netNoS pamM> wrote
in message news:2B******** *************** ***********@mic rosoft.com...
If you want to use WIndows Auth you will have to turn off anon access and
use
impersonation.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

*************** ************
Think Outside the Box!
*************** ************
"Alice Wong" wrote:
I am setting up my Web ASP.net application to connect to Sql server using
windows authentication.

I set up IIS to have integrated windows authenication and sql to allow
Windows authentication. And I trun annonymous login.

I use this connection to connect.
server={0};data base={1};Integr ated Security=SSPI
where {0} servname and {1} database name

I got the following error:
Login failed for user 'NT AUTHORITY\ANONY MOUS LOGON'.

I am wondering what is the correct setup for the IIS and Sql Server.

thanks,
Alice

Dec 29 '05 #4
IIS's Integrated Windows Authentication means that the website pages
will be accessed/executed under the user account of the user requesting
them (for requests that come from users on the same domain as the
webserver); so, the ASP process should be runing in the context of
whoever's accessing the site, not ANONYMOUS USER, as the error message
implies it is. So, you should check the directory security for the
relevant folders/site really *is* set to prevent anonymous access (and
also put a check in the ASP code to see what account it's running
under).

However, if you do use IWA + ASP impersonation, then the data access
should be done under a different account, as otherwise you'd have to
grant all your domain users rights to connect to the database server
(as the data access would be done in the context of their accounts).
You could impersonate a specific account for when you need access to
the database, and then grant that account rights to log in to the SQL
Server, by giving it the T-SQL command EXEC sp_grantlogin 'username'
where username is the qualified name of the account.

Dec 29 '05 #5
yeah.. let's say the SQl server has Windows authentication. Anyone within
the domain can access to the db server. I would like to authenticate
according to their windows user information instead of granting a specify
account to the db. Can we do that?
"Paul Henderson" <pa***********@ pittville.demon .co.uk> wrote in message
news:11******** **************@ f14g2000cwb.goo glegroups.com.. .
IIS's Integrated Windows Authentication means that the website pages
will be accessed/executed under the user account of the user requesting
them (for requests that come from users on the same domain as the
webserver); so, the ASP process should be runing in the context of
whoever's accessing the site, not ANONYMOUS USER, as the error message
implies it is. So, you should check the directory security for the
relevant folders/site really *is* set to prevent anonymous access (and
also put a check in the ASP code to see what account it's running
under).

However, if you do use IWA + ASP impersonation, then the data access
should be done under a different account, as otherwise you'd have to
grant all your domain users rights to connect to the database server
(as the data access would be done in the context of their accounts).
You could impersonate a specific account for when you need access to
the database, and then grant that account rights to log in to the SQL
Server, by giving it the T-SQL command EXEC sp_grantlogin 'username'
where username is the qualified name of the account.

Dec 29 '05 #6
Hi Alice,

I assume that you've correctly configured the IIS to authenticate client
with windows authentication and also use windows authenitcation in asp.net
application and turn on impersonate (<identity impersonate="tr ue".... /> ),
also you can use System.

Still one question, is your sqlserver instance installed on another remote
server or on the same server with the IIS/ASP.Net? As for the IIS's
integarted windows authenticated user(also impersonated in asp.net) , their
security context (NT logon session) only works on the server where IIS and
ASPNET reside. So if SqlServer is on another remote machine, the
IIS/ASP.NET's security context can not be forwarded to that remote machine
(no double hops). This is an existing limitation of the NTLM
authentication ....

If we need to let the windows user context be able to hop to the remote
sqlserver, we have the following means:

1. Use basic authentication instead of integrated windows, this will force
the client user to input clear text username/password. So this is always
used together with HTTPS/SSL secure channel....

2. Use a single fixed impersonate account , like
<identify impersonate="tr ue" userName="xxx" password="xxx"/>
In addition, there does exists solution for windows authenticated security
token being forwarded accorss mutlpile server hops, but that require
client/server to use restricted kerberos delegation which has critical
requirement on clientside and serverside.....

For general info on ASP.NET delegation:
#ASP.NET Delegation
http://msdn.microsoft.com/library/en...onaspnetdelega...
#How to configure an ASP.NET application for a delegation scenario
http://support.microsoft.com/default...b;en-us;810572
#How To: Use Impersonation and Delegation in ASP.NET 2.0
http://msdn.microsoft.com/library/en...ht000023.asp?f...
ue
When the webserver is WIN2K, there needs more configuration due to the
win2k server's particular OS security setting....
#How To Implement Kerberos Delegation for Windows 2000
http://msdn.microsoft.com/library/en...mod19.asp?fram...
#Understanding Kerberos Credential Delegation in Windows 2000 Using the
TktView Utility
http://msdn.microsoft.com/msdnmag/is...y/default.aspx
Hope helps. Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
--------------------
| From: "Alice Wong" <wo******@noema il.noemail>
| References: <uK************ *@TK2MSFTNGP11. phx.gbl>
<2B************ *************** *******@microso ft.com>
<#I************ **@TK2MSFTNGP09 .phx.gbl>
<11************ **********@f14g 2000cwb.googleg roups.com>
| Subject: Re: Windows authentication from ASP.net application to Sql Server
| Date: Thu, 29 Dec 2005 14:10:51 -0800
| Lines: 29
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
| X-RFC2646: Format=Flowed; Original
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
| Message-ID: <uh************ **@TK2MSFTNGP09 .phx.gbl>
| Newsgroups: microsoft.publi c.dotnet.framew ork.aspnet
| NNTP-Posting-Host: 199.3.115.254
| Path: TK2MSFTNGXA02.p hx.gbl!TK2MSFTN GP08.phx.gbl!TK 2MSFTNGP09.phx. gbl
| Xref: TK2MSFTNGXA02.p hx.gbl
microsoft.publi c.dotnet.framew ork.aspnet:3676 40
| X-Tomcat-NG: microsoft.publi c.dotnet.framew ork.aspnet
|
| yeah.. let's say the SQl server has Windows authentication. Anyone
within
| the domain can access to the db server. I would like to authenticate
| according to their windows user information instead of granting a specify
| account to the db. Can we do that?
|
|
| "Paul Henderson" <pa***********@ pittville.demon .co.uk> wrote in message
| news:11******** **************@ f14g2000cwb.goo glegroups.com.. .
| > IIS's Integrated Windows Authentication means that the website pages
| > will be accessed/executed under the user account of the user requesting
| > them (for requests that come from users on the same domain as the
| > webserver); so, the ASP process should be runing in the context of
| > whoever's accessing the site, not ANONYMOUS USER, as the error message
| > implies it is. So, you should check the directory security for the
| > relevant folders/site really *is* set to prevent anonymous access (and
| > also put a check in the ASP code to see what account it's running
| > under).
| >
| > However, if you do use IWA + ASP impersonation, then the data access
| > should be done under a different account, as otherwise you'd have to
| > grant all your domain users rights to connect to the database server
| > (as the data access would be done in the context of their accounts).
| > You could impersonate a specific account for when you need access to
| > the database, and then grant that account rights to log in to the SQL
| > Server, by giving it the T-SQL command EXEC sp_grantlogin 'username'
| > where username is the qualified name of the account.
| >
|
|
|

Dec 30 '05 #7
Hi Alice,

How are you doing on this issue, does my last reply helps you a little? If
there're anything else we can help, please feel free to post here.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
--------------------
| X-Tomcat-ID: 59381458
| References: <uK************ *@TK2MSFTNGP11. phx.gbl>
<2B************ *************** *******@microso ft.com>
<#I************ **@TK2MSFTNGP09 .phx.gbl>
<11************ **********@f14g 2000cwb.googleg roups.com>
<uh************ **@TK2MSFTNGP09 .phx.gbl>
| MIME-Version: 1.0
| Content-Type: text/plain
| Content-Transfer-Encoding: 7bit
| From: st*****@online. microsoft.com (Steven Cheng[MSFT])
| Organization: Microsoft
| Date: Fri, 30 Dec 2005 03:22:43 GMT
| Subject: Re: Windows authentication from ASP.net application to Sql Server
| X-Tomcat-NG: microsoft.publi c.dotnet.framew ork.aspnet
| Message-ID: <y9************ **@TK2MSFTNGXA0 2.phx.gbl>
| Newsgroups: microsoft.publi c.dotnet.framew ork.aspnet
| Lines: 130
| Path: TK2MSFTNGXA02.p hx.gbl
| Xref: TK2MSFTNGXA02.p hx.gbl
microsoft.publi c.dotnet.framew ork.aspnet:3676 70
| NNTP-Posting-Host: tomcatimport2.p hx.gbl 10.201.218.182
|
| Hi Alice,
|
| I assume that you've correctly configured the IIS to authenticate client
| with windows authentication and also use windows authenitcation in
asp.net
| application and turn on impersonate (<identity impersonate="tr ue".... />
),
| also you can use System.
|
| Still one question, is your sqlserver instance installed on another
remote
| server or on the same server with the IIS/ASP.Net? As for the IIS's
| integarted windows authenticated user(also impersonated in asp.net) ,
their
| security context (NT logon session) only works on the server where IIS
and
| ASPNET reside. So if SqlServer is on another remote machine, the
| IIS/ASP.NET's security context can not be forwarded to that remote
machine
| (no double hops). This is an existing limitation of the NTLM
| authentication ....
|
| If we need to let the windows user context be able to hop to the remote
| sqlserver, we have the following means:
|
| 1. Use basic authentication instead of integrated windows, this will
force
| the client user to input clear text username/password. So this is always
| used together with HTTPS/SSL secure channel....
|
| 2. Use a single fixed impersonate account , like
| <identify impersonate="tr ue" userName="xxx" password="xxx"/>
|
|
| In addition, there does exists solution for windows authenticated
security
| token being forwarded accorss mutlpile server hops, but that require
| client/server to use restricted kerberos delegation which has critical
| requirement on clientside and serverside.....
|
| For general info on ASP.NET delegation:
|
|
| #ASP.NET Delegation
| http://msdn.microsoft.com/library/en...onaspnetdelega...
|
|
| #How to configure an ASP.NET application for a delegation scenario
| http://support.microsoft.com/default...b;en-us;810572
|
|
| #How To: Use Impersonation and Delegation in ASP.NET 2.0
| http://msdn.microsoft.com/library/en...ht000023.asp?f...
| ue
|
|
| When the webserver is WIN2K, there needs more configuration due to the
| win2k server's particular OS security setting....
|
|
| #How To Implement Kerberos Delegation for Windows 2000
| http://msdn.microsoft.com/library/en...mod19.asp?fram...
|
|
| #Understanding Kerberos Credential Delegation in Windows 2000 Using the
| TktView Utility
| http://msdn.microsoft.com/msdnmag/is...y/default.aspx
|
|
| Hope helps. Thanks,
|
| Steven Cheng
| Microsoft Online Support
|
| Get Secure! www.microsoft.com/security
| (This posting is provided "AS IS", with no warranties, and confers no
| rights.)
|
|
| --------------------
| | From: "Alice Wong" <wo******@noema il.noemail>
| | References: <uK************ *@TK2MSFTNGP11. phx.gbl>
| <2B************ *************** *******@microso ft.com>
| <#I************ **@TK2MSFTNGP09 .phx.gbl>
| <11************ **********@f14g 2000cwb.googleg roups.com>
| | Subject: Re: Windows authentication from ASP.net application to Sql
Server
| | Date: Thu, 29 Dec 2005 14:10:51 -0800
| | Lines: 29
| | X-Priority: 3
| | X-MSMail-Priority: Normal
| | X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
| | X-RFC2646: Format=Flowed; Original
| | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
| | Message-ID: <uh************ **@TK2MSFTNGP09 .phx.gbl>
| | Newsgroups: microsoft.publi c.dotnet.framew ork.aspnet
| | NNTP-Posting-Host: 199.3.115.254
| | Path: TK2MSFTNGXA02.p hx.gbl!TK2MSFTN GP08.phx.gbl!TK 2MSFTNGP09.phx. gbl
| | Xref: TK2MSFTNGXA02.p hx.gbl
| microsoft.publi c.dotnet.framew ork.aspnet:3676 40
| | X-Tomcat-NG: microsoft.publi c.dotnet.framew ork.aspnet
| |
| | yeah.. let's say the SQl server has Windows authentication. Anyone
| within
| | the domain can access to the db server. I would like to authenticate
| | according to their windows user information instead of granting a
specify
| | account to the db. Can we do that?
| |
| |
| | "Paul Henderson" <pa***********@ pittville.demon .co.uk> wrote in message
| | news:11******** **************@ f14g2000cwb.goo glegroups.com.. .
| | > IIS's Integrated Windows Authentication means that the website pages
| | > will be accessed/executed under the user account of the user
requesting
| | > them (for requests that come from users on the same domain as the
| | > webserver); so, the ASP process should be runing in the context of
| | > whoever's accessing the site, not ANONYMOUS USER, as the error message
| | > implies it is. So, you should check the directory security for the
| | > relevant folders/site really *is* set to prevent anonymous access (and
| | > also put a check in the ASP code to see what account it's running
| | > under).
| | >
| | > However, if you do use IWA + ASP impersonation, then the data access
| | > should be done under a different account, as otherwise you'd have to
| | > grant all your domain users rights to connect to the database server
| | > (as the data access would be done in the context of their accounts).
| | > You could impersonate a specific account for when you need access to
| | > the database, and then grant that account rights to log in to the SQL
| | > Server, by giving it the T-SQL command EXEC sp_grantlogin 'username'
| | > where username is the qualified name of the account.
| | >
| |
| |
| |
|
|

Jan 4 '06 #8

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

8
3684
by: Bob Everland | last post by:
I have an application that is ISAPI and the only way to secure it is through NT permissions. I need to have a way to login to windows authentication so that when I get to the ISAPI application no boxes come up. I want an ASP page to sit between the user and the ISAPI application. The rest of my application is using authentication that is...
1
2386
by: Marino | last post by:
Hi all, I have a Windows 2003 server, which is also a terminal server for application, with sql 2000 installed. My company has developed an application that uses SQL 2000 as its database. The application is a client/server one. In each client computer there's a link to the application on the server. There is no problem with Windows 98,...
2
2615
by: Joseph Geretz | last post by:
I'm having a credentialing problem in my web application. Actually, I don't think this is an IIS security issue, since I'm able to access the page I'm requesting. However, the executing page itself is not able to access a specific network resource and I just can't figure out why. First of all, let me say this worked fine with IIS running on...
5
2679
by: pberna | last post by:
Dear all, I built a Web Form application to start and stop a Windows Service remotely. I successful tested the application on Windows 2000 server + IIS. I must include the ASPNET user to the Administration group (on server side) to have the necessary authorization to start a Windows Service (I don't understand why "Power User" rights are...
6
4213
by: mcollier | last post by:
I am running a Windows Server 2003 machine as my web server. I would like to use Windows authentication for connections to my SQL Server 2000 instance on a Windows 2000 server. I've read where mirroring the ASPNET account and password on the web server and SQL server would work. However, with IIS 6, ASP.NET runs under the 'NT...
8
3418
by: Nils Magnus Englund | last post by:
Hello, I am having trouble using Integrated Windows Authentication between our intranet server and our database server, both of which are on our local domain. Windows authentication works for our intranet server - my domain user "DOM\nme" is correctly authenticated and authorized to view the ASP.NET page on our intranet. The ASP.NET...
4
7711
by: Gav | last post by:
Hi, I am writing a windows form application (C#) which access's data from an SQL server. The SQL server is using windows authentication only. At the moment I have to grant the domain users access to the database for the application to work. However, the database includes information that I need to hide from the users, currently the...
3
13773
by: =?Utf-8?B?RGFuZGFuIFpoYW5n?= | last post by:
Now I have a web application, a web service and a SQL Server database. The Web application will invoke the web service, the web service invokes the SQL Server stored procedure. I let the web service run in an application pool which runs under a domain user, this domain user has permissions of accessing database and the connection to...
4
2340
by: Preben Zacho | last post by:
Hi there The scenario I got is this: I have created a Windows application in VS and I want to deploy it to another machine running Windows Vista. Since I have no control over this other machine, I've set it up to run SQL Authentication and I have added a new user called "MyUser" and applied a password. This user/password is used in my...
0
7661
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language...
0
8167
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that...
1
7730
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For...
0
8028
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the...
0
6349
agi2029
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then...
1
5550
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes...
0
5252
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert...
0
3692
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in...
1
2164
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.