By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
458,186 Members | 1,551 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 458,186 IT Pros & Developers. It's quick & easy.

Integrated Authentication.

P: n/a
In my web.config file I've specified Windows for the authentication, in IIS
I've set it to Integrated Authentication.

But my SQL connection is still showing Anonymous.
Is there somewhere else I need to check?

Thanks
Win 2003, SQL Server 2000
Nov 17 '05 #1
Share this Question
Share on Google+
9 Replies


P: n/a
Tom,

What do you mean when you say that your SQL connection is still showing
anonymous?

Jim Cheshire [MSFT]
Developer Support
ASP.NET
ja******@online.microsoft.com

This post is provided as-is with no warranties and confers no rights.

--------------------
From: "Tom B" <sh*****@NOSPAMhotmail.com>
Subject: Integrated Authentication.
Date: Thu, 16 Oct 2003 11:19:41 -0400
Lines: 12
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <#F**************@TK2MSFTNGP11.phx.gbl>
Newsgroups: microsoft.public.dotnet.framework.aspnet
NNTP-Posting-Host: 216.46.141.98
Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP11.phx.gbl
Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet:184652
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet

In my web.config file I've specified Windows for the authentication, in IIS
I've set it to Integrated Authentication.

But my SQL connection is still showing Anonymous.
Is there somewhere else I need to check?

Thanks
Win 2003, SQL Server 2000


Nov 17 '05 #2

P: n/a
Well, I catch the error and write out the Message, which is.....

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

and Profiler shows the same.
"Jim Cheshire [MSFT]" <ja******@online.microsoft.com> wrote in message
news:m2**************@cpmsftngxa06.phx.gbl...
Tom,

What do you mean when you say that your SQL connection is still showing
anonymous?

Jim Cheshire [MSFT]
Developer Support
ASP.NET
ja******@online.microsoft.com

This post is provided as-is with no warranties and confers no rights.

--------------------
From: "Tom B" <sh*****@NOSPAMhotmail.com>
Subject: Integrated Authentication.
Date: Thu, 16 Oct 2003 11:19:41 -0400
Lines: 12
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <#F**************@TK2MSFTNGP11.phx.gbl>
Newsgroups: microsoft.public.dotnet.framework.aspnet
NNTP-Posting-Host: 216.46.141.98
Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP11.phx.gbl
Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet:184652X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet

In my web.config file I've specified Windows for the authentication, in IISI've set it to Integrated Authentication.

But my SQL connection is still showing Anonymous.
Is there somewhere else I need to check?

Thanks
Win 2003, SQL Server 2000

Nov 17 '05 #3

P: n/a
Tom,

Are you using SQL Server authentication or Windows authentication against
SQL Server? Sounds like you are using Windows, and in that case, you
either need to give the ASP.NET process account access to the SQL Server
database, or you need to impersonate.

Jim Cheshire [MSFT]
Developer Support
ASP.NET
ja******@online.microsoft.com

This post is provided as-is with no warranties and confers no rights.
--------------------
From: "Tom B" <sh*****@NOSPAMhotmail.com>
References: <#F**************@TK2MSFTNGP11.phx.gbl> <m2**************@cpmsftngxa06.phx.gbl>Subject: Re: Integrated Authentication.
Date: Thu, 16 Oct 2003 16:00:47 -0400
Lines: 55
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <ut**************@TK2MSFTNGP10.phx.gbl>
Newsgroups: microsoft.public.dotnet.framework.aspnet
NNTP-Posting-Host: 216.46.141.98
Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP10.phx.gbl
Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet:184756
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet

Well, I catch the error and write out the Message, which is.....

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

and Profiler shows the same.
"Jim Cheshire [MSFT]" <ja******@online.microsoft.com> wrote in message
news:m2**************@cpmsftngxa06.phx.gbl...
Tom,

What do you mean when you say that your SQL connection is still showing
anonymous?

Jim Cheshire [MSFT]
Developer Support
ASP.NET
ja******@online.microsoft.com

This post is provided as-is with no warranties and confers no rights.

--------------------
>From: "Tom B" <sh*****@NOSPAMhotmail.com>
>Subject: Integrated Authentication.
>Date: Thu, 16 Oct 2003 11:19:41 -0400
>Lines: 12
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
>Message-ID: <#F**************@TK2MSFTNGP11.phx.gbl>
>Newsgroups: microsoft.public.dotnet.framework.aspnet
>NNTP-Posting-Host: 216.46.141.98
>Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP11.phx.gbl
>Xref: cpmsftngxa06.phx.gblmicrosoft.public.dotnet.framework.aspnet:184652 >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
>
>In my web.config file I've specified Windows for the authentication, inIIS >I've set it to Integrated Authentication.
>
>But my SQL connection is still showing Anonymous.
>Is there somewhere else I need to check?
>
>Thanks
>
>
>Win 2003, SQL Server 2000
>
>
>



Nov 17 '05 #4

P: n/a
Impersonate! That's what it is.

It's an intranet, and I'm trying to use Windows Authentication. The odd
thing, is it was working the other day, but when I added some stuff to one
of my classes it stopped working ?!?

So would you (or someone else) be able to sum up the steps required?
1. web.config set authentication to "Windows"
2. SQL Server - set authentication to Windows Only (not really required, I
guess)
3. SQL Server - set permissions for Domain Users
4. IIS Manager set authentication to Integrated Authentication
5. web.config set impersonate on???????????????????????? <-- That's the
part I'm not sure of.
"Jim Cheshire [MSFT]" <ja******@online.microsoft.com> wrote in message
news:7d**************@cpmsftngxa06.phx.gbl...
Tom,

Are you using SQL Server authentication or Windows authentication against
SQL Server? Sounds like you are using Windows, and in that case, you
either need to give the ASP.NET process account access to the SQL Server
database, or you need to impersonate.

Jim Cheshire [MSFT]
Developer Support
ASP.NET
ja******@online.microsoft.com

This post is provided as-is with no warranties and confers no rights.
--------------------
From: "Tom B" <sh*****@NOSPAMhotmail.com>
References: <#F**************@TK2MSFTNGP11.phx.gbl>

<m2**************@cpmsftngxa06.phx.gbl>
Subject: Re: Integrated Authentication.
Date: Thu, 16 Oct 2003 16:00:47 -0400
Lines: 55
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <ut**************@TK2MSFTNGP10.phx.gbl>
Newsgroups: microsoft.public.dotnet.framework.aspnet
NNTP-Posting-Host: 216.46.141.98
Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP10.phx.gbl
Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet:184756X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet

Well, I catch the error and write out the Message, which is.....

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

and Profiler shows the same.
"Jim Cheshire [MSFT]" <ja******@online.microsoft.com> wrote in message
news:m2**************@cpmsftngxa06.phx.gbl...
Tom,

What do you mean when you say that your SQL connection is still showing
anonymous?

Jim Cheshire [MSFT]
Developer Support
ASP.NET
ja******@online.microsoft.com

This post is provided as-is with no warranties and confers no rights.

--------------------
>From: "Tom B" <sh*****@NOSPAMhotmail.com>
>Subject: Integrated Authentication.
>Date: Thu, 16 Oct 2003 11:19:41 -0400
>Lines: 12
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
>Message-ID: <#F**************@TK2MSFTNGP11.phx.gbl>
>Newsgroups: microsoft.public.dotnet.framework.aspnet
>NNTP-Posting-Host: 216.46.141.98
>Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP11.phx.gbl
>Xref: cpmsftngxa06.phx.gbl

microsoft.public.dotnet.framework.aspnet:184652
>X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
>
>In my web.config file I've specified Windows for the authentication,
inIIS
>I've set it to Integrated Authentication.
>
>But my SQL connection is still showing Anonymous.
>Is there somewhere else I need to check?
>
>Thanks
>
>
>Win 2003, SQL Server 2000
>
>
>


Nov 17 '05 #5

P: n/a
Tom,

It can get kind of confusing. Here's more information.

First off, concerning the steps you provided, using Windows authentication
against SQL Server is fine as long as you avoid any delegation of
credentials issues. If SQL Server is on the same box as the Web server, it
will work fine. If you move SQL Server to another box, it will fail
because your credentials will be delegated. Just keep that in mind. If
you move SQL Server, you can still use Windows authentication against it,
but you will need to use delegation and Kerberos authentication.

If you have anonymous enabled in IIS, if you are NOT impersonating, the
application will run under the ASPNET account. If you turn on
impersonation but don't specify a username and password, the application
will run under the anonymous account (IUSR by default). If you specify a
username and password, obviously the application will run under that user.

If you do NOT have anonymous enabled in IIS and you are NOT impersonating,
the application will run under ASPNET. If you do have impersonation
enabled, it will run under the person who is logged into the machine.

One more thing. Above when I say "the application will run under...",
that's really a little misleading. What this really means is that the
WindowsIdentity will refer to the user specified above.

Hope all of that makes some sense.

Jim Cheshire [MSFT]
Developer Support
ASP.NET
ja******@online.microsoft.com

This post is provided as-is with no warranties and confers no rights.

--------------------
From: "Tom B" <sh*****@NOSPAMhotmail.com>
References: <#F**************@TK2MSFTNGP11.phx.gbl> <m2**************@cpmsftngxa06.phx.gbl>
<ut**************@TK2MSFTNGP10.phx.gbl>
<7d**************@cpmsftngxa06.phx.gbl>Subject: Re: Integrated Authentication.
Date: Fri, 17 Oct 2003 08:23:22 -0400
Lines: 114
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <ub**************@TK2MSFTNGP12.phx.gbl>
Newsgroups: microsoft.public.dotnet.framework.aspnet
NNTP-Posting-Host: 216.46.141.98
Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP12.phx.gbl
Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet:184889
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet

Impersonate! That's what it is.

It's an intranet, and I'm trying to use Windows Authentication. The odd
thing, is it was working the other day, but when I added some stuff to one
of my classes it stopped working ?!?

So would you (or someone else) be able to sum up the steps required?
1. web.config set authentication to "Windows"
2. SQL Server - set authentication to Windows Only (not really required, I
guess)
3. SQL Server - set permissions for Domain Users
4. IIS Manager set authentication to Integrated Authentication
5. web.config set impersonate on???????????????????????? <-- That's the
part I'm not sure of.
"Jim Cheshire [MSFT]" <ja******@online.microsoft.com> wrote in message
news:7d**************@cpmsftngxa06.phx.gbl...
Tom,

Are you using SQL Server authentication or Windows authentication against
SQL Server? Sounds like you are using Windows, and in that case, you
either need to give the ASP.NET process account access to the SQL Server
database, or you need to impersonate.

Jim Cheshire [MSFT]
Developer Support
ASP.NET
ja******@online.microsoft.com

This post is provided as-is with no warranties and confers no rights.
--------------------
>From: "Tom B" <sh*****@NOSPAMhotmail.com>
>References: <#F**************@TK2MSFTNGP11.phx.gbl>

<m2**************@cpmsftngxa06.phx.gbl>
>Subject: Re: Integrated Authentication.
>Date: Thu, 16 Oct 2003 16:00:47 -0400
>Lines: 55
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
>Message-ID: <ut**************@TK2MSFTNGP10.phx.gbl>
>Newsgroups: microsoft.public.dotnet.framework.aspnet
>NNTP-Posting-Host: 216.46.141.98
>Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP10.phx.gbl
>Xref: cpmsftngxa06.phx.gblmicrosoft.public.dotnet.framework.aspnet:184756 >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
>
>Well, I catch the error and write out the Message, which is.....
>
>Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
>
>and Profiler shows the same.
>
>
>"Jim Cheshire [MSFT]" <ja******@online.microsoft.com> wrote in message
>news:m2**************@cpmsftngxa06.phx.gbl...
>> Tom,
>>
>> What do you mean when you say that your SQL connection is still showing >> anonymous?
>>
>> Jim Cheshire [MSFT]
>> Developer Support
>> ASP.NET
>> ja******@online.microsoft.com
>>
>> This post is provided as-is with no warranties and confers no rights.
>>
>> --------------------
>> >From: "Tom B" <sh*****@NOSPAMhotmail.com>
>> >Subject: Integrated Authentication.
>> >Date: Thu, 16 Oct 2003 11:19:41 -0400
>> >Lines: 12
>> >X-Priority: 3
>> >X-MSMail-Priority: Normal
>> >X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
>> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
>> >Message-ID: <#F**************@TK2MSFTNGP11.phx.gbl>
>> >Newsgroups: microsoft.public.dotnet.framework.aspnet
>> >NNTP-Posting-Host: 216.46.141.98
>> >Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP11.phx.gbl
>> >Xref: cpmsftngxa06.phx.gbl
>microsoft.public.dotnet.framework.aspnet:184652
>> >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
>> >
>> >In my web.config file I've specified Windows for the authentication,in >IIS
>> >I've set it to Integrated Authentication.
>> >
>> >But my SQL connection is still showing Anonymous.
>> >Is there somewhere else I need to check?
>> >
>> >Thanks
>> >
>> >
>> >Win 2003, SQL Server 2000
>> >
>> >
>> >
>>
>
>
>



Nov 17 '05 #6

P: n/a
OK, so in my scenario.....
machineA is W2K3 IIS machine
machineB is SQL

I want to use Windows authentication.... So I need to set up delegation and
Kerberos authentication, correct?

Man, I think it was easier when I just used sa and a blank password ;)

The other option, is to just set up a user account, and impersonate that
account, right?

Your last paragraph--"it will run under the person who is logged into the
machine"--I assume you mean in the IIS/SQL on the same machine scenario.


"Jim Cheshire [MSFT]" <ja******@online.microsoft.com> wrote in message
news:MB*************@cpmsftngxa06.phx.gbl...
Tom,

It can get kind of confusing. Here's more information.

First off, concerning the steps you provided, using Windows authentication
against SQL Server is fine as long as you avoid any delegation of
credentials issues. If SQL Server is on the same box as the Web server, it will work fine. If you move SQL Server to another box, it will fail
because your credentials will be delegated. Just keep that in mind. If
you move SQL Server, you can still use Windows authentication against it,
but you will need to use delegation and Kerberos authentication.

If you have anonymous enabled in IIS, if you are NOT impersonating, the
application will run under the ASPNET account. If you turn on
impersonation but don't specify a username and password, the application
will run under the anonymous account (IUSR by default). If you specify a
username and password, obviously the application will run under that user.

If you do NOT have anonymous enabled in IIS and you are NOT impersonating,
the application will run under ASPNET. If you do have impersonation
enabled, it will run under the person who is logged into the machine.

One more thing. Above when I say "the application will run under...",
that's really a little misleading. What this really means is that the
WindowsIdentity will refer to the user specified above.

Hope all of that makes some sense.

Jim Cheshire [MSFT]
Developer Support
ASP.NET
ja******@online.microsoft.com

This post is provided as-is with no warranties and confers no rights.

--------------------
From: "Tom B" <sh*****@NOSPAMhotmail.com>
References: <#F**************@TK2MSFTNGP11.phx.gbl>

<m2**************@cpmsftngxa06.phx.gbl>
<ut**************@TK2MSFTNGP10.phx.gbl>
<7d**************@cpmsftngxa06.phx.gbl>
Subject: Re: Integrated Authentication.
Date: Fri, 17 Oct 2003 08:23:22 -0400
Lines: 114
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <ub**************@TK2MSFTNGP12.phx.gbl>
Newsgroups: microsoft.public.dotnet.framework.aspnet
NNTP-Posting-Host: 216.46.141.98
Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP12.phx.gbl
Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet:184889
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet

Impersonate! That's what it is.

It's an intranet, and I'm trying to use Windows Authentication. The odd
thing, is it was working the other day, but when I added some stuff to oneof my classes it stopped working ?!?

So would you (or someone else) be able to sum up the steps required?
1. web.config set authentication to "Windows"
2. SQL Server - set authentication to Windows Only (not really required, Iguess)
3. SQL Server - set permissions for Domain Users
4. IIS Manager set authentication to Integrated Authentication
5. web.config set impersonate on???????????????????????? <-- That's the
part I'm not sure of.
"Jim Cheshire [MSFT]" <ja******@online.microsoft.com> wrote in message
news:7d**************@cpmsftngxa06.phx.gbl...
Tom,

Are you using SQL Server authentication or Windows authentication against SQL Server? Sounds like you are using Windows, and in that case, you
either need to give the ASP.NET process account access to the SQL Server database, or you need to impersonate.

Jim Cheshire [MSFT]
Developer Support
ASP.NET
ja******@online.microsoft.com

This post is provided as-is with no warranties and confers no rights.
--------------------
>From: "Tom B" <sh*****@NOSPAMhotmail.com>
>References: <#F**************@TK2MSFTNGP11.phx.gbl>
<m2**************@cpmsftngxa06.phx.gbl>
>Subject: Re: Integrated Authentication.
>Date: Thu, 16 Oct 2003 16:00:47 -0400
>Lines: 55
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
>Message-ID: <ut**************@TK2MSFTNGP10.phx.gbl>
>Newsgroups: microsoft.public.dotnet.framework.aspnet
>NNTP-Posting-Host: 216.46.141.98
>Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP10.phx.gbl
>Xref: cpmsftngxa06.phx.gbl

microsoft.public.dotnet.framework.aspnet:184756
>X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
>
>Well, I catch the error and write out the Message, which is.....
>
>Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
>
>and Profiler shows the same.
>
>
>"Jim Cheshire [MSFT]" <ja******@online.microsoft.com> wrote in message
>news:m2**************@cpmsftngxa06.phx.gbl...
>> Tom,
>>
>> What do you mean when you say that your SQL connection is still showing >> anonymous?
>>
>> Jim Cheshire [MSFT]
>> Developer Support
>> ASP.NET
>> ja******@online.microsoft.com
>>
>> This post is provided as-is with no warranties and confers no rights. >>
>> --------------------
>> >From: "Tom B" <sh*****@NOSPAMhotmail.com>
>> >Subject: Integrated Authentication.
>> >Date: Thu, 16 Oct 2003 11:19:41 -0400
>> >Lines: 12
>> >X-Priority: 3
>> >X-MSMail-Priority: Normal
>> >X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
>> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
>> >Message-ID: <#F**************@TK2MSFTNGP11.phx.gbl>
>> >Newsgroups: microsoft.public.dotnet.framework.aspnet
>> >NNTP-Posting-Host: 216.46.141.98
>> >Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP11.phx.gbl >> >Xref: cpmsftngxa06.phx.gbl
>microsoft.public.dotnet.framework.aspnet:184652
>> >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
>> >
>> >In my web.config file I've specified Windows for the

authentication,in
>IIS
>> >I've set it to Integrated Authentication.
>> >
>> >But my SQL connection is still showing Anonymous.
>> >Is there somewhere else I need to check?
>> >
>> >Thanks
>> >
>> >
>> >Win 2003, SQL Server 2000
>> >
>> >
>> >
>>
>
>
>


Nov 17 '05 #7

P: n/a
OK, I found this
http://msdn.microsoft.com/library/en...asp?frame=true

I think that should do it.

Thank you so much for your help.

Tom B
"Jim Cheshire [MSFT]" <ja******@online.microsoft.com> wrote in message
news:MB*************@cpmsftngxa06.phx.gbl...
Tom,

It can get kind of confusing. Here's more information.

First off, concerning the steps you provided, using Windows authentication
against SQL Server is fine as long as you avoid any delegation of
credentials issues. If SQL Server is on the same box as the Web server, it will work fine. If you move SQL Server to another box, it will fail
because your credentials will be delegated. Just keep that in mind. If
you move SQL Server, you can still use Windows authentication against it,
but you will need to use delegation and Kerberos authentication.

If you have anonymous enabled in IIS, if you are NOT impersonating, the
application will run under the ASPNET account. If you turn on
impersonation but don't specify a username and password, the application
will run under the anonymous account (IUSR by default). If you specify a
username and password, obviously the application will run under that user.

If you do NOT have anonymous enabled in IIS and you are NOT impersonating,
the application will run under ASPNET. If you do have impersonation
enabled, it will run under the person who is logged into the machine.

One more thing. Above when I say "the application will run under...",
that's really a little misleading. What this really means is that the
WindowsIdentity will refer to the user specified above.

Hope all of that makes some sense.

Jim Cheshire [MSFT]
Developer Support
ASP.NET
ja******@online.microsoft.com

This post is provided as-is with no warranties and confers no rights.

--------------------
From: "Tom B" <sh*****@NOSPAMhotmail.com>
References: <#F**************@TK2MSFTNGP11.phx.gbl>

<m2**************@cpmsftngxa06.phx.gbl>
<ut**************@TK2MSFTNGP10.phx.gbl>
<7d**************@cpmsftngxa06.phx.gbl>
Subject: Re: Integrated Authentication.
Date: Fri, 17 Oct 2003 08:23:22 -0400
Lines: 114
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <ub**************@TK2MSFTNGP12.phx.gbl>
Newsgroups: microsoft.public.dotnet.framework.aspnet
NNTP-Posting-Host: 216.46.141.98
Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP12.phx.gbl
Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet:184889
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet

Impersonate! That's what it is.

It's an intranet, and I'm trying to use Windows Authentication. The odd
thing, is it was working the other day, but when I added some stuff to oneof my classes it stopped working ?!?

So would you (or someone else) be able to sum up the steps required?
1. web.config set authentication to "Windows"
2. SQL Server - set authentication to Windows Only (not really required, Iguess)
3. SQL Server - set permissions for Domain Users
4. IIS Manager set authentication to Integrated Authentication
5. web.config set impersonate on???????????????????????? <-- That's the
part I'm not sure of.
"Jim Cheshire [MSFT]" <ja******@online.microsoft.com> wrote in message
news:7d**************@cpmsftngxa06.phx.gbl...
Tom,

Are you using SQL Server authentication or Windows authentication against SQL Server? Sounds like you are using Windows, and in that case, you
either need to give the ASP.NET process account access to the SQL Server database, or you need to impersonate.

Jim Cheshire [MSFT]
Developer Support
ASP.NET
ja******@online.microsoft.com

This post is provided as-is with no warranties and confers no rights.
--------------------
>From: "Tom B" <sh*****@NOSPAMhotmail.com>
>References: <#F**************@TK2MSFTNGP11.phx.gbl>
<m2**************@cpmsftngxa06.phx.gbl>
>Subject: Re: Integrated Authentication.
>Date: Thu, 16 Oct 2003 16:00:47 -0400
>Lines: 55
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
>Message-ID: <ut**************@TK2MSFTNGP10.phx.gbl>
>Newsgroups: microsoft.public.dotnet.framework.aspnet
>NNTP-Posting-Host: 216.46.141.98
>Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP10.phx.gbl
>Xref: cpmsftngxa06.phx.gbl

microsoft.public.dotnet.framework.aspnet:184756
>X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
>
>Well, I catch the error and write out the Message, which is.....
>
>Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
>
>and Profiler shows the same.
>
>
>"Jim Cheshire [MSFT]" <ja******@online.microsoft.com> wrote in message
>news:m2**************@cpmsftngxa06.phx.gbl...
>> Tom,
>>
>> What do you mean when you say that your SQL connection is still showing >> anonymous?
>>
>> Jim Cheshire [MSFT]
>> Developer Support
>> ASP.NET
>> ja******@online.microsoft.com
>>
>> This post is provided as-is with no warranties and confers no rights. >>
>> --------------------
>> >From: "Tom B" <sh*****@NOSPAMhotmail.com>
>> >Subject: Integrated Authentication.
>> >Date: Thu, 16 Oct 2003 11:19:41 -0400
>> >Lines: 12
>> >X-Priority: 3
>> >X-MSMail-Priority: Normal
>> >X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
>> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
>> >Message-ID: <#F**************@TK2MSFTNGP11.phx.gbl>
>> >Newsgroups: microsoft.public.dotnet.framework.aspnet
>> >NNTP-Posting-Host: 216.46.141.98
>> >Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP11.phx.gbl >> >Xref: cpmsftngxa06.phx.gbl
>microsoft.public.dotnet.framework.aspnet:184652
>> >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
>> >
>> >In my web.config file I've specified Windows for the

authentication,in
>IIS
>> >I've set it to Integrated Authentication.
>> >
>> >But my SQL connection is still showing Anonymous.
>> >Is there somewhere else I need to check?
>> >
>> >Thanks
>> >
>> >
>> >Win 2003, SQL Server 2000
>> >
>> >
>> >
>>
>
>
>


Nov 17 '05 #8

P: n/a
Actually, this ones better.
http://msdn.microsoft.com/library/en...asp?frame=true

"Jim Cheshire [MSFT]" <ja******@online.microsoft.com> wrote in message
news:MB*************@cpmsftngxa06.phx.gbl...
Tom,

It can get kind of confusing. Here's more information.

First off, concerning the steps you provided, using Windows authentication
against SQL Server is fine as long as you avoid any delegation of
credentials issues. If SQL Server is on the same box as the Web server, it will work fine. If you move SQL Server to another box, it will fail
because your credentials will be delegated. Just keep that in mind. If
you move SQL Server, you can still use Windows authentication against it,
but you will need to use delegation and Kerberos authentication.

If you have anonymous enabled in IIS, if you are NOT impersonating, the
application will run under the ASPNET account. If you turn on
impersonation but don't specify a username and password, the application
will run under the anonymous account (IUSR by default). If you specify a
username and password, obviously the application will run under that user.

If you do NOT have anonymous enabled in IIS and you are NOT impersonating,
the application will run under ASPNET. If you do have impersonation
enabled, it will run under the person who is logged into the machine.

One more thing. Above when I say "the application will run under...",
that's really a little misleading. What this really means is that the
WindowsIdentity will refer to the user specified above.

Hope all of that makes some sense.

Jim Cheshire [MSFT]
Developer Support
ASP.NET
ja******@online.microsoft.com

This post is provided as-is with no warranties and confers no rights.

--------------------
From: "Tom B" <sh*****@NOSPAMhotmail.com>
References: <#F**************@TK2MSFTNGP11.phx.gbl>

<m2**************@cpmsftngxa06.phx.gbl>
<ut**************@TK2MSFTNGP10.phx.gbl>
<7d**************@cpmsftngxa06.phx.gbl>
Subject: Re: Integrated Authentication.
Date: Fri, 17 Oct 2003 08:23:22 -0400
Lines: 114
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <ub**************@TK2MSFTNGP12.phx.gbl>
Newsgroups: microsoft.public.dotnet.framework.aspnet
NNTP-Posting-Host: 216.46.141.98
Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP12.phx.gbl
Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet:184889
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet

Impersonate! That's what it is.

It's an intranet, and I'm trying to use Windows Authentication. The odd
thing, is it was working the other day, but when I added some stuff to oneof my classes it stopped working ?!?

So would you (or someone else) be able to sum up the steps required?
1. web.config set authentication to "Windows"
2. SQL Server - set authentication to Windows Only (not really required, Iguess)
3. SQL Server - set permissions for Domain Users
4. IIS Manager set authentication to Integrated Authentication
5. web.config set impersonate on???????????????????????? <-- That's the
part I'm not sure of.
"Jim Cheshire [MSFT]" <ja******@online.microsoft.com> wrote in message
news:7d**************@cpmsftngxa06.phx.gbl...
Tom,

Are you using SQL Server authentication or Windows authentication against SQL Server? Sounds like you are using Windows, and in that case, you
either need to give the ASP.NET process account access to the SQL Server database, or you need to impersonate.

Jim Cheshire [MSFT]
Developer Support
ASP.NET
ja******@online.microsoft.com

This post is provided as-is with no warranties and confers no rights.
--------------------
>From: "Tom B" <sh*****@NOSPAMhotmail.com>
>References: <#F**************@TK2MSFTNGP11.phx.gbl>
<m2**************@cpmsftngxa06.phx.gbl>
>Subject: Re: Integrated Authentication.
>Date: Thu, 16 Oct 2003 16:00:47 -0400
>Lines: 55
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
>Message-ID: <ut**************@TK2MSFTNGP10.phx.gbl>
>Newsgroups: microsoft.public.dotnet.framework.aspnet
>NNTP-Posting-Host: 216.46.141.98
>Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP10.phx.gbl
>Xref: cpmsftngxa06.phx.gbl

microsoft.public.dotnet.framework.aspnet:184756
>X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
>
>Well, I catch the error and write out the Message, which is.....
>
>Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
>
>and Profiler shows the same.
>
>
>"Jim Cheshire [MSFT]" <ja******@online.microsoft.com> wrote in message
>news:m2**************@cpmsftngxa06.phx.gbl...
>> Tom,
>>
>> What do you mean when you say that your SQL connection is still showing >> anonymous?
>>
>> Jim Cheshire [MSFT]
>> Developer Support
>> ASP.NET
>> ja******@online.microsoft.com
>>
>> This post is provided as-is with no warranties and confers no rights. >>
>> --------------------
>> >From: "Tom B" <sh*****@NOSPAMhotmail.com>
>> >Subject: Integrated Authentication.
>> >Date: Thu, 16 Oct 2003 11:19:41 -0400
>> >Lines: 12
>> >X-Priority: 3
>> >X-MSMail-Priority: Normal
>> >X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
>> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
>> >Message-ID: <#F**************@TK2MSFTNGP11.phx.gbl>
>> >Newsgroups: microsoft.public.dotnet.framework.aspnet
>> >NNTP-Posting-Host: 216.46.141.98
>> >Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP11.phx.gbl >> >Xref: cpmsftngxa06.phx.gbl
>microsoft.public.dotnet.framework.aspnet:184652
>> >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
>> >
>> >In my web.config file I've specified Windows for the

authentication,in
>IIS
>> >I've set it to Integrated Authentication.
>> >
>> >But my SQL connection is still showing Anonymous.
>> >Is there somewhere else I need to check?
>> >
>> >Thanks
>> >
>> >
>> >Win 2003, SQL Server 2000
>> >
>> >
>> >
>>
>
>
>


Nov 17 '05 #9

P: n/a
Tom,

Inline.
I want to use Windows authentication.... So I need to set up delegation and
Kerberos authentication, correct?
Yes, but only if you are using Windows authentication in SQL Server.
The other option, is to just set up a user account, and impersonate that
account, right?
You can, but if you are using Windows authentication in SQL Server, you
will still need to use Kerberos or Basic authentication on the site or it
won't work.
Your last paragraph--"it will run under the person who is logged into the
machine"--I assume you mean in the IIS/SQL on the same machine scenario.
This is not related to whether or not SQL Server and IIS are on the same
box. If you enable impersonation and don't have anonymous access enabled,
it will work this way.

Jim Cheshire [MSFT]
Developer Support
ASP.NET
ja******@online.microsoft.com

This post is provided as-is with no warranties and confers no rights.

--------------------From: "Tom B" <sh*****@hotmail.com>
References: <#F**************@TK2MSFTNGP11.phx.gbl> <m2**************@cpmsftngxa06.phx.gbl>
<ut**************@TK2MSFTNGP10.phx.gbl>
<7d**************@cpmsftngxa06.phx.gbl>
<ub**************@TK2MSFTNGP12.phx.gbl>
<MB*************@cpmsftngxa06.phx.gbl>Subject: Re: Integrated Authentication.
Date: Fri, 17 Oct 2003 13:21:52 -0400
Lines: 203
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <uI**************@TK2MSFTNGP09.phx.gbl>
Newsgroups: microsoft.public.dotnet.framework.aspnet
NNTP-Posting-Host: 207.61.174.60
Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP09.phx.gbl
Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet:184981
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet

OK, so in my scenario.....
machineA is W2K3 IIS machine
machineB is SQL

I want to use Windows authentication.... So I need to set up delegation and
Kerberos authentication, correct?

Man, I think it was easier when I just used sa and a blank password ;)

The other option, is to just set up a user account, and impersonate that
account, right?

Your last paragraph--"it will run under the person who is logged into the
machine"--I assume you mean in the IIS/SQL on the same machine scenario.


"Jim Cheshire [MSFT]" <ja******@online.microsoft.com> wrote in message
news:MB*************@cpmsftngxa06.phx.gbl...
Tom,

It can get kind of confusing. Here's more information.

First off, concerning the steps you provided, using Windows authentication
against SQL Server is fine as long as you avoid any delegation of
credentials issues. If SQL Server is on the same box as the Web server,it
will work fine. If you move SQL Server to another box, it will fail
because your credentials will be delegated. Just keep that in mind. If
you move SQL Server, you can still use Windows authentication against it,
but you will need to use delegation and Kerberos authentication.

If you have anonymous enabled in IIS, if you are NOT impersonating, the
application will run under the ASPNET account. If you turn on
impersonation but don't specify a username and password, the application
will run under the anonymous account (IUSR by default). If you specify a
username and password, obviously the application will run under that user.
If you do NOT have anonymous enabled in IIS and you are NOT impersonating, the application will run under ASPNET. If you do have impersonation
enabled, it will run under the person who is logged into the machine.

One more thing. Above when I say "the application will run under...",
that's really a little misleading. What this really means is that the
WindowsIdentity will refer to the user specified above.

Hope all of that makes some sense.

Jim Cheshire [MSFT]
Developer Support
ASP.NET
ja******@online.microsoft.com

This post is provided as-is with no warranties and confers no rights.

--------------------
>From: "Tom B" <sh*****@NOSPAMhotmail.com>
>References: <#F**************@TK2MSFTNGP11.phx.gbl>

<m2**************@cpmsftngxa06.phx.gbl>
<ut**************@TK2MSFTNGP10.phx.gbl>
<7d**************@cpmsftngxa06.phx.gbl>
>Subject: Re: Integrated Authentication.
>Date: Fri, 17 Oct 2003 08:23:22 -0400
>Lines: 114
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
>Message-ID: <ub**************@TK2MSFTNGP12.phx.gbl>
>Newsgroups: microsoft.public.dotnet.framework.aspnet
>NNTP-Posting-Host: 216.46.141.98
>Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP12.phx.gbl
>Xref: cpmsftngxa06.phx.gbl

microsoft.public.dotnet.framework.aspnet:184889 >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
>
>Impersonate! That's what it is.
>
>It's an intranet, and I'm trying to use Windows Authentication. The odd
>thing, is it was working the other day, but when I added some stuff toone >of my classes it stopped working ?!?
>
>So would you (or someone else) be able to sum up the steps required?
>
>
>1. web.config set authentication to "Windows"
>2. SQL Server - set authentication to Windows Only (not really required,I
>guess)
>3. SQL Server - set permissions for Domain Users
>4. IIS Manager set authentication to Integrated Authentication
>5. web.config set impersonate on???????????????????????? <-- That's the
>part I'm not sure of.
>
>
>"Jim Cheshire [MSFT]" <ja******@online.microsoft.com> wrote in message
>news:7d**************@cpmsftngxa06.phx.gbl...
>> Tom,
>>
>> Are you using SQL Server authentication or Windows authenticationagainst >> SQL Server? Sounds like you are using Windows, and in that case, you
>> either need to give the ASP.NET process account access to the SQLServer >> database, or you need to impersonate.
>>
>> Jim Cheshire [MSFT]
>> Developer Support
>> ASP.NET
>> ja******@online.microsoft.com
>>
>> This post is provided as-is with no warranties and confers no rights.
>>
>>
>> --------------------
>> >From: "Tom B" <sh*****@NOSPAMhotmail.com>
>> >References: <#F**************@TK2MSFTNGP11.phx.gbl>
>> <m2**************@cpmsftngxa06.phx.gbl>
>> >Subject: Re: Integrated Authentication.
>> >Date: Thu, 16 Oct 2003 16:00:47 -0400
>> >Lines: 55
>> >X-Priority: 3
>> >X-MSMail-Priority: Normal
>> >X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
>> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
>> >Message-ID: <ut**************@TK2MSFTNGP10.phx.gbl>
>> >Newsgroups: microsoft.public.dotnet.framework.aspnet
>> >NNTP-Posting-Host: 216.46.141.98
>> >Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP10.phx.gbl
>> >Xref: cpmsftngxa06.phx.gbl
>microsoft.public.dotnet.framework.aspnet:184756
>> >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
>> >
>> >Well, I catch the error and write out the Message, which is.....
>> >
>> >Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
>> >
>> >and Profiler shows the same.
>> >
>> >
>> >"Jim Cheshire [MSFT]" <ja******@online.microsoft.com> wrote in
message >> >news:m2**************@cpmsftngxa06.phx.gbl...
>> >> Tom,
>> >>
>> >> What do you mean when you say that your SQL connection is still

showing
>> >> anonymous?
>> >>
>> >> Jim Cheshire [MSFT]
>> >> Developer Support
>> >> ASP.NET
>> >> ja******@online.microsoft.com
>> >>
>> >> This post is provided as-is with no warranties and confers no

rights. >> >>
>> >> --------------------
>> >> >From: "Tom B" <sh*****@NOSPAMhotmail.com>
>> >> >Subject: Integrated Authentication.
>> >> >Date: Thu, 16 Oct 2003 11:19:41 -0400
>> >> >Lines: 12
>> >> >X-Priority: 3
>> >> >X-MSMail-Priority: Normal
>> >> >X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
>> >> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
>> >> >Message-ID: <#F**************@TK2MSFTNGP11.phx.gbl>
>> >> >Newsgroups: microsoft.public.dotnet.framework.aspnet
>> >> >NNTP-Posting-Host: 216.46.141.98
>> >> >Path:cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFT NGP11.phx.gbl >> >> >Xref: cpmsftngxa06.phx.gbl
>> >microsoft.public.dotnet.framework.aspnet:184652
>> >> >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
>> >> >
>> >> >In my web.config file I've specified Windows for theauthentication, >in
>> >IIS
>> >> >I've set it to Integrated Authentication.
>> >> >
>> >> >But my SQL connection is still showing Anonymous.
>> >> >Is there somewhere else I need to check?
>> >> >
>> >> >Thanks
>> >> >
>> >> >
>> >> >Win 2003, SQL Server 2000
>> >> >
>> >> >
>> >> >
>> >>
>> >
>> >
>> >
>>
>
>
>



Nov 17 '05 #10

This discussion thread is closed

Replies have been disabled for this discussion.