Hello,
I am having trouble using Integrated Windows Authentication between our
intranet server and our database server, both of which are on our local
domain.
Windows authentication works for our intranet server - my domain user
"DOM\nme" is correctly authenticated and authorized to view the ASP.NET page
on our intranet. The ASP.NET application uses impersonation (<identity
impersonate="true"> in Web.config).
Windows authentication also works for the SQL Server; when logged on to the
domain, I can start Query Analyzer and connect to the SQL Server using
Windows authentication. Permissions on the SQL Server are also correctly set
up.
However, problems arise when I want to connect to the SQL Server from the
ASP.NET page - I get the fairly common error message below:
Login failed for user '(null)'. Reason: Not associated with a trusted SQL
Server connection.
Although I do get a lot of hits when searching for this specific error, I
still can't seem to find the cause of the problem.
The connection string I'm using to connect to the SQL Server is:
"Server=DB;Integrated Security=SSPI;Database=IntranetDB".
When setting <identity impersonate="false">, I get the error message "Login
failed for user 'DOM\INTRANET$'." - DOM\INTRANET$ is the hostname of the
intranet server.
In the database server's event log, I can see two events (supplied below)
after trying to authenticate (unsuccessfully) from the ASP.NET application
to the SQL Server as "DOM\nme".
What do I need to do to let users use Windows authentication against the DB
server as well?
Regards,
Nils Magnus Englund
(event log entries follow...)
Date: 08.08.2005
Source: Security
Time: 15:14:55
Category: Logon/Logoff
Type: Success Audit
Event ID: 540
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DB
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x5CE408)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: INTRANET
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
Date: 08.08.2005
Source: Security
Time: 15:14:55
Category: Logon/Logoff
Type: Success Audit
Event ID: 538
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DB
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x5CE408)
Logon Type: 3
Do you have anonymous authentication disabled in IIS?
If so, do you have <authentication mode="Windows" /> set in your
web.config?
The easiest way is to turn off anonymous access for the Intranet site. This
will force authentication, usually through a login box (although the network
admins can alleviate this through policy).
--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA
***************************
Think Outside the Box!
***************************
"Stefan" <Cl*********@gmail.com> wrote in message
news:11**********************@g14g2000cwa.googlegroups.com...
> Do you have anonymous authentication disabled in IIS?
> If so, do you have <authentication mode="Windows" /> set in your web.config?
In reply to both Stefan and Gregory;
Anonymous authentication is disabled, and I have authentication mode
"Windows" set in Web.config.
Again, let me specify that the Windows authentication for the ASP.NET page
works, and the User.Identity part successfully retrieves the domain user.
It's the Windows authentication to the SQL Server from the ASP.NET page that
causes trouble.
Regards,
Nils Magnus Englund
Nils, have you given your database and table the ASPNET account permission?
Try doing that.
Patrick
Hi Patrick,
Since the database server isn't the same server as the ASP.NET server, and
since ASPNET is a local user, I cannot use that user to set permissions on
the database server. However, because of the identity impersonation, is the
application supposed to be connecting as ASPNET at all?
Regards,
Nils Magnus Englund
On Tue, 9 Aug 2005 08:21:08 +0200, "Nils Magnus Englund" <ni*****************@orkfin.no> wrote:
¤ Hi Patrick,
¤
¤ Since the database server isn't the same server as the ASP.NET server, and
¤ since ASPNET is a local user, I cannot use that user to set permissions on
¤ the database server. However, because of the identity impersonation, is the
¤ application supposed to be connecting as ASPNET at all?
¤
If your ASP.NET app is configured for Integrated Windows security, credentials cannot be delegated
by IIS to the remote database server w/o implementing Kerberos.
The reason for this is that NTLM authenticates credentials under IIS Integrated Windows security so
IIS never receives the credentials and cannot forward them for delegation.
Paul
~~~~
Microsoft MVP (Visual Basic)
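The failure Paul describes is visible in the database server's Security log: the Event 540 posted at the top of the thread shows the web server arriving as ANONYMOUS LOGON over NTLM. As an added example (not code from any poster in this thread), the Python below parses such records and flags that pattern; the sample log is constructed from the thread's field values plus one constructed Kerberos record, and the function names are hypothetical.

```python
import re

# Constructed sample: the Event 540 record from the thread in "Field: value"
# form, plus a constructed Kerberos logon for contrast (not from the thread).
SAMPLE_LOG = """\
Event ID: 540
User: NT AUTHORITY\\ANONYMOUS LOGON
Computer: DB
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: INTRANET

Event ID: 540
User: DOM\\nme
Computer: DB
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
"""

FIELD = re.compile(r"^([^:\n]+):[ \t]*(.*)$", re.MULTILINE)

def parse_events(text):
    """Split blank-line-separated records into dicts of field -> value."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        events.append({k.strip(): v.strip() for k, v in FIELD.findall(block)})
    return events

def find_failed_delegation(events, web_hosts):
    """Return network logons where a known web server arrived as anonymous
    over NTLM: the impersonated user's token was not delegated."""
    hosts = {h.upper() for h in web_hosts}
    hits = []
    for e in events:
        if (e.get("Event ID") == "540"
                and e.get("Logon Type") == "3"
                and e.get("Authentication Package", "").upper() == "NTLM"
                and e.get("User", "").upper().endswith("ANONYMOUS LOGON")
                and e.get("Workstation Name", "").upper() in hosts):
            hits.append(e)
    return hits

if __name__ == "__main__":
    for hit in find_failed_delegation(parse_events(SAMPLE_LOG), ["INTRANET"]):
        print(f"{hit['Computer']}: anonymous NTLM logon from "
              f"{hit['Workstation Name']} (user token not delegated)")
```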
> If your ASP.NET app is configured for Integrated Windows security, credentials cannot be delegated by IIS to the remote database server w/o implementing Kerberos.
> The reason for this is that NTLM authenticates credentials under IIS Integrated Windows security so IIS never receives the credentials and cannot forward them for delegation.
But why can't I use Kerberos authentication? Is there any way to force the
application to use Kerberos? The WindowsIdentity.AuthenticationType property
returns "Negotiate" - this should be "Kerberos", should it not?
Regards,
Nils Magnus Englund
On Tue, 16 Aug 2005 11:35:17 +0200, "Nils Magnus Englund" <ni*****************@orkfin.no> wrote:
¤ > If your ASP.NET app is configured for Integrated Windows security,
¤ > credentials cannot be delegated
¤ > by IIS to the remote database server w/o implementing Kerberos.
¤ >
¤ > The reason for this is that NTLM authenticates credentials under IIS
¤ > Integrated Windows security so
¤ > IIS never receives the credentials and cannot forward them for delegation.
¤
¤
¤ But why can't I use Kerberos authentication? Is there any way to force the
¤ application to use Kerberos? The WindowsIdentity.AuthenticationType property
¤ returns "Negotiate" - this should be "Kerberos", should it not?
¤
You can use Kerberos, but your environment must be configured for it. The following should help:
http://msdn.microsoft.com/library/de...delegation.asp
http://msdn.microsoft.com/library/de...SecNetHT05.asp
Paul
~~~~
Microsoft MVP (Visual Basic)