Impersonation and Delegation with ASP.NET 2.0 on 2 Servers

Did you enable Integrated Authentication and disable Anonymous
authentication in IIS? Because when you set <authentication
mode="Windows"/it means ASP.Net does no authentication and uses IIS
to negotiate authentication, so you need to configure IIS to require
NTLM. Then, you need <identity impersonate="true"/for ASP.Net to use
the user token negotiated by IIS instead of stripping it off like it
does by default. Only by doing these two steps do you end up with a NT
user token to be able to begin the game of Delegation and Protocol
Transitioning with AD...

And to clarify what you are describing -- you have three separate
servers (one with SQL, one with IIS, one with AD), the web page is on
IIS, it is trying to access the SQL server, and getting that logon
failure when you access the web page from a machine on the same network
segment as IIS?
//David
http
Patrick wrote:

Hello

I have the following scenario
- SQL 2005 server (serversql)
- Windows 2003 with IIS (serveriis)
- Windows 2003 ADS (serverads)

I want to connect to an intranet application using NTML with impersonation
and delegation. so for this I made the following change in web.config
<identity impersonate="true"/>

<authentication mode="Windows"/>

Then in the Active Directory i did the following change:

Computers\serveriis -properties -delegation

- Trust this computer for delegation on these services. Any protocol. And
then I have added the www and w3svc services

But when connecting to the webpage, I always get this error:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

any idea what is wrong?

Thanks
Patrick

Hi David

i checked my settings again. And everything is as you described. But the
funny thing is, that it works now. Is it possible that ADS needs some time
to propagate the delegation of that server?

Regards
"David Wang" <w3*****@gmail.comschrieb im Newsbeitrag
news:11**********************@i42g2000cwa.googlegr oups.com...

Did you enable Integrated Authentication and disable Anonymous
authentication in IIS? Because when you set <authentication
mode="Windows"/it means ASP.Net does no authentication and uses IIS
to negotiate authentication, so you need to configure IIS to require
NTLM. Then, you need <identity impersonate="true"/for ASP.Net to use
the user token negotiated by IIS instead of stripping it off like it
does by default. Only by doing these two steps do you end up with a NT
user token to be able to begin the game of Delegation and Protocol
Transitioning with AD...

And to clarify what you are describing -- you have three separate
servers (one with SQL, one with IIS, one with AD), the web page is on
IIS, it is trying to access the SQL server, and getting that logon
failure when you access the web page from a machine on the same network
segment as IIS?
//David
http
Patrick wrote:

>Hello

I have the following scenario
- SQL 2005 server (serversql)
- Windows 2003 with IIS (serveriis)
- Windows 2003 ADS (serverads)

I want to connect to an intranet application using NTML with
impersonation
and delegation. so for this I made the following change in web.config
<identity impersonate="true"/>

<authentication mode="Windows"/>

Then in the Active Directory i did the following change:

Computers\serveriis -properties -delegation

- Trust this computer for delegation on these services. Any protocol. And
then I have added the www and w3svc services

But when connecting to the webpage, I always get this error:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

any idea what is wrong?

Thanks
Patrick

Glad it is working.

I don't work with AD a lot so I really cannot comment on why. I have
seen the propagation both be lightning fast (in minutes) and snail slow
(>24 hours).
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Patrick wrote:

Hi David

i checked my settings again. And everything is as you described. But the
funny thing is, that it works now. Is it possible that ADS needs some time
to propagate the delegation of that server?

Regards
"David Wang" <w3*****@gmail.comschrieb im Newsbeitrag
news:11**********************@i42g2000cwa.googlegr oups.com...

Did you enable Integrated Authentication and disable Anonymous
authentication in IIS? Because when you set <authentication
mode="Windows"/it means ASP.Net does no authentication and uses IIS
to negotiate authentication, so you need to configure IIS to require
NTLM. Then, you need <identity impersonate="true"/for ASP.Net to use
the user token negotiated by IIS instead of stripping it off like it
does by default. Only by doing these two steps do you end up with a NT
user token to be able to begin the game of Delegation and Protocol
Transitioning with AD...

And to clarify what you are describing -- you have three separate
servers (one with SQL, one with IIS, one with AD), the web page is on
IIS, it is trying to access the SQL server, and getting that logon
failure when you access the web page from a machine on the same network
segment as IIS?
//David
http
Patrick wrote:

Hello

I have the following scenario
- SQL 2005 server (serversql)
- Windows 2003 with IIS (serveriis)
- Windows 2003 ADS (serverads)

I want to connect to an intranet application using NTML with
impersonation
and delegation. so for this I made the following change in web.config
<identity impersonate="true"/>

<authentication mode="Windows"/>

Then in the Active Directory i did the following change:

Computers\serveriis -properties -delegation

- Trust this computer for delegation on these services. Any protocol. And
then I have added the www and w3svc services

But when connecting to the webpage, I always get this error:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

any idea what is wrong?

Thanks
Patrick