By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
449,153 Members | 1,031 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 449,153 IT Pros & Developers. It's quick & easy.

Impersonation and Delegation with ASP.NET 2.0 on 2 Servers

P: n/a
Hello

I have the following scenario
- SQL 2005 server (serversql)
- Windows 2003 with IIS (serveriis)
- Windows 2003 ADS (serverads)

I want to connect to an intranet application using NTML with impersonation
and delegation. so for this I made the following change in web.config
<identity impersonate="true"/>

<authentication mode="Windows"/>

Then in the Active Directory i did the following change:

Computers\serveriis -properties -delegation

- Trust this computer for delegation on these services. Any protocol. And
then I have added the www and w3svc services

But when connecting to the webpage, I always get this error:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

any idea what is wrong?

Thanks
Patrick
Nov 15 '06 #1
Share this Question
Share on Google+
3 Replies


P: n/a
Did you enable Integrated Authentication and disable Anonymous
authentication in IIS? Because when you set <authentication
mode="Windows"/it means ASP.Net does no authentication and uses IIS
to negotiate authentication, so you need to configure IIS to require
NTLM. Then, you need <identity impersonate="true"/for ASP.Net to use
the user token negotiated by IIS instead of stripping it off like it
does by default. Only by doing these two steps do you end up with a NT
user token to be able to begin the game of Delegation and Protocol
Transitioning with AD...

And to clarify what you are describing -- you have three separate
servers (one with SQL, one with IIS, one with AD), the web page is on
IIS, it is trying to access the SQL server, and getting that logon
failure when you access the web page from a machine on the same network
segment as IIS?
//David
http
Patrick wrote:
Hello

I have the following scenario
- SQL 2005 server (serversql)
- Windows 2003 with IIS (serveriis)
- Windows 2003 ADS (serverads)

I want to connect to an intranet application using NTML with impersonation
and delegation. so for this I made the following change in web.config
<identity impersonate="true"/>

<authentication mode="Windows"/>

Then in the Active Directory i did the following change:

Computers\serveriis -properties -delegation

- Trust this computer for delegation on these services. Any protocol. And
then I have added the www and w3svc services

But when connecting to the webpage, I always get this error:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

any idea what is wrong?

Thanks
Patrick
Nov 15 '06 #2

P: n/a
Hi David

i checked my settings again. And everything is as you described. But the
funny thing is, that it works now. Is it possible that ADS needs some time
to propagate the delegation of that server?

Regards
"David Wang" <w3*****@gmail.comschrieb im Newsbeitrag
news:11**********************@i42g2000cwa.googlegr oups.com...
Did you enable Integrated Authentication and disable Anonymous
authentication in IIS? Because when you set <authentication
mode="Windows"/it means ASP.Net does no authentication and uses IIS
to negotiate authentication, so you need to configure IIS to require
NTLM. Then, you need <identity impersonate="true"/for ASP.Net to use
the user token negotiated by IIS instead of stripping it off like it
does by default. Only by doing these two steps do you end up with a NT
user token to be able to begin the game of Delegation and Protocol
Transitioning with AD...

And to clarify what you are describing -- you have three separate
servers (one with SQL, one with IIS, one with AD), the web page is on
IIS, it is trying to access the SQL server, and getting that logon
failure when you access the web page from a machine on the same network
segment as IIS?
//David
http
Patrick wrote:
>Hello

I have the following scenario
- SQL 2005 server (serversql)
- Windows 2003 with IIS (serveriis)
- Windows 2003 ADS (serverads)

I want to connect to an intranet application using NTML with
impersonation
and delegation. so for this I made the following change in web.config
<identity impersonate="true"/>

<authentication mode="Windows"/>

Then in the Active Directory i did the following change:

Computers\serveriis -properties -delegation

- Trust this computer for delegation on these services. Any protocol. And
then I have added the www and w3svc services

But when connecting to the webpage, I always get this error:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

any idea what is wrong?

Thanks
Patrick

Nov 15 '06 #3

P: n/a
Glad it is working.

I don't work with AD a lot so I really cannot comment on why. I have
seen the propagation both be lightning fast (in minutes) and snail slow
(>24 hours).
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Patrick wrote:
Hi David

i checked my settings again. And everything is as you described. But the
funny thing is, that it works now. Is it possible that ADS needs some time
to propagate the delegation of that server?

Regards
"David Wang" <w3*****@gmail.comschrieb im Newsbeitrag
news:11**********************@i42g2000cwa.googlegr oups.com...
Did you enable Integrated Authentication and disable Anonymous
authentication in IIS? Because when you set <authentication
mode="Windows"/it means ASP.Net does no authentication and uses IIS
to negotiate authentication, so you need to configure IIS to require
NTLM. Then, you need <identity impersonate="true"/for ASP.Net to use
the user token negotiated by IIS instead of stripping it off like it
does by default. Only by doing these two steps do you end up with a NT
user token to be able to begin the game of Delegation and Protocol
Transitioning with AD...

And to clarify what you are describing -- you have three separate
servers (one with SQL, one with IIS, one with AD), the web page is on
IIS, it is trying to access the SQL server, and getting that logon
failure when you access the web page from a machine on the same network
segment as IIS?
//David
http
Patrick wrote:
Hello

I have the following scenario
- SQL 2005 server (serversql)
- Windows 2003 with IIS (serveriis)
- Windows 2003 ADS (serverads)

I want to connect to an intranet application using NTML with
impersonation
and delegation. so for this I made the following change in web.config
<identity impersonate="true"/>

<authentication mode="Windows"/>

Then in the Active Directory i did the following change:

Computers\serveriis -properties -delegation

- Trust this computer for delegation on these services. Any protocol. And
then I have added the www and w3svc services

But when connecting to the webpage, I always get this error:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

any idea what is wrong?

Thanks
Patrick
Nov 16 '06 #4

This discussion thread is closed

Replies have been disabled for this discussion.