ACCESS AN ACCESS DATABASE FROM ASP.NET INTRANET SCENARIO

=?Utf-8?B?a21jY29za2V5?=

I'm trying to access an access database on the file server from a web server
using asp.net and IIS 6.0. I can do it when I have anonymous access enabled
in IIS 6.0 as in the public internet web site style. I want to do the same
with the intranet setup where IIS 6.0 is not setup to allow anonymous access.
The way the intranet works is the user authenticates to the IIS 6.0 web
server through group membership in an active directory domain. The user who
accesses a web page and tries to load information from a database is unable
to even when the user has access to the database through the user's domain
account. When anonymous access is enable in IIS 6.0 the IUSR account is used
to access the database and that works.

Apr 24 '07 #1

Ray Costanzo

Here's a link about impersonation in asp.net. I'd start there if it'll fit
your needs: http://msdn2.microsoft.com/en-us/lib...18(VS.71).aspx

When you use the integrated authentication, you, unfortunately, cannot
daisychain that authentication to another host in the domain. There is no
kerberos ticket created with integrated authentication (as opposed to basic
authentication, for example, which will prompt your users to enter
credentials), and that is why you can't access a remote server in your code
in spite of the users' having rights to access the share and everything.

Ray at work

"kmccoskey" <km*******@discussions.microsoft.comwrote in message
news:EF**********************************@microsof t.com...

I'm trying to access an access database on the file server from a web
server
using asp.net and IIS 6.0. I can do it when I have anonymous access
enabled
in IIS 6.0 as in the public internet web site style. I want to do the
same
with the intranet setup where IIS 6.0 is not setup to allow anonymous
access.
The way the intranet works is the user authenticates to the IIS 6.0 web
server through group membership in an active directory domain. The user
who
accesses a web page and tries to load information from a database is
unable
to even when the user has access to the database through the user's domain
account. When anonymous access is enable in IIS 6.0 the IUSR account is
used
to access the database and that works.

Apr 24 '07 #2

=?Utf-8?B?a21jY29za2V5?=

so iis never invokes an account for login to another host if anonymous access
isn't used. does that sound right. my guess is that you could do this if
you had sql server on the other host is that rght?

"Ray Costanzo" wrote:

Here's a link about impersonation in asp.net. I'd start there if it'll fit
your needs: http://msdn2.microsoft.com/en-us/lib...18(VS.71).aspx

When you use the integrated authentication, you, unfortunately, cannot
daisychain that authentication to another host in the domain. There is no
kerberos ticket created with integrated authentication (as opposed to basic
authentication, for example, which will prompt your users to enter
credentials), and that is why you can't access a remote server in your code
in spite of the users' having rights to access the share and everything.

Ray at work

"kmccoskey" <km*******@discussions.microsoft.comwrote in message
news:EF**********************************@microsof t.com...

I'm trying to access an access database on the file server from a web
server
using asp.net and IIS 6.0. I can do it when I have anonymous access
enabled
in IIS 6.0 as in the public internet web site style. I want to do the
same
with the intranet setup where IIS 6.0 is not setup to allow anonymous
access.
The way the intranet works is the user authenticates to the IIS 6.0 web
server through group membership in an active directory domain. The user
who
accesses a web page and tries to load information from a database is
unable
to even when the user has access to the database through the user's domain
account. When anonymous access is enable in IIS 6.0 the IUSR account is
used
to access the database and that works.

Apr 24 '07 #3

=?Utf-8?B?a21jY29za2V5?=

accessing the file server from the asp.net with integrated authentication
just doesn't work? Is this correct?

"Ray Costanzo" wrote:

Here's a link about impersonation in asp.net. I'd start there if it'll fit
your needs: http://msdn2.microsoft.com/en-us/lib...18(VS.71).aspx

When you use the integrated authentication, you, unfortunately, cannot
daisychain that authentication to another host in the domain. There is no
kerberos ticket created with integrated authentication (as opposed to basic
authentication, for example, which will prompt your users to enter
credentials), and that is why you can't access a remote server in your code
in spite of the users' having rights to access the share and everything.

Ray at work

"kmccoskey" <km*******@discussions.microsoft.comwrote in message
news:EF**********************************@microsof t.com...

I'm trying to access an access database on the file server from a web
server
using asp.net and IIS 6.0. I can do it when I have anonymous access
enabled
in IIS 6.0 as in the public internet web site style. I want to do the
same
with the intranet setup where IIS 6.0 is not setup to allow anonymous
access.
The way the intranet works is the user authenticates to the IIS 6.0 web
server through group membership in an active directory domain. The user
who
accesses a web page and tries to load information from a database is
unable
to even when the user has access to the database through the user's domain
account. When anonymous access is enable in IIS 6.0 the IUSR account is
used
to access the database and that works.

Apr 24 '07 #4

Ray Costanzo

I'm not sure internally what the other "host" sees when an authenticated
user tries to access it via the IIS server. I think that it still sees it
attempting to be the authenticated user and it makes a request for a
kerberos ticket, and since there is none, it denies access. But, this goes
beyond my scope of knowledge for sure!

Using SQL Server always comes with many benefits, but it's not always
realistic to use it.

You can try using the remote access driver for Access and see how that
goes...

"Provider=MS Remote; Remote Server=http://fileserverName; Remote
Provider=Microsoft.Jet.OLEDB.4.0; Data Source=C:\LocalPath\On\FileServer;"

It appears this would necessitate IIS being installed and running on the
remote server.

Ray at work


"kmccoskey" <km*******@discussions.microsoft.comwrote in message
news:6D**********************************@microsof t.com...

so iis never invokes an account for login to another host if anonymous
access
isn't used. does that sound right. my guess is that you could do this if
you had sql server on the other host is that rght?

"Ray Costanzo" wrote:

>Here's a link about impersonation in asp.net. I'd start there if it'll
fit
your needs:
http://msdn2.microsoft.com/en-us/lib...18(VS.71).aspx

When you use the integrated authentication, you, unfortunately, cannot
daisychain that authentication to another host in the domain. There is
no
kerberos ticket created with integrated authentication (as opposed to
basic
authentication, for example, which will prompt your users to enter
credentials), and that is why you can't access a remote server in your
code
in spite of the users' having rights to access the share and everything.

Ray at work

"kmccoskey" <km*******@discussions.microsoft.comwrote in message
news:EF**********************************@microso ft.com...

I'm trying to access an access database on the file server from a web
server
using asp.net and IIS 6.0. I can do it when I have anonymous access
enabled
in IIS 6.0 as in the public internet web site style. I want to do the
same
with the intranet setup where IIS 6.0 is not setup to allow anonymous
access.
The way the intranet works is the user authenticates to the IIS 6.0 web
server through group membership in an active directory domain. The
user
who
accesses a web page and tries to load information from a database is
unable
to even when the user has access to the database through the user's
domain
account. When anonymous access is enable in IIS 6.0 the IUSR account
is
used
to access the database and that works.

Apr 24 '07 #5

=?Utf-8?B?a21jY29za2V5?=

I wonder how microsoft proposes organization create intranet sites if you can
only have IIS access a remote host through anonymous authentication. I guess
that is a limitation.

"Ray Costanzo" wrote:

I'm not sure internally what the other "host" sees when an authenticated
user tries to access it via the IIS server. I think that it still sees it
attempting to be the authenticated user and it makes a request for a
kerberos ticket, and since there is none, it denies access. But, this goes
beyond my scope of knowledge for sure!

Using SQL Server always comes with many benefits, but it's not always
realistic to use it.

You can try using the remote access driver for Access and see how that
goes...

"Provider=MS Remote; Remote Server=http://fileserverName; Remote
Provider=Microsoft.Jet.OLEDB.4.0; Data Source=C:\LocalPath\On\FileServer;"

It appears this would necessitate IIS being installed and running on the
remote server.

Ray at work


"kmccoskey" <km*******@discussions.microsoft.comwrote in message
news:6D**********************************@microsof t.com...

so iis never invokes an account for login to another host if anonymous
access
isn't used. does that sound right. my guess is that you could do this if
you had sql server on the other host is that rght?

"Ray Costanzo" wrote:

Here's a link about impersonation in asp.net. I'd start there if it'll
fit
your needs:
http://msdn2.microsoft.com/en-us/lib...18(VS.71).aspx

When you use the integrated authentication, you, unfortunately, cannot
daisychain that authentication to another host in the domain. There is
no
kerberos ticket created with integrated authentication (as opposed to
basic
authentication, for example, which will prompt your users to enter
credentials), and that is why you can't access a remote server in your
code
in spite of the users' having rights to access the share and everything.

Ray at work

"kmccoskey" <km*******@discussions.microsoft.comwrote in message
news:EF**********************************@microsof t.com...
I'm trying to access an access database on the file server from a web
server
using asp.net and IIS 6.0. I can do it when I have anonymous access
enabled
in IIS 6.0 as in the public internet web site style. I want to do the
same
with the intranet setup where IIS 6.0 is not setup to allow anonymous
access.
The way the intranet works is the user authenticates to the IIS 6.0 web
server through group membership in an active directory domain. The
user
who
accesses a web page and tries to load information from a database is
unable
to even when the user has access to the database through the user's
domain
account. When anonymous access is enable in IIS 6.0 the IUSR account
is
used
to access the database and that works.

Apr 24 '07 #6

=?Utf-8?B?a21jY29za2V5?=

The article allow
(http://msdn2.microsoft.com/en-us/lib...39(VS.71).aspx) gave me a
hint and I was able to connect the the database on the remot host from the
asp.net. I set identity impersonate to false in the web.config file. I had
to assign the domain Authenticated Users group to the permissions to the
database in order for it to work. I don't want to do that because that means
anyone who authenticates to the domain has access to that database. I want a
little more control then that. Any ideas?

"Ray Costanzo" wrote:

I'm not sure internally what the other "host" sees when an authenticated
user tries to access it via the IIS server. I think that it still sees it
attempting to be the authenticated user and it makes a request for a
kerberos ticket, and since there is none, it denies access. But, this goes
beyond my scope of knowledge for sure!

Using SQL Server always comes with many benefits, but it's not always
realistic to use it.

You can try using the remote access driver for Access and see how that
goes...

"Provider=MS Remote; Remote Server=http://fileserverName; Remote
Provider=Microsoft.Jet.OLEDB.4.0; Data Source=C:\LocalPath\On\FileServer;"

It appears this would necessitate IIS being installed and running on the
remote server.

Ray at work


"kmccoskey" <km*******@discussions.microsoft.comwrote in message
news:6D**********************************@microsof t.com...

so iis never invokes an account for login to another host if anonymous
access
isn't used. does that sound right. my guess is that you could do this if
you had sql server on the other host is that rght?

"Ray Costanzo" wrote:

Here's a link about impersonation in asp.net. I'd start there if it'll
fit
your needs:
http://msdn2.microsoft.com/en-us/lib...18(VS.71).aspx

When you use the integrated authentication, you, unfortunately, cannot
daisychain that authentication to another host in the domain. There is
no
kerberos ticket created with integrated authentication (as opposed to
basic
authentication, for example, which will prompt your users to enter
credentials), and that is why you can't access a remote server in your
code
in spite of the users' having rights to access the share and everything.

Ray at work

"kmccoskey" <km*******@discussions.microsoft.comwrote in message
news:EF**********************************@microsof t.com...
I'm trying to access an access database on the file server from a web
server
using asp.net and IIS 6.0. I can do it when I have anonymous access
enabled
in IIS 6.0 as in the public internet web site style. I want to do the
same
with the intranet setup where IIS 6.0 is not setup to allow anonymous
access.
The way the intranet works is the user authenticates to the IIS 6.0 web
server through group membership in an active directory domain. The
user
who
accesses a web page and tries to load information from a database is
unable
to even when the user has access to the database through the user's
domain
account. When anonymous access is enable in IIS 6.0 the IUSR account
is
used
to access the database and that works.

Apr 24 '07 #7

=?Utf-8?B?a21jY29za2V5?=

Well Problem solved.

I got exectly what I wanted.

Here's how it worked

1) f:\contacts (folder with web app) has the following permissions setup
allow read and script access to a domain user or group and the local
iis_wpg group who is allowed access to the intranet page
a local asptest account added to the IIS_WPG group.
2) IIS not allowing anonymous
3) Application Pool running under a local account (asptest) and same local
account and password on file server

I was able to control the domain user account who desires access to the
website
and my local asptest account provides access to the database.
Finally.
"Ray Costanzo" wrote:

Here's a link about impersonation in asp.net. I'd start there if it'll fit
your needs: http://msdn2.microsoft.com/en-us/lib...18(VS.71).aspx

When you use the integrated authentication, you, unfortunately, cannot
daisychain that authentication to another host in the domain. There is no
kerberos ticket created with integrated authentication (as opposed to basic
authentication, for example, which will prompt your users to enter
credentials), and that is why you can't access a remote server in your code
in spite of the users' having rights to access the share and everything.

Ray at work

"kmccoskey" <km*******@discussions.microsoft.comwrote in message
news:EF**********************************@microsof t.com...

I'm trying to access an access database on the file server from a web
server
using asp.net and IIS 6.0. I can do it when I have anonymous access
enabled
in IIS 6.0 as in the public internet web site style. I want to do the
same
with the intranet setup where IIS 6.0 is not setup to allow anonymous
access.
The way the intranet works is the user authenticates to the IIS 6.0 web
server through group membership in an active directory domain. The user
who
accesses a web page and tries to load information from a database is
unable
to even when the user has access to the database through the user's domain
account. When anonymous access is enable in IIS 6.0 the IUSR account is
used
to access the database and that works.

Apr 30 '07 #8