
ASP.NET Integrated Authentication

I'm developing a web application for our local intranet that will allow users
to pull up a webpage and update, delete, or insert records into a database
as well as run reports etc...

Our DB server is on a Win2k3 OS using SQL Server 2000
Our Web server is on a separate Win2kr OS using IIS 6
Both the servers and the clients are part of the same domain.

We've turned anonymous access off on the web and are passing the integrated
authentication from the client's machine (through their domain login). The
user has been granted all the correct permission to the database server and
the database that will be updated. However it seems like the authentication
is being passed to the web server and then the web server is passing a
different set of authentication on to the database server? The
authentication it is passing on to the database server is DOMAIN\MACHINENAME$.

If we add that machine name to the SQL Server as having permission to do the
update/delete/select we can get the app to work just fine. However, what we
want to do is to pass the client's authentication on to the database server...
not the web server’s authentication.

Any help I could get would be much appreciated..... this is driving me nuts
and seems like a pretty common practice (having the db and the web on two
separate machines).

Thanks in advance.
Josh

Jul 21 '05 #1
What logon information are you putting in your connection string to connect
to the database?

"tcg_gilbert" <tc********@discussions.microsoft.com> wrote in message
news:3D**********************************@microsoft.com...
> I'm developing a web application for our local intranet that will allow users
> to pull up a webpage and update, delete, or insert records into a database
> as well as run reports etc...
>
> Our DB server is on a Win2k3 OS using SQL Server 2000
> Our Web server is on a separate Win2kr OS using IIS 6
> Both the servers and the clients are part of the same domain.
>
> We've turned anonymous access off on the web and are passing the integrated
> authentication from the client's machine (through their domain login). The
> user has been granted all the correct permission to the database server and
> the database that will be updated. However it seems like the authentication
> is being passed to the web server and then the web server is passing a
> different set of authentication on to the database server? The
> authentication it is passing on to the database server is DOMAIN\MACHINENAME$.
>
> If we add that machine name to the SQL Server as having permission to do the
> update/delete/select we can get the app to work just fine. However, what we
> want to do is to pass the client's authentication on to the database server...
> not the web server's authentication.
>
> Any help I could get would be much appreciated..... this is driving me nuts
> and seems like a pretty common practice (having the db and the web on two
> separate machines).
>
> Thanks in advance.
> Josh

Jul 21 '05 #2
Here's the connection string:

server=SERVER001.dom.corp.azs.com;initial catalog = 2dbmn;Integrated Security = SSPI; database=2dbmn;

"Brendan Green" wrote:
> What logon information are you putting in your connection string to connect
> to the database?
>
> "tcg_gilbert" <tc********@discussions.microsoft.com> wrote in message
> news:3D**********************************@microsoft.com...
>> I'm developing a web application for our local intranet that will allow users
>> to pull up a webpage and update, delete, or insert records into a database
>> as well as run reports etc...
>>
>> Our DB server is on a Win2k3 OS using SQL Server 2000
>> Our Web server is on a separate Win2kr OS using IIS 6
>> Both the servers and the clients are part of the same domain.
>>
>> We've turned anonymous access off on the web and are passing the integrated
>> authentication from the client's machine (through their domain login). The
>> user has been granted all the correct permission to the database server and
>> the database that will be updated. However it seems like the authentication
>> is being passed to the web server and then the web server is passing a
>> different set of authentication on to the database server? The
>> authentication it is passing on to the database server is DOMAIN\MACHINENAME$.
>>
>> If we add that machine name to the SQL Server as having permission to do the
>> update/delete/select we can get the app to work just fine. However, what we
>> want to do is to pass the client's authentication on to the database server...
>> not the web server's authentication.
>>
>> Any help I could get would be much appreciated..... this is driving me nuts
>> and seems like a pretty common practice (having the db and the web on two
>> separate machines).
>>
>> Thanks in advance.
>> Josh


Jul 21 '05 #4
So, you're probably connecting to the database as the user that runs the
ASP.NET worker process.

You probably need to turn on impersonation in the web.config file to "pass
through" the credentials.

Add this to your web.config file:

<identity impersonate="true"/>
<authentication mode="Windows"/>

Let us know how you go.

"tcg_gilbert" <tc********@discussions.microsoft.com> wrote in message
news:8C**********************************@microsoft.com...
> Here's the connection string:
>
> server=SERVER001.dom.corp.azs.com;initial catalog = 2dbmn;Integrated Security = SSPI; database=2dbmn;
>
> "Brendan Green" wrote:
>> What logon information are you putting in your connection string to connect
>> to the database?
>>
>> "tcg_gilbert" <tc********@discussions.microsoft.com> wrote in message
>> news:3D**********************************@microsoft.com...
>>> I'm developing a web application for our local intranet that will allow users
>>> to pull up a webpage and update, delete, or insert records into a database
>>> as well as run reports etc...
>>>
>>> Our DB server is on a Win2k3 OS using SQL Server 2000
>>> Our Web server is on a separate Win2kr OS using IIS 6
>>> Both the servers and the clients are part of the same domain.
>>>
>>> We've turned anonymous access off on the web and are passing the integrated
>>> authentication from the client's machine (through their domain login). The
>>> user has been granted all the correct permission to the database server and
>>> the database that will be updated. However it seems like the authentication
>>> is being passed to the web server and then the web server is passing a
>>> different set of authentication on to the database server? The
>>> authentication it is passing on to the database server is DOMAIN\MACHINENAME$.
>>>
>>> If we add that machine name to the SQL Server as having permission to do the
>>> update/delete/select we can get the app to work just fine. However, what we
>>> want to do is to pass the client's authentication on to the database server...
>>> not the web server's authentication.
>>>
>>> Any help I could get would be much appreciated..... this is driving me nuts
>>> and seems like a pretty common practice (having the db and the web on two
>>> separate machines).
>>>
>>> Thanks in advance.
>>> Josh


Jul 21 '05 #6
It is a restriction of the NTLM authentication protocol - your users'
credentials cannot make a double hop across the network. The first hop is
from the user's workstation to your webserver. The second hop is to the
database. To implement this, you need to use Kerberos authentication.

There are some good articles on MSDN on security that will be able to
explain the situation, and your options, much better than I can.

HTH
Dan

"tcg_gilbert" wrote:
> I'm developing a web application for our local intranet that will allow users
> to pull up a webpage and update, delete, or insert records into a database
> as well as run reports etc...
>
> Our DB server is on a Win2k3 OS using SQL Server 2000
> Our Web server is on a separate Win2kr OS using IIS 6
> Both the servers and the clients are part of the same domain.
>
> We've turned anonymous access off on the web and are passing the integrated
> authentication from the client's machine (through their domain login). The
> user has been granted all the correct permission to the database server and
> the database that will be updated. However it seems like the authentication
> is being passed to the web server and then the web server is passing a
> different set of authentication on to the database server? The
> authentication it is passing on to the database server is DOMAIN\MACHINENAME$.
>
> If we add that machine name to the SQL Server as having permission to do the
> update/delete/select we can get the app to work just fine. However, what we
> want to do is to pass the client's authentication on to the database server...
> not the web server's authentication.
>
> Any help I could get would be much appreciated..... this is driving me nuts
> and seems like a pretty common practice (having the db and the web on two
> separate machines).
>
> Thanks in advance.
> Josh

Jul 21 '05 #8
Thanks a bunch for the help... unfortunately... after I do that I start
getting permission denied for user <NULL> error. After doing some more
research I think this issue is more around the comments that Dan Kelley had
posted below. Though I believe I am using Kerberos authentication (since I'm
on an active directory domain). I'll post what I find here on the site once I
figure it out. Thanks again... and if you have any additional thoughts
please let me know.
Josh

"Brendan Green" wrote:
> So, you're probably connecting to the database as the user that runs the
> ASP.NET worker process.
>
> You probably need to turn on impersonation in the web.config file to "pass
> through" the credentials.
>
> Add this to your web.config file:
>
> <identity impersonate="true"/>
> <authentication mode="Windows"/>
>
> Let us know how you go.
>
> "tcg_gilbert" <tc********@discussions.microsoft.com> wrote in message
> news:8C**********************************@microsoft.com...
>> Here's the connection string:
>>
>> server=SERVER001.dom.corp.azs.com;initial catalog = 2dbmn;Integrated Security = SSPI; database=2dbmn;
>>
>> "Brendan Green" wrote:
>>> What logon information are you putting in your connection string to connect
>>> to the database?
>>>
>>> "tcg_gilbert" <tc********@discussions.microsoft.com> wrote in message
>>> news:3D**********************************@microsoft.com...
>>>> I'm developing a web application for our local intranet that will allow users
>>>> to pull up a webpage and update, delete, or insert records into a database
>>>> as well as run reports etc...
>>>>
>>>> Our DB server is on a Win2k3 OS using SQL Server 2000
>>>> Our Web server is on a separate Win2kr OS using IIS 6
>>>> Both the servers and the clients are part of the same domain.
>>>>
>>>> We've turned anonymous access off on the web and are passing the integrated
>>>> authentication from the client's machine (through their domain login). The
>>>> user has been granted all the correct permission to the database server and
>>>> the database that will be updated. However it seems like the authentication
>>>> is being passed to the web server and then the web server is passing a
>>>> different set of authentication on to the database server? The
>>>> authentication it is passing on to the database server is DOMAIN\MACHINENAME$.
>>>>
>>>> If we add that machine name to the SQL Server as having permission to do the
>>>> update/delete/select we can get the app to work just fine. However, what we
>>>> want to do is to pass the client's authentication on to the database server...
>>>> not the web server's authentication.
>>>>
>>>> Any help I could get would be much appreciated..... this is driving me nuts
>>>> and seems like a pretty common practice (having the db and the web on two
>>>> separate machines).
>>>>
>>>> Thanks in advance.
>>>> Josh


Jul 21 '05 #9
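
One way to tell which of the outcomes reported in this thread applies (DOMAIN\MACHINENAME$, the <NULL> login, or the caller's own account), as an added example that was not posted by anyone in the thread. The class name HopDiagnostics and method Report are hypothetical; the code assumes .NET 2.0 or later, Windows authentication in IIS, and the Integrated Security connection string shown above.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Text;
using System.Web;

// Added diagnostic (hypothetical names). Call from a page on the web server
// while browsing from a client workstation, not from the server console.
public static class HopDiagnostics
{
    public static string Report(string connectionString)
    {
        StringBuilder sb = new StringBuilder();
        IIdentity caller = HttpContext.Current.User.Identity;   // who IIS authenticated
        WindowsIdentity thread = WindowsIdentity.GetCurrent();  // who the code runs as

        sb.AppendLine("IIS authenticated: " + caller.Name + " via " + caller.AuthenticationType);
        sb.AppendLine("Code runs as:      " + thread.Name + " (" + thread.ImpersonationLevel + ")");

        bool impersonating = string.Equals(caller.Name, thread.Name,
                                           StringComparison.OrdinalIgnoreCase);
        if (!impersonating)
            sb.AppendLine("No impersonation: outbound connections use the worker-process " +
                          "account; Network Service appears remotely as DOMAIN\\MACHINENAME$.");
        else if (thread.ImpersonationLevel == TokenImpersonationLevel.Delegation)
            sb.AppendLine("Delegable token: the caller's identity can reach SQL Server.");
        else
            sb.AppendLine("Token is usable on this machine only (NTLM, or Kerberos without " +
                          "delegation); the SQL hop arrives with no credentials.");

        try
        {
            // SUSER_SNAME() returns the login name SQL Server associated with this connection.
            using (SqlConnection conn = new SqlConnection(connectionString))
            using (SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
            {
                conn.Open();
                sb.AppendLine("SQL Server sees:   " + cmd.ExecuteScalar());
            }
        }
        catch (SqlException ex)
        {
            sb.AppendLine("SQL login failed:  " + ex.Message);
        }
        return sb.ToString();
    }
}
```

Render the result with HttpUtility.HtmlEncode on a page restricted to administrators, and remove the page once the setup is confirmed.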
