Hall of Fame

1. jason1178195,145
2. shalomc129,250
3. Ray_Pas...117,096
4. mplungjan116,827
5. selvol113,414
6. Kravimir94,693
7. abel69,732
8. HonorGod63,709
9. carrzkiss62,622
10. hielo58,750
11. cxr48,898
12. Graphixer42,457
13. caterham...41,520
14. gwkg40,844
15. b0lsc0tt39,960
16. kadaba36,600
17. gawai34,000
18. azadisaryev32,960
19. logudotcom32,695
20. renazonse32,110
21. Hube0229,932
22. ahoffmann29,220
23. x_com28,780
24. objects28,580
25. HainKurt27,325

1. rdivilbiss786,964
2. COBOLdi...505,389
3. jason1178456,983
4. b0lsc0tt449,778
5. OliWarner422,264
6. LeeKowal...375,305
7. amit_g363,377
8. shalomc330,749
9. PraxisWeb313,539
10. cheekycj284,037
11. hielo277,629
12. julianmatz266,426
13. mplungjan264,576
14. mrichmon256,287
15. humeniuk240,131
16. Roonaan226,890
17. webwoman204,862
18. mrcoffee...195,448
19. avidya185,643
20. Zyloch174,022
21. rsdn167,615
22. sajuks165,692
23. Ray_Pas...164,913
24. pinaldave161,935
25. callrs160,467

	[x] Posted via EE Mobile
	Search, ask, and monitor your questions on the go with EE Mobile. Visit Experts Exchange from your mobile device and never be out of touch again.

Question

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

7.8

ASP / Visual Basic / SQL Server Authentication

Asked by EdMacke in Miscellaneous Web Development, Microsoft Programming, E-Commerce Security

Tags: vb6, authentication, connection

I am tasked with converting our ASP app from SQL Server authentication to Windows Integrated authentication.

Currently, the app works like this:
- An .asp logon screen is presented (not asp .net, just asp)
- The user enters their SQL Server 2000 userid and password, and clicks OK
- An instance of a Visual Basic 6 ActiveX component is created, the user-entered userid and password are passed to a function within the ActiveX component.
- The ActiveX component creates an instance of ADODB.Connection, and uses the following connection string (broken apart for easier reading):
Provider=SQLOLEDB;
Initial Catalog=<dbname>;
data source=<servername>;
user id=<passed userid>;
password=<passed password>
- After the connection is established, a user security table is read, using the passed user-entered userid.

Everything works great.

Now, I am attempting to convert from a user-entered password to integerated security. The logon screen is gone, and the connection string's "user id" and "password" fields have been replaced in the ActiveX with integrated security (note the last 3 fields). The ASP page no longer passes uid and pwd to the VB function.

Provider=SQLOLEDB;
Initial Catalog=<dbname>;
data source=<servername>;
integrated security=sspi;
persist security info=false;
trusted_connection=yes

When I run this on my local machine, everything works great. I have already set up an MS SQL Server ID to match my network ID (e.g. DOMAIN\ed), and I can use the MS SQL Server Profiler app to see that, yes indeed, I am logged onto the database using integrated security.

The problem happens when I move the app to the test environment. Everything works as it did on my local machine, except for the userid (and password)... instead of using *MY* Windows userid and password, it is now using the *IIS* userid and password.

In other words, on my local machine, IIS is running under *MY* Windows ID, so that is the ID used for integrated security by the ActiveX app. When put into the test environment, IIS is running under a different domain\userid, and *THAT* is the ID used for integrated security.

What I want is, obviously, for the ActiveX component to use the *CLIENT* credentials instead of the *IIS SERVER* credentials.

From what I've already gathered on the Web, I cannot use the Windows NT Challenge / Response because it does not support "double-hop impersonations", leaving my only option as Kerberos-based integrated security (???).

Since the options available seem to very much depend on your version of software, here's my vitals:
Windows 2000 Professional Clients
IE 5.0+ browsers only
Classic ASP (no .net)
Home-grown Active X Components, created in VB6
ADO / OLE DB (SQLOLEDB)
MS SQL Server 2000
IIS 5

Remember, the .asp script is simply creating an VB6-created ActiveX object, it is the ActiveX object that's establishing the database connection to MS SQL Server.

And, BTW, the IIS server and the MS SQL Server are on different physical boxes, but same domain.

This seems like such a simple problem, but I haven't found anywhere on the web that has a solution.

500 points to the person who can solve this riddle!

View the Solution FREE for 30 Days

20091021-EE-VQP-81

ASP / Visual Basic / SQL Server Authentication

Asked by EdMacke in Miscellaneous Web Development, Microsoft Programming, E-Commerce Security

Tags: vb6, authentication, connection

About this solution