Fraser_Admin
asked on
kerberos authentication asp.net 2.0
i want to have the credentials of my user account passed on to iis and then passed onto sql server.
iis is on one machine
sql server 2005 is on another
i have anonymous access unchecked
i have added the tags to web.config to impersonate and have windows authentication.
i have checked delegation for the iis server in active directory on the domain and rebooted the iis server
i keep getting the error the login failed for 'NT AUTHORITY\ANONYMOUS LOGON'
i am reading that i may need to do something with kerberos authentication and enable credential forwarding, but i have no clue what this means or where i do it.
Under the virtual directory properties, Directory Security, make sure that the Enable Anonymous login check box is UNCHECKED.
ASKER
yes anonymous access is unchecked in iis
also i have identity impersonate set to true.
this works fine on my test box, it is just when i execute from any other machine i get this error.
ASKER
Can someone PLEASE provide step by step how to achieve this. I'm so confused when reading all the information on the net about this. There must be a step by step guide that explains this in simple english.
my setup
client, computer A, domain A
web ap, computer B, domain A
iis, computer B, domain A
sql server, computer C, domain B
HELP!!!!!!!!!!!!!!!!!!
had a Fire drill....
Is your test box in domain A or B? Also, is there a trust connection between the two domains? Does your SQL use the authentication for different authorization schemas and/or auditing functions?
These links have the steps you described in your scenario on MSDN.
The delegation portion describes the different scenarios and what approach is needed.
http://msdn2.microsoft.com/en-us/library/ms998351.aspx#paght000023_delegation
http://msdn2.microsoft.com/en-us/library/ms998355.aspx
There is a lot of information on this since there are so many scenarios and permission issues that are defined by the environment and the application requirements.
ASKER
my test box which is running IIS is in domain A. it also has the web application on it which is referencing the sql server database (below). my IIS Admin Service is running as Local System account. The service can run as something else if i need it to get this working.
my sql server is in domain B. this is running as a domain account on the domain B. it allows windows and sql server authentication, but i need the web ap to connect using windows authentication.
yes there is a trust between these 2 domains.
ASKER
also i don't need constrained delegation. i just opened the test server up to delegate all (in active directory). i did not do any user delegation or any delegation on the sql server computer since i can't figure out if i need them.
the test server running iis and web ap is windows 2003.
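An added example, not code from this thread or from Microsoft, that checks the three Active Directory facts the double hop depends on: whether the IIS identity is trusted for delegation (the "delegate all" checkbox sets the unconstrained bit; a constrained entry listing only the SQL SPN is the least-privilege alternative), whether the SPNs for the IIS host exist on the account the app pool runs as (Network Service and Local System authenticate on the network as the computer account, whose built-in HOST/ SPNs already cover HTTP), and whether the MSSQLSvc SPN exists on the SQL service account. A SQL Server 2005 instance running under a domain user only registers that SPN itself if the account may write its own servicePrincipalName attribute; when the SPN is missing the second hop silently falls back to NTLM, which cannot carry a delegated identity, and SQL Server logs exactly the ANONYMOUS LOGON failure above. All domain, host and account names are placeholders supplied on the command line; compile with the .NET 2.0 csc.exe and run as a domain user on the IIS box.

```csharp
// Added example, not code from the thread: console check for the Kerberos
// prerequisites of the IIS -> SQL Server hop. Every name is a placeholder
// passed on the command line.
using System;
using System.DirectoryServices;

class KerberosPrereqCheck
{
    // userAccountControl bits behind the AD "Delegation" tab.
    const int TRUSTED_FOR_DELEGATION = 0x80000;            // "delegate to any service" (unconstrained)
    const int TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000;  // constrained, "use any authentication protocol"

    // Escapes the characters that have meaning in an LDAP filter (RFC 4515).
    static string EscapeLdap(string s)
    {
        return s.Replace("\\", "\\5c").Replace("*", "\\2a")
                .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }

    // "domain.dns.name\sAMAccountName" -> the AD object, or null if not found.
    // Computer accounts are written with a trailing '$' (IISBOX$).
    static SearchResult Find(string domainAndAccount)
    {
        string[] parts = domainAndAccount.Split('\\');
        if (parts.Length != 2) throw new ArgumentException("expected domain.dns\\account");
        using (DirectoryEntry domain = new DirectoryEntry("LDAP://" + parts[0]))
        using (DirectorySearcher s = new DirectorySearcher(domain))
        {
            s.Filter = "(sAMAccountName=" + EscapeLdap(parts[1]) + ")";
            s.PropertiesToLoad.Add("servicePrincipalName");
            s.PropertiesToLoad.Add("userAccountControl");
            s.PropertiesToLoad.Add("msDS-AllowedToDelegateTo");
            return s.FindOne();
        }
    }

    // SPNs are compared case-insensitively, as the KDC does.
    static bool HasSpn(SearchResult r, string spn)
    {
        foreach (object o in r.Properties["servicePrincipalName"])
            if (string.Equals(o.ToString(), spn, StringComparison.OrdinalIgnoreCase)) return true;
        return false;
    }

    static void Report(string label, string account, string[] neededSpns)
    {
        SearchResult r = Find(account);
        Console.WriteLine("== " + label + " (" + account + ")");
        if (r == null) { Console.WriteLine("   NOT FOUND in that domain"); return; }
        int uac = (int)r.Properties["userAccountControl"][0];
        Console.WriteLine("   unconstrained delegation: " + ((uac & TRUSTED_FOR_DELEGATION) != 0));
        Console.WriteLine("   constrained targets:      " + r.Properties["msDS-AllowedToDelegateTo"].Count
            + " (protocol transition: " + ((uac & TRUSTED_TO_AUTH_FOR_DELEGATION) != 0) + ")");
        foreach (string spn in neededSpns)
            Console.WriteLine("   SPN " + spn + ": " + (HasSpn(r, spn) ? "registered" : "MISSING"));
    }

    static int Main(string[] args)
    {
        if (args.Length != 4)
        {
            Console.WriteLine("usage: KerberosPrereqCheck domA.dns\\IISBOX$ iisbox.domA.dns domB.dns\\svc_sql sqlbox.domB.dns:1433");
            return 2;
        }
        string iisAccount = args[0], iisHost = args[1], sqlAccount = args[2], sqlHostPort = args[3];
        string iisShort = iisHost.Split('.')[0];
        // Network Service / Local System authenticate as the computer account, whose
        // built-in HOST/ SPNs already cover HTTP; a domain-user app pool needs HTTP/ SPNs.
        string[] iisSpns = iisAccount.EndsWith("$")
            ? new string[] { "HOST/" + iisShort, "HOST/" + iisHost }
            : new string[] { "HTTP/" + iisShort, "HTTP/" + iisHost };
        // SQL 2005 under a domain account registers this only if the account may write
        // its own servicePrincipalName; otherwise add it with setspn -A as a domain admin.
        string[] sqlSpns = { "MSSQLSvc/" + sqlHostPort };
        Report("IIS identity", iisAccount, iisSpns);
        Report("SQL Server service account", sqlAccount, sqlSpns);
        Console.WriteLine("A MISSING SQL SPN means the second hop falls back to NTLM, which cannot"
            + " carry the delegated identity: SQL Server then sees NT AUTHORITY\\ANONYMOUS LOGON.");
        return 0;
    }
}
```

The program only reads the directory; it changes nothing. If it reports the SQL SPN as MISSING, that is the usual reason a setup that otherwise looks correct (impersonation on, anonymous off, delegation ticked) still fails from a remote client. If the SPN is present but the IIS account shows neither unconstrained delegation nor a constrained target, Kerberos is used for the first hop but the resulting token cannot be forwarded to SQL Server.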
ASKER
I'm also using this in my connection string,
Integrated Security=SSPI
but some example I see have
Integrated Security=True
ASKER
just read on MS site that SSPI is equivalent to true, so not that either 8-(
ASKER
the second site you posted does not apply to me because i am using a windows intranet environment, no forms authentication.
On the SQL Server, do you need to know the exact user or the user is authorized to use the web app?
Are you getting the error the login failed for 'NT AUTHORITY\ANONYMOUS LOGON' from the SQL Server? In IIS, which authenticated access are you using?
ASKER
i don't understand your question. in sqlserver i am using the windows logins to assign object permissions. when the user logs into the web ap using windows authentication, i want it to be able to select from a table on sql server for example, using that login.
yes i get that error only from another pc. when i run off the test server (the one with the web ap and iis) i have no problems. if the user has select permissions it works, if not then an error is thrown back indicating they do not have permissions to select on the table.
i'm using SSPI. in IIS i'm using windows authentication when i look at the directory security properties.
ASKER
also....would the site that has the sql server database need to have active directory also, or is it just the site with IIS?
Are the SQL account local or domain accounts?
ASKER
login accounts are domain
the sql service is also a domain account.
Both domain A and you get the anonymous login error when connecting to the Sql Server.
ASKER
yes eventually i want them on diff domains, but today the test i'm doing has iis on one machine, sql server on another machine both within the same domain. and i get that error if i'm not executing the web ap on the iis machine. if i try it from my own pc that is the error i see.
Is your web app running in its own app pool on IIS?
ASKER
defaultapppool i created the virtual directory under the default web site section.
Are you using the same account on your pc and the iis machine?
ASKER
the other thing on the test server it works fine when i browse http://localhost/myap/default.aspx but if i have the machine name in, instead of the localhost it give the same error.
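The localhost-versus-machine-name difference is easiest to pin down by looking at the token the worker thread actually holds. Below is an added diagnostic page, not code from this thread, that prints two identities: the one IIS authenticated (HttpContext.User) and the one the thread carries after `<identity impersonate="true"/>`, which is what SqlClient presents to SQL Server on the second hop. `WindowsIdentity.AuthenticationType` shows which package really authenticated the request (Negotiate resolves to "Kerberos" or "NTLM"), and `ImpersonationLevel` shows whether the token can be forwarded: only a Delegation-level token reaches SQL Server as the user; an NTLM or Impersonation-level token arrives as NT AUTHORITY\ANONYMOUS LOGON. The file and class names are my own choice; it assumes ASP.NET 2.0 with Windows authentication and impersonation configured as described in this thread.

```csharp
// Added diagnostic, not from the thread. Save as App_Code/WhoAmIPage.cs and create
// whoami.aspx containing the single line:  <%@ Page Language="C#" Inherits="WhoAmIPage" %>
// Browse it as http://localhost/myap/whoami.aspx on the IIS box and as
// http://<machinename>/myap/whoami.aspx from another PC, then compare the output.
using System;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.UI;

public class WhoAmIPage : Page
{
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        Response.ContentType = "text/plain";
        Response.Write(Describe(Context.User.Identity, WindowsIdentity.GetCurrent()));
    }

    // requestUser: who IIS authenticated.  threadUser: the token this worker thread
    // holds after <identity impersonate="true"/>, i.e. what SqlClient sends to SQL Server.
    public static string Describe(IIdentity requestUser, WindowsIdentity threadUser)
    {
        StringBuilder sb = new StringBuilder();
        sb.AppendLine("Request user:        " + requestUser.Name);
        sb.AppendLine("Authentication type: " + requestUser.AuthenticationType);
        sb.AppendLine("Thread identity:     " + threadUser.Name);
        sb.AppendLine("Impersonation level: " + threadUser.ImpersonationLevel);
        sb.AppendLine();
        sb.AppendLine(Verdict(requestUser.AuthenticationType, threadUser.ImpersonationLevel));
        return sb.ToString();
    }

    // Maps the two observations onto the three outcomes a practitioner needs to tell apart.
    public static string Verdict(string authType, TokenImpersonationLevel level)
    {
        if (level == TokenImpersonationLevel.Delegation)
            return "OK: delegation-level token; this identity can be presented to SQL Server.";
        if (string.Equals(authType, "NTLM", StringComparison.OrdinalIgnoreCase))
            return "PROBLEM: the client fell back to NTLM. NTLM tokens cannot be forwarded, so the"
                 + " SQL hop arrives as NT AUTHORITY\\ANONYMOUS LOGON. Check SPNs (setspn -L) and"
                 + " that the client reaches IIS by a name that matches a registered SPN.";
        return "PROBLEM: Kerberos was used but the token is only '" + level + "'. The account the"
             + " app pool runs as (computer account for Network Service) is not trusted for"
             + " delegation to SQL Server yet.";
    }
}
```

Read the two runs side by side: if the remote run reports NTLM while the local one does not, the client is not obtaining a Kerberos ticket for the IIS host, which is an SPN or name-resolution issue rather than an IIS setting; if both runs report Kerberos but the remote token is Impersonation level, the delegation setting on the IIS computer account has not taken effect.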
Sounds like a problem with the IIS settings/network configuration which, unfortunately, is getting out of my expertise.
ASKER
have you ever successfully installed iis on one machine and sql server on another machine?
Yes. All my ASP.NET web applications and services have always been with IIS and SQL Server on different machines since 2001. The majority of them also reside in different DMZs setup by my network techs. I have used a mixture of SQL and windows authentication for the SQL Server.
I have a current operational intranet application that uses the Integrated Windows authentication option under the Authenticated access with the partial snippet of the web.config file.
<configuration>
<connectionStrings>
<add name="HunterEdReadConn" connectionString="Data Source=SQLMachine;Initial Catalog=DatabaseName;Integrated Security=True" providerName="System.Data.SqlClient"/>
</connectionStrings>
<system.web>
<compilation debug="false" strict="false" explicit="true" />
<pages>
<namespaces>
<clear/>
<add namespace="System"/>
<add namespace="System.Collections"/>
<add namespace="System.Collections.Specialized"/>
<add namespace="System.Configuration"/>
<add namespace="System.Text"/>
<add namespace="System.Text.RegularExpressions"/>
<add namespace="System.Web"/>
<add namespace="System.Web.Caching"/>
<add namespace="System.Web.SessionState"/>
<add namespace="System.Web.Security"/>
<add namespace="System.Web.Profile"/>
<add namespace="System.Web.UI"/>
<add namespace="System.Web.UI.WebControls"/>
<add namespace="System.Web.UI.WebControls.WebParts"/>
<add namespace="System.Web.UI.HtmlControls"/>
</namespaces>
</pages>
<!--
The <authentication> section enables configuration
of the security authentication mode used by
ASP.NET to identify an incoming user.
-->
<authentication mode="Windows"/>
<identity impersonate="true" />
</system.web>
</configuration>
ASKER
well i wonder what i have that is different. everything i read says i need to use kerberos but i can't make sense of how to set it up. my connection string uses SSPI instead of true, and i don't have provider specified. those are the only things that look different. i will try to change the string tomorrow and see if that makes a difference.
ASKER
also i don't have any namespaces in my web.config. i'm making my connection string in code, i don't have it setup in web.config.
ASKER
nope that didn't make a difference either. did you guys need to worry about spn stuff in order to get this all working properly? i downloaded the setspn utility, but i don't really understand what i'm supposed to be looking for.
ASKER
how do you have your application pool setup? maybe your identity is different. Mine is Network Service, but I also tried Local System.
Do you have your web server setup to delegate in active directory?
ASKER
ok i had it setup as a virtual directory, moved to a web site and now it works. but when i set it up as a web site, i can't browse to http://testserver/myap/default.aspx, i can only go to http://testserver/default.aspx. how do i get my ap name put in there?
ASKER
i posted another question on this
https://www.experts-exchange.com/questions/22975452/IIS-6-0-Assign-Name-to-Web-Site.html
this is getting too long 8-)
thanks for your help
<identity impersonate="True" />
This will pass the user's credentials to the SQL 2005 without using kerberos authentication.