  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 878
  • Last Modified:

kerberos authentication asp.net 2.0

i want to have the credentials of my user account passed on to iis and then passed onto sql server.

iis is on one machine
sql server 2005 is on another

i have anonymous access unchecked
i have added the tags to web.config to impersonate and have windows authentication.
i have checked delegation for the iis server in active directory on the domain and rebooted the iis server

i keep getting the error the login failed for 'NT AUTHORITY\ANONYMOUS LOGON'

i am reading that i may need to do something with kerberos authentication and enable credential forwarding, but i have no clue what this means or where i do it.
0
Fraser_Admin
Asked:
1 Solution
 
CmdoProg2Commented:
Under the authentication element in your web.config file, add ...

<identity impersonate="True" />

This will pass the user's credentials to the SQL 2005 without using kerberos authentication.
0
 
spprivateCommented:
Under the virtual directory properties, Directory Security, make sure that the Enable Anonymous login check box is UNCHECKED.
0
 
Fraser_AdminAuthor Commented:
yes anonymous access is unchecked in iis
also i have identity impersonate set to true.

this works fine on my test box, it is just when i execute from any other machine i get this error.
0
 
Fraser_AdminAuthor Commented:
Can someone PLEASE provide step by step how to achieve this.  I'm so confused when reading all the information on the net about this.  There must be a step by step guide that explains this in simple English.

my setup

client, computer A,  domain A
web ap, computer B,  domain A
iis, computer B, domain A
sql server, computer C, domain B

HELP!!!!!!!!!!!!!!!!!!
0
 
CmdoProg2Commented:
had a Fire drill....
Is your test box in domain A or B?  Also, is there a trust connection between the two domains? Does your SQL use the authentication for different authorization schemas and/or auditing functions?

These links have the steps you described in your scenario on MSDN.  
The delegation portion of describes the different scenarios and what approach is needed.
http://msdn2.microsoft.com/en-us/library/ms998351.aspx#paght000023_delegation

http://msdn2.microsoft.com/en-us/library/ms998355.aspx

There is a lot of information on this since there are so many scenarios and permission issues that are defined by the environment and the application requirements.
0
 
Fraser_AdminAuthor Commented:
my test box which is running IIS is in domain A.  it also has the web application on it which is referencing the sql server database (below).  my IIS Admin Service is running as Local System account.  The service can run as something else if i need it to to get this working.

my sql server is in domain B.  this is running as a domain account on the domain B.  it allows windows and sql server authentication, but i need the web ap to connect using windows authentication.

yes there is a trust between these 2 domains.
0
 
Fraser_AdminAuthor Commented:
also i don't need constrained delegation.  i just opened the test server up to delegate all (in active directory).  i did not do any user delegation or any delegation on the sql server computer since i can't figure out if i need them.

the test server running iis and web ap is windows 2003.
0
 
Fraser_AdminAuthor Commented:
I'm also using this in my connection string,
Integrated Security=SSPI

but some example I see have
Integrated Security=True
0
 
Fraser_AdminAuthor Commented:
just read on MS site that SSPI is equivalent to true, so not that either 8-(
0
 
Fraser_AdminAuthor Commented:
the second site you posted does not apply to me because i am using a windows intranet environment, no forms authentication.
0
 
CmdoProg2Commented:
On the SQL Server, do you need to know the exact user or the user is authorized to use the web app?
0
 
CmdoProg2Commented:
Are you getting the error the login failed for 'NT AUTHORITY\ANONYMOUS LOGON' from the SQL Server?  In IIS, which authenticated access are you using?
0
 
Fraser_AdminAuthor Commented:
i don't understand your question.  in sqlserver i am using the windows logins to assign object permissions.  when the user logs into the web ap using windows authentication, i want it to be able to select from a table on sql server for example, using that login.

yes i get that error only from another pc.  when i run off the test server (the one with the web ap and iis) i have no problems.  if the user has select permissions it works, if not then an error is thrown back indicating they do not have permissions to select on the table.

i'm using sspi.  in IIS i'm using windows authentication when i look at the directory security properties.
0
 
Fraser_AdminAuthor Commented:
also....would the site that has the sql server database need to have active directory also, or is it just the site with IIS?
0
 
CmdoProg2Commented:
Are the SQL account local or domain accounts?
0
 
Fraser_AdminAuthor Commented:
login accounts are domain

the sql service is also a domain account.
0
 
CmdoProg2Commented:
Both domain A and you get the anonymous login error when connecting to the Sql Server.
0
 
Fraser_AdminAuthor Commented:
yes eventually i want them on diff domains, but today the test i'm doing has iis on one machine, sql server on another machine both within the same domain.  and i get that error if i'm not executing the web ap on the iis machine.  if i try it from my own pc that is the error i see.
0
 
CmdoProg2Commented:
Is your web app running in its own app pool on IIS?  
0
 
Fraser_AdminAuthor Commented:
defaultapppool i created the virtual directory under the default web site section.
0
 
CmdoProg2Commented:
Are you using the same account on your pc and the iis machine?
0
 
Fraser_AdminAuthor Commented:
the other thing on the test server it works fine when i browse http://localhost/myap/default.aspx but if i have the machine name in, instead of the localhost it gives the same error.
0
 
CmdoProg2Commented:
Sounds like a problem with the IIS settings/network configuration which, unfortunately, is getting out of my expertise.
0
 
Fraser_AdminAuthor Commented:
have you ever successfully installed iis on one machine and sql server on another machine?
0
 
CmdoProg2Commented:
Yes.  All my ASP.NET web applications and services have always been with IIS and SQL Server on different machines since 2001.  The majority of them also reside in different DMZs setup by my network techs.  I have used a mixture of SQL and windows authentication for the SQL Server.

I have a current operational intranet application that uses the Integrated Windows authentication option under the Authenticated access with the partial snippet of the web.config file.





<configuration>
  <connectionStrings>
  <add name="HunterEdReadConn" connectionString="Data Source=SQLMachine;Initial Catalog=DatabaseName;Integrated Security=True" providerName="System.Data.SqlClient"/>
   </connectionStrings>
  <system.web>
     <compilation debug="false" strict="false" explicit="true" />
    <pages>
      <namespaces>
        <clear/>
        <add namespace="System"/>
        <add namespace="System.Collections"/>
        <add namespace="System.Collections.Specialized"/>
        <add namespace="System.Configuration"/>
        <add namespace="System.Text"/>
        <add namespace="System.Text.RegularExpressions"/>
        <add namespace="System.Web"/>
        <add namespace="System.Web.Caching"/>
        <add namespace="System.Web.SessionState"/>
        <add namespace="System.Web.Security"/>
        <add namespace="System.Web.Profile"/>
        <add namespace="System.Web.UI"/>
        <add namespace="System.Web.UI.WebControls"/>
        <add namespace="System.Web.UI.WebControls.WebParts"/>
        <add namespace="System.Web.UI.HtmlControls"/>
      </namespaces>
    </pages>
    <!--
            The <authentication> section enables configuration 
            of the security authentication mode used by 
            ASP.NET to identify an incoming user. 
        -->
    <authentication mode="Windows"/>
    <identity impersonate="true" />
 
  </system.web>
</configuration>

0
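An added example, not code from the thread or from Microsoft: a small Python audit that flags the combination shown in the snippet above (Windows authentication, impersonation, and an integrated-security connection to a SQL Server on another machine), where IIS has to delegate the browser user's logon over a second hop and a failed delegation reaches SQL Server as 'NT AUTHORITY\ANONYMOUS LOGON'. The function names, finding labels and sample document are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Values SqlClient accepts for Integrated Security / Trusted_Connection;
# anything else is rejected when the connection string is parsed.
INTEGRATED_ON = {"true", "yes", "sspi"}
INTEGRATED_OFF = {"false", "no"}
LOCAL_HOSTS = {".", "(local)", "localhost", "127.0.0.1"}

# Constructed sample, modelled on the settings in the snippet above.
SAMPLE = """<configuration>
  <connectionStrings>
    <add name="HunterEdReadConn" connectionString="Data Source=SQLMachine;Initial Catalog=DatabaseName;Integrated Security=True"/>
  </connectionStrings>
  <system.web>
    <authentication mode="Windows"/>
    <identity impersonate="true"/>
  </system.web>
</configuration>"""

def parse_conn(conn_str):
    """Split 'key=value;...' into a dict with lower-cased keys."""
    pairs = (p.split("=", 1) for p in conn_str.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def is_remote(data_source):
    """True when the data source names another machine (a second hop)."""
    host = data_source.lower()
    host = host[4:] if host.startswith("tcp:") else host
    host = host.split("\\")[0].split(",")[0].strip()
    return bool(host) and host not in LOCAL_HOSTS

def audit(web_config_xml):
    """Return (name, finding, detail) tuples for each connection string."""
    root = ET.fromstring(web_config_xml)
    auth, ident = root.find("system.web/authentication"), root.find("system.web/identity")
    windows = auth is not None and auth.get("mode", "").lower() == "windows"
    impersonating = ident is not None and ident.get("impersonate", "").lower() == "true"
    findings = []
    for add in root.findall("connectionStrings/add"):
        conn = parse_conn(add.get("connectionString", ""))
        raw = conn.get("integrated security", conn.get("trusted_connection", "false"))
        server = conn.get("data source", conn.get("server", ""))
        if raw.lower() not in INTEGRATED_ON | INTEGRATED_OFF:
            findings.append((add.get("name"), "invalid-integrated-security", raw))
        elif raw.lower() in INTEGRATED_ON and windows and impersonating and is_remote(server):
            # Browser -> IIS -> SQL Server: the impersonated logon must be delegated.
            findings.append((add.get("name"), "needs-kerberos-delegation", server))
    return findings
```

A "needs-kerberos-delegation" finding only says that a second hop exists for users browsing from another machine; whether delegation then succeeds depends on the Active Directory settings discussed in this thread.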
 
Fraser_AdminAuthor Commented:
well i wonder what i have that is different.  everything i read says i need to use kerberos but i can't make sense of how to set it up.  my connection string uses sspi instead of true, and i don't have provider specified.  those are the only things that look different.  i will try to change the string tomorrow and see if that makes a difference.
0
 
Fraser_AdminAuthor Commented:
also i don't have any namespaces in my web.config.  i'm making my connection string in code, i don't have it setup in web.config.
0
 
Fraser_AdminAuthor Commented:
nope that didn't make a difference either.  did you guys need to worry about spn stuff in order to get this all working properly?  i downloaded the setspn utility, but i don't really understand what i'm supposed to be looking for.
0
 
Fraser_AdminAuthor Commented:
how do you have your application pool setup?  maybe your identity is different.  Mine is Network Service, but I also tried Local System.

Do you have your web server setup to delegate in active directory?
0
 
Fraser_AdminAuthor Commented:
ok i had it setup as a virtual directory, moved to a web site and now it works.  but when i set it up as a web site, i can't browse to http://testserver/myap/default.aspx, i can only go to http://testserver/default.aspx.  how do i get my ap name put in there?
0
 
CmdoProg2Commented:
1. In the directory of the local path of your web site, set up a myap subdirectory.
2. Move your website into this directory.
3. In the IIS Manager, open the properties of the myap directory under the website. Click on the Create button, and set the directory security as before.  

Here is a site that may be helpful to you
http://msdn2.microsoft.com/en-us/library/ms998372.aspx#pagpractices0001_authhowtousekerberosauthenticationinaspnet
0
 
Fraser_AdminAuthor Commented:
i posted another question on this
http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Microsoft_IIS/Q_22975452.html

this is getting too long 8-)

thanks for your help
0
