Fraser_Admin asked:
Kerberos authentication ASP.NET 2.0

i want to have the credentials of my user account passed on to iis and then passed onto sql server.

iis is on one machine
sql server 2005 is on another

i have anonymous access unchecked
i have added the tags to web.config to impersonate and have windows authentication.
i have checked delegation for the iis server in active directory on the domain and rebooted the iis server

i keep getting the error the login failed for 'NT AUTHORITY\ANONYMOUS LOGON'

i am reading that i may need to do something with kerberos authentication and enable credential forwarding, but i have no clue what this means or where i do it.
CmdoProg2:

Add the following under the authentication element in your web.config file:

<identity impersonate="True" />

This will pass the user's credentials to the SQL 2005 without using kerberos authentication.
Under the virtual directory properties, Directory Security, make sure that the Enable Anonymous login check box is UNCHECKED.
Fraser_Admin (asker):

yes anonymous access is unchecked in iis
also i have identity impersonate set to true.

this works fine on my test box, it is just when i execute from any other machine i get this error.
Can someone PLEASE provide step by step how to achieve this.  I'm so confused when reading all the information on the net about this.  There must be a step by step guide that explains this in simple English.

my setup

client, computer A,  domain A
web ap, computer B,  domain A
iis, computer B, domain A
sql server, computer C, domain B

HELP!!!!!!!!!!!!!!!!!!
had a Fire drill....
Is your test box in domain A or B?  Also, is there a trust connection between the two domains? Does your SQL uses the authentication for different authorizations schemas and/or auditing functions?

These links have the steps for the scenario you described on MSDN.
The delegation portion describes the different scenarios and what approach is needed.
http://msdn2.microsoft.com/en-us/library/ms998351.aspx#paght000023_delegation

http://msdn2.microsoft.com/en-us/library/ms998355.aspx

There is a lot of information on this since there are so many scenarios and permission issues that are defined by the environment and the application requirements.
my test box which is running IIS is in domain A.  it also has the web application on it which is referencing the sql server database (below).  my IIS Admin Service is running as Local System account.  The service can run as something else if i need it to get this working.

my sql server is in domain B.  this is running as a domain account on the domain B.  it allows windows and sql server authentication, but i need the web ap to connect using windows authentication.

yes there is a trust between these 2 domains.
also i don't need constrained delegation.  i just opened the test server up to delegate all (in active directory).  i did not do any user delegation or and delegation on the sql server computer since i can't figure out if i need them.

the test server running iis and web ap is windows 2003.
I'm also using this in my connection string,
Integrated Security=SPPI

but some example I see have
Integrated Security=True
just read on MS site that SPPi is equivalent to true, so not that either 8-(
the second site you posted does not apply to me because i am using a windows intranet environment, no forms authentication.
On the SQL Server, do you need to know the exact user or the user is authorized to use the web app?
Are you getting the error the login failed for 'NT AUTHORITY\ANONYMOUS LOGON' from the SQL Server?  In IIS, which authenticated access are you using?
i don't understand your question.  in sqlserver i am using the windows logins to assign object permissions.  when the user logs into the web ap using windows authentication, i want it to be able to select from a table on sql server for example, using that login.

yes i get that error only from another pc.  when i run off the test server (the one with the web ap and iis) i have no problems.  if the user has select permissions it works, if not then an error is thrown back indicating they do not have permissions to select on the table.

i'm using sppi.  in IIS i'm using windows authentication when i look at the directory security properties.
also....would the site that has the sql server database need to have active directory also, or is it just the site with IIS?
Are the SQL account local or domain accounts?
login accounts are domain

the sql service is also a domain account.
Both domain A and you get the anonymous login error when connecting to the Sql Server.
yes eventually i want them on diff domains, but today the test i'm doing has iis on one machine, sql server on another machine both within the same domain.  and i get that error if i'm not executing the web ap on the iis machine.  if i try it from my own pc that is the error i see.
Is your web app running in its own app pool on IIS?  
defaultapppool i created the virtual directory under the default web site section.
Are you using the same account on your pc and the iis machine?
the other thing on the test server it works fine when i browse http://localhost/myap/default.aspx but if i have the machine name in, instead of the localhost it give the same error.
Sounds like a problem with the IIS settings/network configuration which, unfortunately, is getting out of my expertise.
have you ever successfully installed iis on one machine and sql server on another machine?
Yes.  All my ASP.NET web applications and services have always been with IIS and SQL Server on different machines since 2001.  The majority of them also reside in different DMZs setup by my network techs.  I have used a mixture of SQL and windows authentication for the SQL Server.

I have a current operational intranet application that uses the Integrated Windows authentication option under the Authenticated access with the partial snippet of the web.config file.

<configuration>
  <connectionStrings>
    <add name="HunterEdReadConn" connectionString="Data Source=SQLMachine;Initial Catalog=DatabaseName;Integrated Security=True" providerName="System.Data.SqlClient"/>
  </connectionStrings>
  <system.web>
    <compilation debug="false" strict="false" explicit="true" />
    <pages>
      <namespaces>
        <clear/>
        <add namespace="System"/>
        <add namespace="System.Collections"/>
        <add namespace="System.Collections.Specialized"/>
        <add namespace="System.Configuration"/>
        <add namespace="System.Text"/>
        <add namespace="System.Text.RegularExpressions"/>
        <add namespace="System.Web"/>
        <add namespace="System.Web.Caching"/>
        <add namespace="System.Web.SessionState"/>
        <add namespace="System.Web.Security"/>
        <add namespace="System.Web.Profile"/>
        <add namespace="System.Web.UI"/>
        <add namespace="System.Web.UI.WebControls"/>
        <add namespace="System.Web.UI.WebControls.WebParts"/>
        <add namespace="System.Web.UI.HtmlControls"/>
      </namespaces>
    </pages>
    <!--
      The <authentication> section enables configuration
      of the security authentication mode used by
      ASP.NET to identify an incoming user.
    -->
    <authentication mode="Windows"/>
    <identity impersonate="true" />
  </system.web>
</configuration>

well i wonder what i have that is different.  everything i read says i need to use kerberos but i can't make sense of how to set it up.  my connection string uses sppi instead of true, and i don't have provider specified.  those are the only things that look different.  i will try to change the string tomorrow and see if that makes a difference.
also i don't have any namespaces in my web.config.  i'm making my connection string in code, i don't have it setup in web.config.
nope that didn't make a difference either.  did you guys need to worry about spn stuff in order to get this all working properly?  i downloaded the setspn utility, but i don't really understand what i'm supposed to be looking for.
how do you have your application pool setup?  maybe your identity is different.  Mine is Network Service, but I also tried Local System.

Do you have your web server setup to delegate in active directory?
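The questions above (SPNs, app pool identity, delegation in Active Directory) all come down to one thing: whether the first hop (browser to IIS) produced a Kerberos logon with a delegation-capable token, because only that can be forwarded on the second hop (IIS to SQL Server on another machine). An NTLM logon, or a Kerberos token at Impersonation level, cannot be forwarded, and SQL Server then sees NT AUTHORITY\ANONYMOUS LOGON, which is the error in this thread. The diagnostic page below is an added example written for this answer, not code posted by anyone in the thread. It assumes ASP.NET 2.0 with `<authentication mode="Windows"/>` and `<identity impersonate="true"/>` as shown in the web.config snippet earlier, and it reuses the placeholder names SQLMachine and DatabaseName from that snippet; the page name WhoAmI is also made up.

```csharp
// WhoAmI.aspx.cs: reports what each hop of the double-hop sees.
// Added example, not code from this thread. Assumes ASP.NET 2.0 with
// <authentication mode="Windows"/> and <identity impersonate="true"/> in web.config.
// SQLMachine and DatabaseName are placeholders taken from the snippet above.
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

public partial class WhoAmI : Page
{
    // Placeholder connection string; replace the server and database names.
    private const string ConnString =
        "Data Source=SQLMachine;Initial Catalog=DatabaseName;Integrated Security=SSPI";

    protected void Page_Load(object sender, EventArgs e)
    {
        Response.ContentType = "text/plain";

        // Hop 1: browser -> IIS. What IIS negotiated with the browser,
        // and what kind of token impersonation handed to this worker thread.
        Response.Write("IIS authentication type: " + Context.User.Identity.AuthenticationType + "\r\n");

        WindowsIdentity token = WindowsIdentity.GetCurrent();
        Response.Write("Impersonated as:         " + token.Name + "\r\n");
        Response.Write("Token auth type:         " + token.AuthenticationType + "\r\n");  // NTLM or Kerberos
        Response.Write("Impersonation level:     " + token.ImpersonationLevel + "\r\n");

        // Only a Delegation-level token can be used against a remote server.
        // An NTLM logon, or an Impersonation-level Kerberos token, stops here.
        if (token.ImpersonationLevel != TokenImpersonationLevel.Delegation)
        {
            Response.Write("WARNING: token is not delegation-capable; the SQL hop will fail "
                + "unless SQL Server is on this machine.\r\n");
        }

        // Hop 2: IIS -> SQL Server. Ask SQL Server which login it actually sees.
        try
        {
            using (SqlConnection cn = new SqlConnection(ConnString))
            {
                cn.Open();
                SqlCommand who = new SqlCommand("SELECT SUSER_SNAME()", cn);
                Response.Write("SQL Server sees login:   " + who.ExecuteScalar() + "\r\n");

                // auth_scheme is NTLM, KERBEROS or SQL. Reading sys.dm_exec_connections
                // may require VIEW SERVER STATE, so it is attempted separately.
                try
                {
                    SqlCommand scheme = new SqlCommand(
                        "SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID", cn);
                    Response.Write("SQL Server auth scheme:  " + scheme.ExecuteScalar() + "\r\n");
                }
                catch (SqlException ex)
                {
                    Response.Write("auth_scheme not readable: " + ex.Message + "\r\n");
                }
            }
        }
        catch (SqlException ex)
        {
            // Typical failure on a broken second hop:
            // "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'".
            Response.Write("SQL login failed:        " + ex.Message + "\r\n");
        }
    }
}
```

Browse to the page from a workstation (not from the web server itself) and read the output top down. If the token auth type is NTLM, no web.config or SQL Server setting will help: the browser never obtained a Kerberos ticket for the web server, which is where a missing or wrong HTTP SPN for the app pool account, or the server not being trusted for delegation in Active Directory, shows up. If the token is Kerberos at Delegation level and SQL Server still reports a failed login, the problem is on the SQL side of the second hop, typically the MSSQLSvc SPN for the SQL service account.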
ok i had it setup as a virtual directory, moved to a web site and now it works.  but when i set it up as a web site, i can't browse to http://testserver/myap/default.aspx, i can only go to http://testserver/default.aspx.  how do i get my ap name put in there?
ASKER CERTIFIED SOLUTION
CmdoProg2
i posted another question on this
https://www.experts-exchange.com/questions/22975452/IIS-6-0-Assign-Name-to-Web-Site.html

this is getting too long 8-)

thanks for your help