Solved

Kerberos authentication ASP.NET 2.0

Posted on 2007-11-20
Last Modified: 2013-11-07
I want to have the credentials of my user account passed on to IIS and then passed on to SQL Server.

IIS is on one machine.
SQL Server 2005 is on another.

I have anonymous access unchecked.
I have added the tags to web.config to impersonate and have Windows authentication.
I have checked delegation for the IIS server in Active Directory on the domain and rebooted the IIS server.

I keep getting the error: the login failed for 'NT AUTHORITY\ANONYMOUS LOGON'

I am reading that I may need to do something with Kerberos authentication and enable credential forwarding, but I have no clue what this means or where I do it.
0
Question by:Fraser_Admin
32 Comments
 
LVL 12

Expert Comment

by:CmdoProg2
ID: 20319967
Under the authentication element in your web.config file, add ...

<identity impersonate="True" />

This will pass the user's credentials to the SQL 2005 without using Kerberos authentication.
0
 
LVL 15

Expert Comment

by:spprivate
ID: 20319990
Under the virtual directory properties, Directory Security, make sure that the Enable Anonymous login check box is UNCHECKED.
0
 

Author Comment

by:Fraser_Admin
ID: 20320063
Yes, anonymous access is unchecked in IIS.
Also I have identity impersonate set to true.

This works fine on my test box, it is just when I execute from any other machine I get this error.
0
 

Author Comment

by:Fraser_Admin
ID: 20320724
Can someone PLEASE provide step by step how to achieve this? I'm so confused when reading all the information on the net about this. There must be a step by step guide that explains this in simple English.

My setup:

client, computer A, domain A
web app, computer B, domain A
IIS, computer B, domain A
SQL Server, computer C, domain B

HELP!!!!!!!!!!!!!!!!!!
0
 
LVL 12

Expert Comment

by:CmdoProg2
ID: 20321126
Had a fire drill....
Is your test box in domain A or B? Also, is there a trust connection between the two domains? Does your SQL use the authentication for different authorization schemas and/or auditing functions?

These links have the steps you described in your scenario on MSDN.  
The delegation portion of describes the different scenarios and what approach is needed.
http://msdn2.microsoft.com/en-us/library/ms998351.aspx#paght000023_delegation

http://msdn2.microsoft.com/en-us/library/ms998355.aspx

There is a lot of information on this since there are so many scenarios and permission issues that are defined by the environment and the application requirements.
0
 

Author Comment

by:Fraser_Admin
ID: 20321172
My test box, which is running IIS, is in domain A. It also has the web application on it which is referencing the SQL Server database (below). My IIS Admin Service is running as Local System account. The service can run as something else if I need it to, to get this working.

My SQL Server is in domain B. This is running as a domain account on domain B. It allows Windows and SQL Server authentication, but I need the web app to connect using Windows authentication.

Yes, there is a trust between these 2 domains.
0
 

Author Comment

by:Fraser_Admin
ID: 20321201
Also I don't need constrained delegation. I just opened the test server up to delegate all (in Active Directory). I did not do any user delegation or any delegation on the SQL Server computer since I can't figure out if I need them.

The test server running IIS and the web app is Windows 2003.
0
 

Author Comment

by:Fraser_Admin
ID: 20321239
I'm also using this in my connection string,
Integrated Security=SPPI

but some examples I see have
Integrated Security=True
0
 

Author Comment

by:Fraser_Admin
ID: 20321255
Just read on the MS site that SPPI is equivalent to true, so not that either 8-(
0
 

Author Comment

by:Fraser_Admin
ID: 20321286
The second site you posted does not apply to me because I am using a Windows intranet environment, no forms authentication.
0
 
LVL 12

Expert Comment

by:CmdoProg2
ID: 20321300
On the SQL Server, do you need to know the exact user or the user is authorized to use the web app?
0
 
LVL 12

Expert Comment

by:CmdoProg2
ID: 20321345
Are you getting the error the login failed for 'NT AUTHORITY\ANONYMOUS LOGON' from the SQL Server?  In IIS, which authenticated access are you using?
0
 

Author Comment

by:Fraser_Admin
ID: 20321387
I don't understand your question. In SQL Server I am using the Windows logins to assign object permissions. When the user logs into the web app using Windows authentication, I want it to be able to select from a table on SQL Server, for example, using that login.

Yes, I get that error only from another PC. When I run off the test server (the one with the web app and IIS) I have no problems. If the user has select permissions it works, if not then an error is thrown back indicating they do not have permissions to select on the table.

I'm using SPPI. In IIS I'm using Windows authentication when I look at the directory security properties.
0
 

Author Comment

by:Fraser_Admin
ID: 20321525
Also.... would the site that has the SQL Server database need to have Active Directory also, or is it just the site with IIS?
0
 
LVL 12

Expert Comment

by:CmdoProg2
ID: 20322202
Are the SQL accounts local or domain accounts?
0
 

Author Comment

by:Fraser_Admin
ID: 20322317
Login accounts are domain.

The SQL service is also a domain account.
0
 
LVL 12

Expert Comment

by:CmdoProg2
ID: 20322337
Both domain A and you get the anonymous login error when connecting to the Sql Server.
0
 

Author Comment

by:Fraser_Admin
ID: 20322471
Yes, eventually I want them on diff domains, but today the test I'm doing has IIS on one machine, SQL Server on another machine, both within the same domain. And I get that error if I'm not executing the web app on the IIS machine. If I try it from my own PC that is the error I see.
0
 
LVL 12

Expert Comment

by:CmdoProg2
ID: 20322565
Is your web app running in its own app pool on IIS?  
0
 

Author Comment

by:Fraser_Admin
ID: 20322669
DefaultAppPool. I created the virtual directory under the Default Web Site section.
0
 
LVL 12

Expert Comment

by:CmdoProg2
ID: 20322753
Are you using the same account on your PC and the IIS machine?
0
 

Author Comment

by:Fraser_Admin
ID: 20322772
The other thing: on the test server it works fine when I browse http://localhost/myap/default.aspx but if I have the machine name in, instead of localhost, it gives the same error.
0
 
LVL 12

Expert Comment

by:CmdoProg2
ID: 20322839
Sounds like a problem with the IIS settings/network configuration which, unfortunately, is getting out of my expertise.
0
 

Author Comment

by:Fraser_Admin
ID: 20323053
Have you ever successfully installed IIS on one machine and SQL Server on another machine?
0
 
LVL 12

Expert Comment

by:CmdoProg2
ID: 20323405
Yes. All my ASP.NET web applications and services have always been with IIS and SQL Server on different machines since 2001. The majority of them also reside in different DMZs set up by my network techs. I have used a mixture of SQL and Windows authentication for the SQL Server.

I have a current operational intranet application that uses the Integrated Windows authentication option under Authenticated access, with this partial snippet of the web.config file.

<configuration>
  <connectionStrings>
    <add name="HunterEdReadConn" connectionString="Data Source=SQLMachine;Initial Catalog=DatabaseName;Integrated Security=True" providerName="System.Data.SqlClient"/>
  </connectionStrings>
  <system.web>
    <compilation debug="false" strict="false" explicit="true" />
    <pages>
      <namespaces>
        <clear/>
        <add namespace="System"/>
        <add namespace="System.Collections"/>
        <add namespace="System.Collections.Specialized"/>
        <add namespace="System.Configuration"/>
        <add namespace="System.Text"/>
        <add namespace="System.Text.RegularExpressions"/>
        <add namespace="System.Web"/>
        <add namespace="System.Web.Caching"/>
        <add namespace="System.Web.SessionState"/>
        <add namespace="System.Web.Security"/>
        <add namespace="System.Web.Profile"/>
        <add namespace="System.Web.UI"/>
        <add namespace="System.Web.UI.WebControls"/>
        <add namespace="System.Web.UI.WebControls.WebParts"/>
        <add namespace="System.Web.UI.HtmlControls"/>
      </namespaces>
    </pages>
    <!--
        The <authentication> section enables configuration
        of the security authentication mode used by
        ASP.NET to identify an incoming user.
    -->
    <authentication mode="Windows"/>
    <identity impersonate="true" />
  </system.web>
</configuration>


0
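
A diagnostic for the setup discussed in this thread, added here as an example and not code posted by any participant: a handler that reports which identity the request thread runs as under `<identity impersonate="true" />` and whether its token can be presented to a second machine. The file name WhoAmI.ashx and the class name are hypothetical.

```csharp
<%@ WebHandler Language="C#" Class="WhoAmI" %>
// Added diagnostic example, not from the thread. WhoAmI.ashx is a hypothetical name.
using System.Security.Principal;
using System.Text;
using System.Web;

public class WhoAmI : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // The user IIS authenticated for this request.
        IIdentity caller = context.User != null ? context.User.Identity : null;
        // The identity this thread runs as. With <identity impersonate="true" />
        // it is the caller; otherwise it is the application pool account.
        WindowsIdentity thread = WindowsIdentity.GetCurrent();

        StringBuilder sb = new StringBuilder();
        sb.AppendLine("Authenticated caller : " + (caller == null ? "(none)" : caller.Name));
        sb.AppendLine("IIS auth type        : " + (caller == null ? "(none)" : caller.AuthenticationType));
        sb.AppendLine("Thread identity      : " + thread.Name);
        sb.AppendLine("Token auth type      : " + thread.AuthenticationType);
        sb.AppendLine("Impersonation level  : " + thread.ImpersonationLevel);
        sb.AppendLine("Assessment           : " + Assess(thread));

        context.Response.ContentType = "text/plain";
        context.Response.Write(sb.ToString());
    }

    // Maps the token's impersonation level to what it means for the second hop.
    private static string Assess(WindowsIdentity id)
    {
        if (id.IsAnonymous)
            return "Anonymous token: IIS did not authenticate the user.";
        switch (id.ImpersonationLevel)
        {
            case TokenImpersonationLevel.Delegation:
                return "Delegable: the user's identity can be presented to a remote SQL Server.";
            case TokenImpersonationLevel.Impersonation:
                return "Local only: a remote SQL Server will not receive this user's identity.";
            case TokenImpersonationLevel.None:
                return "Not impersonating: remote connections use the process account.";
            default:
                return "Level " + id.ImpersonationLevel + ": not usable for remote access.";
        }
    }
}
```

Request it once on the IIS machine via localhost and once from another PC by machine name, then compare the two reports.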
 

Author Comment

by:Fraser_Admin
ID: 20324725
Well, I wonder what I have that is different. Everything I read says I need to use Kerberos but I can't make sense of how to set it up. My connection string uses SPPI instead of true, and I don't have provider specified. Those are the only things that look different. I will try to change the string tomorrow and see if that makes a difference.
0
 

Author Comment

by:Fraser_Admin
ID: 20324743
Also I don't have any namespaces in my web.config. I'm making my connection string in code, I don't have it set up in web.config.
0
 

Author Comment

by:Fraser_Admin
ID: 20327024
Nope, that didn't make a difference either. Did you guys need to worry about SPN stuff in order to get this all working properly? I downloaded the setspn utility, but I don't really understand what I'm supposed to be looking for.
0
 

Author Comment

by:Fraser_Admin
ID: 20327140
How do you have your application pool set up? Maybe your identity is different. Mine is Network Service, but I also tried Local System.

Do you have your web server set up to delegate in Active Directory?
0
 

Author Comment

by:Fraser_Admin
ID: 20327638
OK, I had it set up as a virtual directory, moved to a web site and now it works. But when I set it up as a web site, I can't browse to http://testserver/myap/default.aspx, I can only go to http://testserver/default.aspx. How do I get my app name put in there?
0
 
LVL 12

Accepted Solution

by:
CmdoProg2 earned 500 total points
ID: 20327941
1. In the directory of the local path of your web site, set up a myap subdirectory.
2. Move your website into this directory.
3. In the IIS Manager, open the properties of the myap directory under the website. Click on the Create button, and set the directory security as before.

Here is a site that may be helpful to you:
http://msdn2.microsoft.com/en-us/library/ms998372.aspx#pagpractices0001_authhowtousekerberosauthenticationinaspnet
0
 

Author Comment

by:Fraser_Admin
ID: 20328000
I posted another question on this:
http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Microsoft_IIS/Q_22975452.html

This is getting too long 8-)

Thanks for your help.
0
