Professional Web Applications Themes

ASP.NET + SQL Server Windows authentication - ASP.NET General

Hey All, Trying to understand why I can not get SQL server to trust my IIS server. I have two machines set up, 1 App and 1 DB, and I'm trying to validate the applications access to the DB server via NT Authentication. The App comes in via NTLM which from my understanding only supports Single hop security delegation. So far I understand why it doesn't work, although seems to me like a very bad problem. Now, Basic Authentication will transfer the PW and the UID which will allow IIS to login to the DB server and then NT Authentication ...

  1. #1

    Default ASP.NET + SQL Server Windows authentication

    Hey All,

    Trying to understand why I can not get SQL server to trust my IIS server. I
    have two machines set up, 1 App and 1 DB, and I'm trying to validate the
    applications access to the DB server via NT Authentication. The App comes in
    via NTLM which from my understanding only supports Single hop security
    delegation. So far I understand why it doesn't work, although seems to me
    like a very bad problem. Now, Basic Authentication will transfer the PW and
    the UID which will allow IIS to login to the DB server and then NT
    Authentication will work. But we all know how non-secure Basic
    Authentication is.

    Here's the confusion, if Kerberos permits token transferring with no
    limitation why can't IIS receive a token via NTLM and transfer it to the DB
    server?

    I've been reading all of these articles

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vbcon/html/
    vbconaccessingsqlserverfromwebapplication.asp
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vbcon/html/
    vbtskaccessingsqlserverusingwindowsintegratedsecur ity.asp
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnauth/html
    /dnauth_security.asp
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnauth/html
    /signfaq.asp
    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q176377

    and a bunch of other doents and they all come down to two valid
    solutions: Basic Authentication or SQL Users. These are only valid if the
    level of security you wish to achieve is not something that needs to pass a
    certain level of security (would not pass in industries that require maximum
    security).

    If I am bound to NT Authentication, is my only option Basic Authentication
    (of course under SSL)? And why is it that we don't have these problems with
    other Database vendors? Is there any way we can utilize ADSI to get the
    users NTLM credentials to pass on to SQL server?

    Any help or suggestions will be very appreciated.

    Thank you,




    Lior Guest

  2. #2

    Default Re: ASP.NET + SQL Server Windows authentication

    Things that you have to check are:


    1- What is the account the webserver is using? in asp.net using default
    configuration (no impersonation), it is ASPNET, it can be the
    IUSR_MachineName account, or any other account.
    in asp.net you can easily find out with this code
    Response.Write(System.Security.Principal.WindowsId entity.GetCurrent().Name);
    to change the username underwhich the code executes for asp.net change the
    <identity> in machine.config

    2- Is this account a local account or a domain account?

    If it is a domain account, then check that in the SQL server security that
    the is permitted to access the server, and has access to the its default
    database (or the database specified in the connection string).

    If it is a local account, then use a domain account.

    If there is no domain, then the username and password for the local account
    must be valid on the database server, ie the same username and password on
    both machines, I think when ASPNET account is created a random password is
    generated for it. so the password is not the same for both machines, and
    changing the ASPNET account password is not recommended.

    In all cases make sure that the account has access to SQL Server.



    "Lior Amar" <com> wrote in message
    news:uHPZbT#phx.gbl... 

    in 
    and 
    DB 
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vbcon/html/ 
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vbcon/html/ 
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnauth/html 
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnauth/html 

    maximum 
    with 


    Sherif Guest

  3. #3

    Default Re: ASP.NET + SQL Server Windows authentication

    Think the problem is just a limitation of NTLM single hop. Don't think there
    is a way around it other than using SSL and Basic Authentication. ASPNET is
    set up properly and is impersonating the user approriately. Don't think
    there is anyway around this limitation.

    Thanks for the help though

    Lior


    "Lior Amar" <com> wrote in message
    news:uHPZbT#phx.gbl... 

    in 
    and 
    DB 
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vbcon/html/ 
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vbcon/html/ 
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnauth/html 
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnauth/html 

    maximum 
    with 


    Lior Guest

  4. #4

    Default Re: ASP.NET + SQL Server Windows authentication

    Think the problem is just a limitation of NTLM single hop. Don't think there
    is a way around it other than using SSL and Basic Authentication. ASPNET is
    set up properly and is impersonating the user approriately. Don't think
    there is anyway around this limitation.

    Thanks for the help though

    Lior


    "Lior Amar" <com> wrote in message
    news:uHPZbT#phx.gbl... 

    in 
    and 
    DB 
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vbcon/html/ 
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vbcon/html/ 
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnauth/html 
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnauth/html 

    maximum 
    with 


    Lior Guest

Similar Threads

  1. Authentication on Windows NT Server w/IIS 5 or 6
    By kodemonki in forum Coldfusion Server Administration
    Replies: 2
    Last Post: September 29th, 08:51 PM
  2. Windows Authentication with ASP.Net and SQL Server
    By Siobhan in forum ASP.NET Security
    Replies: 2
    Last Post: October 31st, 04:51 AM
  3. SQL Server uses Windows authentication
    By Astra in forum ASP Database
    Replies: 9
    Last Post: September 17th, 12:44 AM
  4. ASP.NET + SQL Server Windows authentication
    By Lior Amar in forum ASP.NET Security
    Replies: 4
    Last Post: September 4th, 03:20 AM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139