
  1. #1

    Impersonation

    Can someone explain this to me:

    I have a web app I am trying to deploy for the Intranet of our company. I want to use integrated Windows, so I
    have <identity impersonate = "true" /> in my web.config file and under IIS for the website I only have
    integrated Windows authentication checked. My problem is when it tries to retrieve data from the SQL Server
    database I get the NT AUTHORITY\ANONYMOUS LOGON failed error on my SQL Server. This happens when
    someone else pulls up the site on their computer. My computer is hosting the website and when I go to the
    website from my computer it works just fine. I get logged into SQL Server with my domain user name/password, but if
    anyone from another computer tries to go to the website, when the website tries to retrieve data I get the NT AUTHORITY\ANONYMOUS LOGON failed error.

    Things I have tried are putting an account in the identity tag <identity impersonate="true" userName="domain\username" password="password" />;
    this works, but I would rather know the username of the actual person going to the website and retrieving data than this default user.

    Can anyone explain what is happening and why I get the NT AUTHORITY\ANONYMOUS LOGON failed error, and give any suggestions on a fix.

    Thanks

    Paul P Guest

  3. #2

    Re: Impersonation

    This is a very common pitfall.

    Here are a couple of links.
    [url]http://support.microsoft.com/default.aspx?scid=kb;en-us;810572[/url] (there are
    more at the bottom of this linked article too)
    [url]http://blogs.geekdojo.net/justin/archive/2003/12/10/430.aspx[/url]

    Long story short, unless you plan to deploy AD, or are already running it (but
    obviously not configured for delegation), you will need to come up with a
    different means of propagating the credentials.

    "Paul P" <anonymous@discussions.microsoft.com> wrote in message
    news:D88CEF6E-26AE-48A2-BE41-1474968A26DC@microsoft.com...
    > Can someone explain this to me:
    >
    > I have a web app I am trying to deploy for the Intranet of our company. I
    > want to use integrated windows so I have <identity impersonate = "true" />
    > in my web.config file and under IIS for the website I only have integrated
    > windows authentication checked. My problem is when it tries to retrieve data
    > from the SQL Server database I get the NT AUTHORITY\ANONYMOUS LOGON failed
    > error on my SQL Server. This happens when someone else pulls up the site on
    > their computer. My computer is hosting the website and when I go to the
    > website from my computer it works just fine. I get logged into SQL Server
    > with my domain user name/password but if anyone from another computer tries
    > to go to the website and when the website tries to retrieve data I get the
    > NT AUTHORITY\ANONYMOUS LOGON failed error.
    >
    > Things I have tried are putting an account in the identity tag <identity
    > impersonate="true" userName="domain\username" password="password" />
    > this works but I would rather know the username of the actual person going
    > to the website and retrieving data than this default user.
    >
    > Can anyone explain what is happening and why I get NT AUTHORITY\ANONYMOUS
    > LOGON failed error and give any suggestions on a fix.
    >
    > Thanks
    >

    Kevin C Guest

  4. #3

    Re: Impersonation

    a) if you do this, you will lose the benefits of connection pooling, as a
    separate connection will be used for each security context (each user
    account will have its own pool). So, this solution will not scale to a
    large number of users. It's OK if you have a small number of users.

    b) the problem is double-hop authentication. When using IWA, the webserver
    does not have the user's password. It just gets a token from the DC, but the
    token does not have permission to log on to network resources.

    Options:
    a) if you are using a Windows 2000 Domain, you can enable delegation. This
    allows the IIS server to impersonate the Windows account, and logon to the
    backend SQL Server. You need to use Kerberos authentication for this (not
    NTLM v2)

    b) if you are using a Windows 2003 Domain, when you enable constrained
    delegation, you can use Protocol Transition. This allows the user to
    authenticate using any of a number of mechanisms to the IIS server (e.g.
    Digest, or NTLM), and the webserver can still get a Kerberos token to log on
    to the SQL Server.

    Here are a few articles to get you started:

    IMPORTANT:
    Read chapter 12 from the Building Secure ASP.Net Application Book - it has
    very good information about building scalable, secure ASP.Net applications
    (eg using a trusted subsystem model):
    [url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp?frame=true[/url]

    [url]http://support.microsoft.com/?id=319723[/url]
    INF: SQL Server 2000 Kerberos support including SQL Server virtual servers
    on server clusters

    [url]http://support.microsoft.com/default.aspx?scid=kb;en-us;810572[/url]
    HOW TO: Configure an ASP.NET Application for a Delegation Scenario

    [url]http://support.microsoft.com/?id=294382[/url]

    Authentication May Fail with "401.3" Error If Web Site's "Host Header"
    Differs from Server's NetBIOS Name

    [url]http://support.microsoft.com/default.aspx?kbid=325894[/url]
    HOW TO: Configure Computer Accounts and User Accounts So That They Are
    Trusted for Delegation in Windows Server 2003 Enterprise Edition (also
    includes Windows 2000 instructions)

    [url]http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/se_con_del_computer.asp[/url]
    Configuring Users and Computers for delegation (there's a couple of pages -
    use the links in the nav bar to get to them)

    Windows 2003 Protocol Transition
    [url]http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx[/url]


    Cheers
    Ken


    "Paul P" <anonymous@discussions.microsoft.com> wrote in message
    news:D88CEF6E-26AE-48A2-BE41-1474968A26DC@microsoft.com...
    : Can someone explain this to me:
    :
    : I have a web app I am trying to deploy for the Intranet of our company. I
    : want to use integrated windows so I have <identity impersonate = "true" />
    : in my web.config file and under IIS for the website I only have integrated
    : windows authentication checked. My problem is when it tries to retrieve data
    : from the SQL Server database I get the NT AUTHORITY\ANONYMOUS LOGON failed
    : error on my SQL Server. This happens when someone else pulls up the site on
    : their computer. My computer is hosting the website and when I go to the
    : website from my computer it works just fine. I get logged into SQL Server
    : with my domain user name/password but if anyone from another computer tries
    : to go to the website and when the website tries to retrieve data I get the
    : NT AUTHORITY\ANONYMOUS LOGON failed error.
    :
    : Things I have tried are putting an account in the identity tag <identity
    : impersonate="true" userName="domain\username" password="password" />
    : this works but I would rather know the username of the actual person going
    : to the website and retrieving data than this default user.
    :
    : Can anyone explain what is happening and why I get NT AUTHORITY\ANONYMOUS
    : LOGON failed error and give any suggestions on a fix.
    :
    : Thanks
    :


    Ken Schaefer Guest
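    Ken's two delegation options, carried through as an added PowerShell example; this is not code from the thread or from the linked articles. It assumes a web server WEB01 and a SQL Server SQL01 in the domain corp.example, both services running as built-in accounts so that the Kerberos identity of each hop is the computer account (WEB01$, SQL01$), a SQL instance on port 1433, and the ActiveDirectory module from RSAT run with rights to modify the web server's computer object. Every name is a placeholder. Option a) is left commented out as the setting to avoid; option b) is applied.

```powershell
# Added example, not from the thread. WEB01, SQL01, corp.example and port
# 1433 are placeholders; adjust to the real hosts and to the account that
# actually runs each service.
Import-Module ActiveDirectory

$WebHost = 'WEB01'
$SqlHost = 'SQL01'
$Domain  = 'corp.example'
$WebSpn  = "HTTP/$WebHost.$Domain"
$SqlSpn  = "MSSQLSvc/$SqlHost.${Domain}:1433"

# 1. Each hop needs a usable SPN on the account that runs the service. For a
#    built-in account the computer's HOST/ SPN already covers HTTP; a domain
#    service account needs an explicit HTTP/ entry. Without a usable SPN the
#    client falls back to NTLM, and an NTLM token cannot be forwarded, which
#    is exactly the ANONYMOUS LOGON the first post sees at SQL Server.
$webSpns = (Get-ADComputer $WebHost -Properties servicePrincipalName).servicePrincipalName
$sqlSpns = (Get-ADComputer $SqlHost -Properties servicePrincipalName).servicePrincipalName
$webOk = ($webSpns -contains $WebSpn) -or ($webSpns -contains "HOST/$WebHost.$Domain")
if (-not $webOk)                    { Write-Warning "no HTTP/ or HOST/ SPN for $WebHost.$Domain on $WebHost`$" }
if ($sqlSpns -notcontains $SqlSpn)  { Write-Warning "$SqlSpn is not registered on $SqlHost`$" }

# 2. Option a) from the post: the Windows 2000 style "Trust this computer for
#    delegation" flag. This is unconstrained delegation: the web server stores
#    each visitor's forwarded TGT and may use it against ANY service, so a
#    compromised web server impersonates every visitor everywhere. Shown only
#    as the weak setting; do not run it.
# Set-ADAccountControl -Identity "$WebHost`$" -TrustedForDelegation $true

# 3. Option b): constrained delegation to the SQL SPN only, plus protocol
#    transition so clients that arrived with NTLM or Digest still get a
#    Kerberos ticket to SQL Server ("Use any authentication protocol").
Set-ADAccountControl -Identity "$WebHost`$" -TrustedForDelegation $false
Set-ADComputer -Identity $WebHost -Add @{ 'msDS-AllowedToDelegateTo' = $SqlSpn }
Set-ADAccountControl -Identity "$WebHost`$" -TrustedToAuthForDelegation $true

# 4. Read back what AD now says about the web server.
Get-ADComputer $WebHost -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo' |
    Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
        @{ Name = 'AllowedToDelegateTo'; Expression = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

    Two points worth keeping in mind when running this. Constrained delegation limits the blast radius of a web-server compromise to the SPNs listed in msDS-AllowedToDelegateTo, which is why step 3 clears the unconstrained flag before adding the target. And even once delegation works, Ken's point a) still applies: every user gets a separate SQL Server connection pool, so the trusted-subsystem model from chapter 12 of the linked book (one fixed, low-privileged identity for the database, with the user's name passed as data) scales better and needs no delegation at all.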

  5. #4

    impersonation

    I would like to use Kerberos delegation to access a SQL Server database
    from an ASP.NET application.
    So, I have set up a website, disabled anonymous access and checked
    Windows integrated security.
    In the ASP.NET application, the web.config file contains
    <authentication mode="Windows" />
    <identity impersonate="true" />
    Both the IIS and the SQL server are part of a domain. So, when I browse to
    the site using a domain account
    the site will open fine. However, when I try to open a database connection
    using the 'Integrated Security=SSPI' option I always get the error:
    Login failed for user '(null)'. Reason: Not associated with a trusted SQL
    Server connection.
    When I open the database by using SQL authentication, everything works fine.
    On the IIS, the web service is running under the Local System account, and so
    is the SQL Server.
    In AD I have set the 'Trust computer for delegation' flag for both the IIS
    and the SQL as stated in the 'Troubleshoot Kerberos delegation' document,
    but still without any luck.

    Has somebody encountered this problem already?


    Noël Thoelen Guest

  6. #5

    Re: impersonation

    I was looking around in some of the other posts in this newsgroup and
    something occurred to me.
    I am using an LMHOSTS file to reach the site. So, the site is not reached
    using DNS. Could this be the problem?

    "Noël Thoelen" <noel@itomni.com> schreef in bericht
    news:eDuamBZvEHA.1984@TK2MSFTNGP14.phx.gbl...
    >I would like to use KERBEROS delegation to access an SQL Server database
    >from an ASP.NET application.
    > So, I have set up a website, disabled anonymous access and checked the
    > windows integrated security.
    > In the ASP.NET application, the web.config file contains
    > <authentication mode="Windows" />
    > <identity impersonate="true" />
    > Both the IIS and the SQL server are part of a domain. So, when I browse to
    > the site using a domain account
    > the site will open fine. However, when I try to open a database connection
    > using the 'Integrated Security=SSPI' option I always get the error:
    > Login failed for user '(null)'. Reason: Not associated with a trusted SQL
    > Server connection.
    > When I open the database by using SQL authentication, everything works
    > fine.
    > On the IIS, the Webservice is running under local system account, and so
    > is the SQL Server.
    > In AD I have set the 'Trust computer for delegation' flag for both the IIS
    > and the SQL as stated in the 'Troubleshoot KERBEROS delegation' document,
    > but still without any luck
    >
    > Has somebody encountered this problem already?
    >

    Noël Thoelen Guest

  7. #6

    Re: impersonation

    If you are accessing the site using a name other than the registered name, you
    will need to use setspn.exe and register a new service principal name:
    [url]http://support.microsoft.com/?id=294382[/url]

    Other things you should read/use to troubleshoot the issue:
    [url]http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx[/url]
    -and-
    [url]http://www.microsoft.com/downloads/details.aspx?FamilyID=e90fe777-4a21-4066-bd22-b931f7572e9a&DisplayLang=en[/url]

    You basically need to work your way thoroughly from the client through to the
    backend SQL Server to make sure everything is set up correctly, e.g. is IE
    configured to use Kerberos? Is IIS sending appropriate authentication
    headers? Are SPNs registered correctly? Is delegation enabled properly? etc.

    Cheers
    Ken

    "Noël Thoelen" <noel@itomni.com> wrote in message
    news:O9edINZvEHA.3416@TK2MSFTNGP09.phx.gbl...
    >I was looking around in some of the other posts in this newsgroup and
    >something came up to me.
    > I am using an lmhost file to reach the site. So, the site is not reached
    > using DNS. Could this be the problem ?
    >
    > "Noël Thoelen" <noel@itomni.com> schreef in bericht
    > news:eDuamBZvEHA.1984@TK2MSFTNGP14.phx.gbl...
    >>I would like to use KERBEROS delegation to access an SQL Server database
    >>from an ASP.NET application.
    >> So, I have set up a website, disabled anonymous access and checked the
    >> windows integrated security.
    >> In the ASP.NET application, the web.config file contains
    >> <authentication mode="Windows" />
    >> <identity impersonate="true" />
    >> Both the IIS and the SQL server are part of a domain. So, when I browse
    >> to the site using a domain account
    >> the site will open fine. However, when I try to open a database
    >> connection using the 'Integrated Security=SSPI' option I always get the
    >> error:
    >> Login failed for user '(null)'. Reason: Not associated with a trusted SQL
    >> Server connection.
    >> When I open the database by using SQL authentication, everything works
    >> fine.
    >> On the IIS, the Webservice is running under local system account, and so
    >> is the SQL Server.
    >> In AD I have set the 'Trust computer for delegation' flag for both the
    >> IIS and the SQL as stated in the 'Troubleshoot KERBEROS delegation'
    >> document, but still without any luck
    >>
    >> Has somebody encountered this problem already?
    >>
    >
    >

    Ken Schaefer Guest
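    The SPN repair Ken describes (and that resolved Noël's case), as an added PowerShell example; it is not code from the thread or from the linked KB article. It assumes the site is reached as http://intranet (an alias or host header) while the server is WEB01 in domain CORP, and that the application pool runs as a built-in account, so the SPN belongs to the computer account WEB01$. Those names are placeholders; the setspn, klist and Invoke-WebRequest calls are the standard Windows tools.

```powershell
# Added example, not from the thread. 'intranet', CORP and WEB01 are
# placeholders.
$Alias   = 'intranet'                   # the name users type into the browser
$Fqdn    = 'intranet.corp.example'
$Account = 'WEB01$'                     # computer account: IIS runs as Local System /
                                        # Network Service. Use 'CORP\svc-web' instead
                                        # if the application pool runs as a domain user.

# The browser asks the KDC for a ticket to HTTP/<name it connected to>. The
# computer's HOST/ SPN only covers the machine's own name, so an alias or
# host header needs its own HTTP/ entry; otherwise the client silently falls
# back to NTLM, whose token cannot be forwarded, and SQL Server logs
# ANONYMOUS LOGON or user '(null)'.
foreach ($spn in "HTTP/$Alias", "HTTP/$Fqdn") {
    $result = setspn -Q $spn 2>&1
    if ($result -match 'No such SPN found') {
        Write-Host "missing: $spn  -> registering on $Account"
        setspn -S $spn $Account         # -S refuses to create a duplicate
    } else {
        Write-Host "present: $spn"
        $result
    }
}

# A duplicate SPN (the same HTTP/name on two accounts) breaks Kerberos just
# as surely as a missing one: the KDC cannot choose a key and issues no
# ticket. -X searches the whole domain for duplicates.
setspn -X

# From a domain-joined client: clear cached tickets, hit the site, and confirm
# a service ticket for the alias was issued (Kerberos, not an NTLM fallback).
klist purge | Out-Null
Invoke-WebRequest -UseDefaultCredentials -Uri "http://$Alias/" | Out-Null
klist | Select-String -Pattern "HTTP/$Alias"
```

    The account matters as much as the name: if the pool later moves to a domain service account, the HTTP/ SPNs (including the one for the machine's own name) must be moved to that account, because a ticket encrypted to the computer account's key cannot be decrypted by a worker process running as somebody else. That failure shows up as a 401 loop rather than an NTLM fallback, and setspn -X is the quickest way to spot the leftover duplicate.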

  8. #7

    Re: impersonation

    Thank you Ken. The SETSPN did solve my problem.

    You really made my day!!


    "Ken Schaefer" <kenREMOVE@THISadopenstatic.com> schreef in bericht
    news:OC2WMS9vEHA.1512@TK2MSFTNGP12.phx.gbl...
    > If you are accessing the site using a name other than the registered name, you
    > will need to use setspn.exe and register a new service principal name:
    > [url]http://support.microsoft.com/?id=294382[/url]
    >
    > Other things you should read/use to troubleshoot the issue:
    > [url]http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx[/url]
    > -and-
    > [url]http://www.microsoft.com/downloads/details.aspx?FamilyID=e90fe777-4a21-4066-bd22-b931f7572e9a&DisplayLang=en[/url]
    >
    > You basically need to work your way thoroughly from the client through to the
    > backend SQL Server to make sure everything is set up correctly, e.g. is IE
    > configured to use Kerberos? Is IIS sending appropriate authentication
    > headers? Are SPNs registered correctly? Is delegation enabled properly?
    > etc.
    >
    > Cheers
    > Ken
    >
    > "Noël Thoelen" <noel@itomni.com> wrote in message
    > news:O9edINZvEHA.3416@TK2MSFTNGP09.phx.gbl...
    >>I was looking around in some of the other posts in this newsgroup and
    >>something came up to me.
    >> I am using an lmhost file to reach the site. So, the site is not reached
    >> using DNS. Could this be the problem ?
    >>
    >> "Noël Thoelen" <noel@itomni.com> schreef in bericht
    >> news:eDuamBZvEHA.1984@TK2MSFTNGP14.phx.gbl...
    >>>I would like to use KERBEROS delegation to access an SQL Server database
    >>>from an ASP.NET application.
    >>> So, I have set up a website, disabled anonymous access and checked the
    >>> windows integrated security.
    >>> In the ASP.NET application, the web.config file contains
    >>> <authentication mode="Windows" />
    >>> <identity impersonate="true" />
    >>> Both the IIS and the SQL server are part of a domain. So, when I browse
    >>> to the site using a domain account
    >>> the site will open fine. However, when I try to open a database
    >>> connection using the 'Integrated Security=SSPI' option I always get the
    >>> error:
    >>> Login failed for user '(null)'. Reason: Not associated with a trusted
    >>> SQL Server connection.
    >>> When I open the database by using SQL authentication, everything works
    >>> fine.
    >>> On the IIS, the Webservice is running under local system account, and so
    >>> is the SQL Server.
    >>> In AD I have set the 'Trust computer for delegation' flag for both the
    >>> IIS and the SQL as stated in the 'Troubleshoot KERBEROS delegation'
    >>> document, but still without any luck
    >>>
    >>> Has somebody encountered this problem already?
    >>>
    >>
    >>
    >
    >

    Noël Thoelen Guest

  9. #8

    Impersonation

    I am a little confused about the difference between two ways of
    implementing impersonation.

    Some sources say that if one needs to run application under a specific
    account, he should use this
    <identity impersonate="true" username="username" password="password" />

    Others state that the impersonate attribute should be set to false and
    username and password then have to be provided as in:
    <identity impersonate="false" username="username" password="password"
    />

    What's the difference?

    sgelfmann@yahoo.com Guest

  10. #9

    Re: Impersonation

    In your .NET Framework SDK documentation, paste the following address:
    ms-help://MS.NETFrameworkSDKv1.1/cpgenref/html/gngrfidentitysection.htm

    Otherwise expand: Reference -> Configuration File Schema -> ASP.NET Settings
    Schema -> click <Identity> Element

    The explanation seems pretty straightforward to me. If it is unclear, please
    post again.

    Thanks

    Cheers
    Ken


    <sgelfmann@yahoo.com> wrote in message
    news:1106771535.236207.67740@z14g2000cwz.googlegroups.com...
    >I am a little confused about the difference between two ways of
    > implementing impersonation.
    >
    > Some sources say that if one needs to run application under a specific
    > account, he should use this
    > <identity impersonate="true" username="username" password="password" />
    >
    > Others state that the impersonate attribute should be set to false and
    > username and password then have to be provided as in:
    > <identity impersonate="false" username="username" password="password"
    > />
    >
    > What's the difference?
    >

    Ken Schaefer Guest

  11. #10

    Impersonation

    Hi all

    I have a webserver that shares common services and I set in web.config
    <identity impersonate="true" /> and in IIS I set a specific user account that
    will be used. The main problem is that when IIS starts the application and
    executes the methods from Global.asax.cs it uses the ASPNET account, not mine;
    after that it switches to the impersonated account. But in my situation I use WSE2,
    where I need to check the password in UsernameTokenManager, and for that I need to
    connect to the DB, but I use an SSPI connection (with the user from impersonation) that
    fails. How do I solve this problem? I need a trusted connection that uses my user
    from IIS. I need only one user everywhere; how do I do that in
    UsernameTokenManager.AuthenticateToken(UsernameToken token) to use the
    impersonated account?

    with best regards
    Viorel


    Viorel Ghilas Guest

  14. #13

    impersonation

    IIS 6.0

    Our developer created an ASP.NET application. I keep getting an error on the
    website:

    Exception Details: System.UnauthorizedAccessException: Access to the path
    "D:\Websites\intradev\peoplefind_net\csv\20050428103335.csv" is denied.

    I have used Filemon and found that it is trying to access that directory
    structure using NT AUTHORITY\NETWORK SERVICE. I need it to use the local
    ASPNET account. How can I force it to use the ASPNET account?


    Bad Beagle Guest

  15. #14

    Re: impersonation

    If you are running in IIS6, then by default your code is running as "Network
    Service". You can change the security DACL on the target file to allow MACHINENAME$
    access to the file and it should work for you. The ASPNET account is only
    used (again, by default) when you're running on an IIS5 or 5.1 box -- so
    Windows 2000 or XP. If you really want your application in IIS6 to run as
    ASPNET, you can change the identity in the IIS admin tool for the AppPool
    that your app has been configured as. But every other app in the same AppPool
    will also be affected. If you choose this approach, then you might want to
    create a separate AppPool specifically for your application.

    -Brock
    DevelopMentor
    [url]http://staff.develop.com/ballen[/url]


    > IIS 6.0
    >
    > Our developer created a asp.net application. I keep getting an error
    > on the website:
    >
    > Exception Details: System.UnauthorizedAccessException: Access to the
    > path "D:\Websites\intradev\peoplefind_net\csv\20050428103335.csv" is
    > denied.
    >
    > I have used filemon and found that it is trying to access that
    > directory structure using nt authority\network service. I need it to
    > use the local aspnet account. How can I force it to use the aspnet
    > account?
    >


    Brock Allen Guest

  16. #15

    Re: impersonation

    Hello Brock,

    Machine$ is only relevant if you are accessing remote files. You can indeed
    ACL local files directly with "NT AUTHORITY\NETWORK SERVICE"

    ---------------------------------------
    Dominick Baier - DevelopMentor
    [url]http://www.leastprivilege.com[/url]
    > If you are running in IIS6, then by default your code is running as
    > "Network Service". You can change the security DACL on the target file
    > to allow MACHINENAME$ access to the file and it should work for you.
    > The ASPNET account is only used (again, by default) when you're
    > running on an IIS5 or 5.1 box -- so Windows 2000 or XP. If you really
    > want your application in IIS6 to run as ASPNET, you can change the
    > identity in the IIS admin tool for the AppPool that your app has been
    > configured as. But every other app in the same AppPool will also be
    > affected. If you choose this approach, then you might want to create a
    > separate AppPool specifically for your application.
    >
    > -Brock
    > DevelopMentor
    > [url]http://staff.develop.com/ballen[/url]
    >> IIS 6.0
    >>
    >> Our developer created a asp.net application. I keep getting an error
    >> on the website:
    >>
    >> Exception Details: System.UnauthorizedAccessException: Access to the
    >> path "D:\Websites\intradev\peoplefind_net\csv\20050428103335.csv" is
    >> denied.
    >>
    >> I have used filemon and found that it is trying to access that
    >> directory structure using nt authority\network service. I need it to
    >> use the local aspnet account. How can I force it to use the aspnet
    >> account?
    >>


    Dominick Baier [DevelopMentor] Guest

  17. #16

    Re: impersonation

    > Machine$ is only relevant if you are accessing remote files. You can
    > indeed ACL local files directly with "NT AUTHORITY\NETWORK SERVICE"
    Oh good point. For some reason I just assumed he was accessing a network
    share, but a mapped drive wouldn't make any sense from ASP.NET anyway. Duh.

    Yeah, listen to what Dom says -- he knows best :)

    -Brock
    DevelopMentor
    [url]http://staff.develop.com/ballen[/url]




    Brock Allen Guest
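    The ACL fix Brock and Dominick arrive at, as an added PowerShell example that is not code from the thread. It uses the csv folder from the error message, assumes that folder is on the web server's local disk (so the principal is NT AUTHORITY\NETWORK SERVICE, as Dominick says) and shows the remote-share variant with a placeholder computer account CORP\WEB01$ (Brock's MACHINENAME$). The icacls and Get-Acl calls are standard Windows tools.

```powershell
# Added example, not from the thread. CORP\WEB01$ is a placeholder for the web
# server's computer account; the folder is the one from the error message.
$Folder  = 'D:\Websites\intradev\peoplefind_net\csv'
$WebRoot = 'D:\Websites\intradev\peoplefind_net'
$Local   = 'NT AUTHORITY\NETWORK SERVICE'   # IIS 6 worker process, local disk
$Remote  = 'CORP\WEB01$'                    # what a file server sees instead

# Grant Modify (read/write/delete) on the csv folder only, inherited by the
# files the application creates there. (OI)(CI) = object/container inherit.
# Modify rather than Full control, and on the csv folder rather than the web
# root: a grant on the root would let any code in the worker process rewrite
# the site itself.
icacls $Folder /grant "${Local}:(OI)(CI)M"

# Same idea when the site lives on a share: the file server never sees
# NETWORK SERVICE, only the machine account, and the share permission must
# allow that account as well.
# icacls '\\FILESRV\sites\csv' /grant "${Remote}:(OI)(CI)M"

# Verify the grant, then confirm the web root did not pick up write access.
icacls $Folder
$writable = (Get-Acl $WebRoot).Access | Where-Object {
    $_.IdentityReference.Value -eq $Local -and
    $_.FileSystemRights -match 'Write|Modify|FullControl'
}
if ($writable) { Write-Warning "$Local can write to $WebRoot; tighten the ACL" }
```

    If the application does get its own AppPool, as Brock suggests, run that pool under a dedicated low-privilege account rather than ASPNET and put that account in the grant above; the point of a separate pool is that a compromise of this application cannot reach the folders of the others sharing NETWORK SERVICE.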

  18. #17

    Re: impersonation

    Thanks guys!
    "Brock Allen" <ballen@NOSPAMdevelop.com> wrote in message
    news:580179632502948550082880@msnews.microsoft.com...
    >> Machine$ is only relevant if you are accessing remote files. You can
    >> indeed ACL local files directly with "NT AUTHORITY\NETWORK SERVICE"
    >
    > Oh good point. For some reason I just assumed he was accessing a network
    > share, but a mapped drive wouldn't make any sense from ASP.NET anyway.
    > Duh.
    >
    > Yeah, listen to what Dom says -- he knows best :)
    >
    > -Brock
    > DevelopMentor
    > [url]http://staff.develop.com/ballen[/url]
    >
    >
    >
    >

    Bad Beagle Guest

  19. #18

    Re: Impersonation

    I faced the same problem while deploying my application in the intranet. I spent a good 2 days searching for a solution to the problem with no luck. One of my seniors gave a solution which solved my problem.
    I was using Windows authentication in my application and had Windows authentication in SQL Server as well. What solved my problem was using SQL Server authentication mode in SQL Server. What I did was create a new user in the database and use that user's credentials to log in to the database in my connection string. And the application worked fine without any problem. Hope this helps someone with the same problem.
    Unregistered Guest
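    Both the fixed impersonation identity from post #8 (<identity impersonate="true" userName="..." password="..." />) and the SQL login in the connection string from the post above put a secret in plain text in web.config. As an added PowerShell example that is not code from the thread, this encrypts those two sections in place with the framework's own aspnet_regiis tool (ASP.NET 2.0 and later; ASP.NET 1.1 has aspnet_setreg for the <identity> credentials instead). It assumes the application is the virtual path /Intranet on the default site, a 64-bit v4 framework, and a placeholder physical path.

```powershell
# Added example, not from the thread. /Intranet and the physical path are
# placeholders; use the framework folder that matches the application pool.
$RegIis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$App    = '/Intranet'
$Config = 'C:\inetpub\wwwroot\Intranet\web.config'

# Encrypt the two sections that carry credentials in this thread:
#   connectionStrings     SQL login used for a fixed, trusted-subsystem identity
#   system.web/identity   userName/password of a fixed impersonation account
# DataProtectionConfigurationProvider uses machine-scoped DPAPI, so the file
# can only be decrypted by processes on this server and no RSA key container
# has to be exported or ACLed. The application keeps reading the sections
# through the normal configuration API; only the bytes on disk change.
& $RegIis -pe 'connectionStrings'   -app $App -prov 'DataProtectionConfigurationProvider'
& $RegIis -pe 'system.web/identity' -app $App -prov 'DataProtectionConfigurationProvider'

# Check: no clear-text password left, encrypted payload present.
$clear = Select-String -Path $Config -Pattern 'password=' -SimpleMatch
$enc   = Select-String -Path $Config -Pattern '<EncryptedData'
if ($clear)    { Write-Warning 'clear-text password still present in web.config' }
if (-not $enc) { Write-Warning 'no EncryptedData element found; encryption did not apply' }

# To change the secret later: decrypt, edit, encrypt again.
# & $RegIis -pd 'connectionStrings' -app $App
```

    The SQL-login approach works because it sidesteps the double hop entirely (the web server presents its own credential, so nothing has to be delegated), but it means SQL Server no longer knows who the end user is; the application has to do its own authorization and log the user name itself. Whichever fixed identity is used, give that SQL login only the rights the application needs, never sysadmin.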
