Integrated Security

[Srinivasa Reddy K Ganji]

Hi

I have come across this type of code at many places.

New SqlConnection("Data Source=(local);Initial Catalog=XYZ;Integrated
Security=SSPI;")

I assume that the database connection details are hidden here. What is
"Integrated Security=SSPI"? Can anyone guide me how to set this up using c#.
Also is it possible to set up this type of connections on web sites hosted
with commercial web hosting companies. Any examples, links highly
appreciated.

Thanks in advance,

Reddy

[S. Justin Gengo]

Integrated security mean that the connection to the sql server will be made
using the currently logged in user's credentials.

Here's a good article on how to use integrated security:

[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vbcon/html/vbtskAccessingSQLServerUsingMappedWindowsDomainUse r.asp[/url]

Sincerely,

--
S. Justin Gengo, MCP
Web Developer

Free code library at:
[url]www.aboutfortunate.com[/url]

"Out of chaos comes order."
Nietzche
"Srinivasa Reddy K Ganji" <gksreddy@adsgroup.com> wrote in message
news:ueFWvgPVDHA.2288@TK2MSFTNGP12.phx.gbl...

> Hi
>
> I have come across this type of code at many places.
>
> New SqlConnection("Data Source=(local);Initial Catalog=XYZ;Integrated
> Security=SSPI;")
>
> I assume that the database connection details are hidden here. What is
> "Integrated Security=SSPI"? Can anyone guide me how to set this up using

c#.

> Also is it possible to set up this type of connections on web sites hosted
> with commercial web hosting companies. Any examples, links highly
> appreciated.
>
> Thanks in advance,
>
> Reddy
>
>

[Arnold]

I'm trying to log on to SQL Server 2000 via an ASP.NET
page using SqlClient with integrated security. I get the
error message "invalid login NT_AUTHORITY/ANNONYMOUS". I
believe I have all the correct web.config settigs correct
because I can get the page to work as long as it is on the
same computer as the WebServer (thie sqlserver is on a
different machine). As soon as access the page from a
client (browser not on same machine as web server) I get
the message. I'd appreciate any ideas.

TIA,

Arnold

[Stefan]

do you have the anonymous enabled in the iis?
if so --> disable anonymous
"Arnold" <acurry@softways.com> wrote in message
news:077e01c37861$9500bc00$a301280a@phx.gbl...

> I'm trying to log on to SQL Server 2000 via an ASP.NET
> page using SqlClient with integrated security. I get the
> error message "invalid login NT_AUTHORITY/ANNONYMOUS". I
> believe I have all the correct web.config settigs correct
> because I can get the page to work as long as it is on the
> same computer as the WebServer (thie sqlserver is on a
> different machine). As soon as access the page from a
> client (browser not on same machine as web server) I get
> the message. I'd appreciate any ideas.
>
> TIA,
>
> Arnold

[Arnold]

Forgot to mention the fact that I did have that set but I
realized it and fixed that. So, in answer to your
question, no, anonymous is not enabled.

Arnold

>-----Original Message-----
>do you have the anonymous enabled in the iis?
>if so --> disable anonymous
>"Arnold" <acurry@softways.com> wrote in message
>news:077e01c37861$9500bc00$a301280a@phx.gbl...

>> I'm trying to log on to SQL Server 2000 via an ASP.NET
>> page using SqlClient with integrated security. I get the
>> error message "invalid login NT_AUTHORITY/ANNONYMOUS". I
>> believe I have all the correct web.config settigs

correct

>> because I can get the page to work as long as it is on

the

>> same computer as the WebServer (thie sqlserver is on a
>> different machine). As soon as access the page from a
>> client (browser not on same machine as web server) I get
>> the message. I'd appreciate any ideas.
>>
>> TIA,
>>
>> Arnold

>
>
>.
>

[Stefan]

try to use the impersonation attribute in the web.config file
<identity impersonate="true" />
so you get the identified token from the IIS
"Arnold" <acurry@softways.com> wrote in message
news:175901c3786b$1ed7aa70$a601280a@phx.gbl...

> Forgot to mention the fact that I did have that set but I
> realized it and fixed that. So, in answer to your
> question, no, anonymous is not enabled.
>
> Arnold

> >-----Original Message-----
> >do you have the anonymous enabled in the iis?
> >if so --> disable anonymous
> >"Arnold" <acurry@softways.com> wrote in message
> >news:077e01c37861$9500bc00$a301280a@phx.gbl...

> >> I'm trying to log on to SQL Server 2000 via an ASP.NET
> >> page using SqlClient with integrated security. I get the
> >> error message "invalid login NT_AUTHORITY/ANNONYMOUS". I
> >> believe I have all the correct web.config settigs

> correct

> >> because I can get the page to work as long as it is on

> the

> >> same computer as the WebServer (thie sqlserver is on a
> >> different machine). As soon as access the page from a
> >> client (browser not on same machine as web server) I get
> >> the message. I'd appreciate any ideas.
> >>
> >> TIA,
> >>
> >> Arnold

> >
> >
> >.
> >

[Arnold]

Yes, that is set also.

>-----Original Message-----
>try to use the impersonation attribute in the web.config

file

><identity impersonate="true" />
>so you get the identified token from the IIS
>"Arnold" <acurry@softways.com> wrote in message
>news:175901c3786b$1ed7aa70$a601280a@phx.gbl...

>> Forgot to mention the fact that I did have that set but

I

>> realized it and fixed that. So, in answer to your
>> question, no, anonymous is not enabled.
>>
>> Arnold

>> >-----Original Message-----
>> >do you have the anonymous enabled in the iis?
>> >if so --> disable anonymous
>> >"Arnold" <acurry@softways.com> wrote in message
>> >news:077e01c37861$9500bc00$a301280a@phx.gbl...
>> >> I'm trying to log on to SQL Server 2000 via an

ASP.NET

>> >> page using SqlClient with integrated security. I get

the

>> >> error message "invalid login

NT_AUTHORITY/ANNONYMOUS". I

>> >> believe I have all the correct web.config settigs

>> correct

>> >> because I can get the page to work as long as it is

on

>> the

>> >> same computer as the WebServer (thie sqlserver is on

a

>> >> different machine). As soon as access the page from a
>> >> client (browser not on same machine as web server) I

get

>> >> the message. I'd appreciate any ideas.
>> >>
>> >> TIA,
>> >>
>> >> Arnold
>> >
>> >
>> >.
>> >

>
>
>.
>

[Lior Amar]

I'm pretty sure I know what the problem is but before I answer, just tell me
is the WebServer and SQL server on the same machine?

Lior
"Arnold" <acurry@softways.com> wrote in message
news:077e01c37861$9500bc00$a301280a@phx.gbl...

> I'm trying to log on to SQL Server 2000 via an ASP.NET
> page using SqlClient with integrated security. I get the
> error message "invalid login NT_AUTHORITY/ANNONYMOUS". I
> believe I have all the correct web.config settigs correct
> because I can get the page to work as long as it is on the
> same computer as the WebServer (thie sqlserver is on a
> different machine). As soon as access the page from a
> client (browser not on same machine as web server) I get
> the message. I'd appreciate any ideas.
>
> TIA,
>
> Arnold

[Arnold]

No they are not.
Arnold

>-----Original Message-----
>I'm pretty sure I know what the problem is but before I

answer, just tell me

>is the WebServer and SQL server on the same machine?
>
>Lior
>"Arnold" <acurry@softways.com> wrote in message
>news:077e01c37861$9500bc00$a301280a@phx.gbl...

>> I'm trying to log on to SQL Server 2000 via an ASP.NET
>> page using SqlClient with integrated security. I get the
>> error message "invalid login NT_AUTHORITY/ANNONYMOUS". I
>> believe I have all the correct web.config settigs

correct

>> because I can get the page to work as long as it is on

the

>> same computer as the WebServer (thie sqlserver is on a
>> different machine). As soon as access the page from a
>> client (browser not on same machine as web server) I get
>> the message. I'd appreciate any ideas.
>>
>> TIA,
>>
>> Arnold

>
>
>.
>

[Lior Amar]

Strange, the only thing that can mean is no impersonation. When you print
out the System.Security.Principal.WindowsIdentity.GetCurre nt.Name does it
show ASPNET, SYSTEM or the Logged on User? I've seen a couple of instances
where setting the Web.Config does not force impersonation but going into the
Machine.Config and setting the Identity tag to impersonate and the
authorization to Deny="?". Granted both times I saw this, the Machine.Config
had been setup to SYSTEM.

SSPI should not fail when on the same machine so I would look more at your
ASPNET setup. If you can send me the Web.Config and the Machine.Config I
could better help you with it.

Lior,



"Arnold" <acurry@softways.com> wrote in message
news:088701c37885$3c654880$a001280a@phx.gbl...

> No they are not.
> Arnold

> >-----Original Message-----
> >I'm pretty sure I know what the problem is but before I

> answer, just tell me

> >is the WebServer and SQL server on the same machine?
> >
> >Lior
> >"Arnold" <acurry@softways.com> wrote in message
> >news:077e01c37861$9500bc00$a301280a@phx.gbl...

> >> I'm trying to log on to SQL Server 2000 via an ASP.NET
> >> page using SqlClient with integrated security. I get the
> >> error message "invalid login NT_AUTHORITY/ANNONYMOUS". I
> >> believe I have all the correct web.config settigs

> correct

> >> because I can get the page to work as long as it is on

> the

> >> same computer as the WebServer (thie sqlserver is on a
> >> different machine). As soon as access the page from a
> >> client (browser not on same machine as web server) I get
> >> the message. I'd appreciate any ideas.
> >>
> >> TIA,
> >>
> >> Arnold

> >
> >
> >.
> >

[Lewis Wang [MSFT]]

Thanks Stefan, Lior for the suggestions.

Hi Arnold,

It's a Double-Hop Issue. Please check the following links for more
information:

264921 INFO: How IIS Authenticates Browser Clients
[url]http://support.microsoft.com/?id=264921[/url]

What is the Double-Hop Issue?
[url]http://support.microsoft.com/?id=329986#3[/url]

Here are two workarounds:

Method A
When the Web.config file is set to identity impersonate="true"/ and
authentication mode="Windows", use the Anonymous account with the following
settings:

1. On the ASPX page, set the security mechanism to Anonymous only.
2. Clear the Allow IIS to control the password check box.
3. Set the Anonymous account to be a domain user.

Method B

When Web.config and Machine.config are set as follows:

1. When Web.config is set to identity impersonate="false"/ and
authentication mode="Windows"
2. When Machine.config is set to processModel
username=Domain\username,password=secret
3. If identity impersonate="false"/ in the Web.config file, the credentials
of the Base process are used. When you supply a domain user and password,
you make it possible for IIS to pass a primary token to the SQL Server.

Hope this helps.

Best regards,
Lewis

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| Content-Class: urn:content-classes:message
| From: "Arnold" <acurry@softways.com>
| Sender: "Arnold" <acurry@softways.com>
| Subject: Integrated Security
| Date: Thu, 11 Sep 2003 05:38:20 -0700
| Lines: 13
| Message-ID: <077e01c37861$9500bc00$a301280a@phx.gbl>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="iso-8859-1"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
| Thread-Index: AcN4YZUA6DZINxL4SveACWHEjQ5NUw==
| Newsgroups: microsoft.public.dotnet.framework.aspnet.security
| Path: cpmsftngxa06.phx.gbl
| Xref: cpmsftngxa06.phx.gbl
microsoft.public.dotnet.framework.aspnet.security: 6631
| NNTP-Posting-Host: TK2MSFTNGXA11 10.40.1.163
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
|
| I'm trying to log on to SQL Server 2000 via an ASP.NET
| page using SqlClient with integrated security. I get the
| error message "invalid login NT_AUTHORITY/ANNONYMOUS". I
| believe I have all the correct web.config settigs correct
| because I can get the page to work as long as it is on the
| same computer as the WebServer (thie sqlserver is on a
| different machine). As soon as access the page from a
| client (browser not on same machine as web server) I get
| the message. I'd appreciate any ideas.
|
| TIA,
|
| Arnold
|

[Lior Amar]

That was where I was leaning towards but he said that the SQL server and IIS
reside on the same machine which removes the possibility of it being a
double hop. Double hops occur when credential delegation needs to be
transferred from the 1st remote server to subsequent remote servers. This
can only be accomplished using Kerberos v.5 which is available on 2K and up.

From the sound of his problem, I would think it's more in the impersonation
or the fact that ASPNET does just in time impersonation.

Lior,


"Lewis Wang [MSFT]" <v-lwang@online.microsoft.com> wrote in message
news:nNRgxtOeDHA.1112@cpmsftngxa06.phx.gbl...

> Thanks Stefan, Lior for the suggestions.
>
> Hi Arnold,
>
> It's a Double-Hop Issue. Please check the following links for more
> information:
>
> 264921 INFO: How IIS Authenticates Browser Clients
> [url]http://support.microsoft.com/?id=264921[/url]
>
> What is the Double-Hop Issue?
> [url]http://support.microsoft.com/?id=329986#3[/url]
>
> Here are two workarounds:
>
> Method A
> When the Web.config file is set to identity impersonate="true"/ and
> authentication mode="Windows", use the Anonymous account with the

following

> settings:
>
> 1. On the ASPX page, set the security mechanism to Anonymous only.
> 2. Clear the Allow IIS to control the password check box.
> 3. Set the Anonymous account to be a domain user.
>
> Method B
>
> When Web.config and Machine.config are set as follows:
>
> 1. When Web.config is set to identity impersonate="false"/ and
> authentication mode="Windows"
> 2. When Machine.config is set to processModel
> username=Domain\username,password=secret
> 3. If identity impersonate="false"/ in the Web.config file, the

credentials

> of the Base process are used. When you supply a domain user and password,
> you make it possible for IIS to pass a primary token to the SQL Server.
>
> Hope this helps.
>
> Best regards,
> Lewis
>
> This posting is provided "AS IS" with no warranties, and confers no

rights.

>
> --------------------
> | Content-Class: urn:content-classes:message
> | From: "Arnold" <acurry@softways.com>
> | Sender: "Arnold" <acurry@softways.com>
> | Subject: Integrated Security
> | Date: Thu, 11 Sep 2003 05:38:20 -0700
> | Lines: 13
> | Message-ID: <077e01c37861$9500bc00$a301280a@phx.gbl>
> | MIME-Version: 1.0
> | Content-Type: text/plain;
> | charset="iso-8859-1"
> | Content-Transfer-Encoding: 7bit
> | X-Newsreader: Microsoft CDO for Windows 2000
> | X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
> | Thread-Index: AcN4YZUA6DZINxL4SveACWHEjQ5NUw==
> | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> | Path: cpmsftngxa06.phx.gbl
> | Xref: cpmsftngxa06.phx.gbl
> microsoft.public.dotnet.framework.aspnet.security: 6631
> | NNTP-Posting-Host: TK2MSFTNGXA11 10.40.1.163
> | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
> |
> | I'm trying to log on to SQL Server 2000 via an ASP.NET
> | page using SqlClient with integrated security. I get the
> | error message "invalid login NT_AUTHORITY/ANNONYMOUS". I
> | believe I have all the correct web.config settigs correct
> | because I can get the page to work as long as it is on the
> | same computer as the WebServer (thie sqlserver is on a
> | different machine). As soon as access the page from a
> | client (browser not on same machine as web server) I get
> | the message. I'd appreciate any ideas.
> |
> | TIA,
> |
> | Arnold
> |
>

[Arnold]

Lior,
What e-mail should I use to send you my config files?

Arnold

>-----Original Message-----
>Strange, the only thing that can mean is no

impersonation. When you print

>out the

System.Security.Principal.WindowsIdentity.GetCurre nt.Name
does it

>show ASPNET, SYSTEM or the Logged on User? I've seen a

couple of instances

>where setting the Web.Config does not force impersonation

but going into the

>Machine.Config and setting the Identity tag to

impersonate and the

>authorization to Deny="?". Granted both times I saw this,

the Machine.Config

>had been setup to SYSTEM.
>
>SSPI should not fail when on the same machine so I would

look more at your

>ASPNET setup. If you can send me the Web.Config and the

Machine.Config I

>could better help you with it.
>
>Lior,
>
>
>
>"Arnold" <acurry@softways.com> wrote in message
>news:088701c37885$3c654880$a001280a@phx.gbl...

>> No they are not.
>> Arnold

>> >-----Original Message-----
>> >I'm pretty sure I know what the problem is but before I

>> answer, just tell me

>> >is the WebServer and SQL server on the same machine?
>> >
>> >Lior
>> >"Arnold" <acurry@softways.com> wrote in message
>> >news:077e01c37861$9500bc00$a301280a@phx.gbl...
>> >> I'm trying to log on to SQL Server 2000 via an

ASP.NET

>> >> page using SqlClient with integrated security. I get

the

>> >> error message "invalid login

NT_AUTHORITY/ANNONYMOUS". I

>> >> believe I have all the correct web.config settigs

>> correct

>> >> because I can get the page to work as long as it is

on

>> the

>> >> same computer as the WebServer (thie sqlserver is on

a

>> >> different machine). As soon as access the page from a
>> >> client (browser not on same machine as web server) I

get

>> >> the message. I'd appreciate any ideas.
>> >>
>> >> TIA,
>> >>
>> >> Arnold
>> >
>> >
>> >.
>> >

>
>
>.
>