matt
I have started to put together an ASP.NET 2.0 application which
connects to a SQL server using the logged on identity.
I have read the articles on how to configure the connection string,
web config and active directory servers.
It all seems to work fine from most machines on our network. However I
have found that the connection will fail with a 'Login failed for user
'NT AUTHORITY\ANONYMOUS LOGON' error if the client machine is 'trusted
for delegation' from within active directory.
I have been testing the following small bit of code which runs as an app
on one of the internal webservers:-
' Namespaces this fragment relies on (WindowsIdentity, SqlConnection)
Imports System.Security.Principal
Imports System.Data.SqlClient

Dim impersonationContext As WindowsImpersonationContext
Dim currentWindowsIdentity As WindowsIdentity

' Take the identity of the authenticated caller and impersonate it for this request
currentWindowsIdentity = CType(User.Identity, WindowsIdentity)
impersonationContext = currentWindowsIdentity.Impersonate()

' Report whether the caller's token is anonymous and what impersonation level it carries
Response.Write("anon=" & currentWindowsIdentity.IsAnonymous.ToString & "<BR>")
Response.Write("level=" & currentWindowsIdentity.ImpersonationLevel.ToString & "<BR>")

Try
    ' Second hop: open a SQL connection as the impersonated caller (Integrated Security=SSPI)
    Dim connection As New SqlConnection
    connection.ConnectionString = "packet size=4096;data source=mydbserver;persist security info=True;initial catalog=northwind;Integrated Security=SSPI"
    connection.Open()
    Response.Write("connection made ok " & Date.Now.ToShortDateString & " " & Date.Now.TimeOfDay.ToString)
    connection.Close()
Catch ex As Exception
    Response.Write(ex.Message)
Finally
    ' Revert to the process identity so the impersonation does not outlive this request
    impersonationContext.Undo()
End Try
If I view the page from a number of clients (XP workstations) on the
network I get the following
anon=False
level=Delegation
connection made ok 30/10/2006 09:34:57.6818835
which is fine, all seems ok.
If I access the same page from the webserver itself the impersonation
level changes but the connection still works:
anon=False
level=Impersonation
connection made ok 30/10/2006 09:58:39.1254460
However if I access the page from another server which is set as
'trusted for delegation' the connection fails
anon=False
level=Impersonation
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
Is there any reason why this would occur? It seems an application
cannot use delegation in this way if the client accessing it may be
another server which is 'trusted for delegation', such as another
webserver on the network or a domain controller for example.
Any help would be much appreciated,
Matt.
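The failure above shows up only when the calling machine is itself 'trusted for delegation', so the first thing an administrator would want is a list of which accounts in the directory carry delegation-related flags. The script below is an added example, not code from the post or from Matt; it decodes the documented userAccountControl bits (TRUSTED_FOR_DELEGATION, NOT_DELEGATED, TRUSTED_TO_AUTH_FOR_DELEGATION) and runs over a constructed set of records. The account names and values are made up for illustration; in practice the records would come from an LDAP query for userAccountControl.

```python
"""Audit delegation-related userAccountControl flags (added example, not from the post).

The flag values are the documented Active Directory userAccountControl bits.
The sample records below are constructed for illustration, not real directory data.
"""

# Account-type bits (used only so the constructed samples look realistic)
NORMAL_ACCOUNT = 0x200
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000            # domain controller computer account

# Delegation-related bits
TRUSTED_FOR_DELEGATION = 0x80000         # unconstrained delegation ("trusted for delegation")
NOT_DELEGATED = 0x100000                 # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition


def describe_delegation(uac: int) -> dict:
    """Return which delegation-related flags are set in a userAccountControl value."""
    return {
        "trusted_for_delegation": bool(uac & TRUSTED_FOR_DELEGATION),
        "not_delegated": bool(uac & NOT_DELEGATED),
        "trusted_to_auth_for_delegation": bool(uac & TRUSTED_TO_AUTH_FOR_DELEGATION),
    }


def audit(records) -> list:
    """Flag accounts whose delegation settings deserve review.

    Unconstrained delegation lets the account reuse any caller's credentials, so it is the
    risky setting. NOT_DELEGATED accounts can never produce a Delegation-level token, so a
    second hop made on their behalf cannot carry their identity.
    """
    findings = []
    for rec in records:
        name = rec["sAMAccountName"]
        flags = describe_delegation(rec["userAccountControl"])
        if flags["trusted_for_delegation"]:
            findings.append((name, "unconstrained delegation enabled"))
        if flags["not_delegated"]:
            findings.append((name, "marked sensitive; cannot be delegated on a second hop"))
    return findings


# Constructed sample records (hypothetical names and values).
SAMPLE_RECORDS = [
    # web server whose computer account is 'trusted for delegation'
    {"sAMAccountName": "WEBSRV01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    # plain XP workstation
    {"sAMAccountName": "XPWS-0042$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
    # domain controllers carry TRUSTED_FOR_DELEGATION by default
    {"sAMAccountName": "DC01$", "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    # user account marked "sensitive and cannot be delegated"
    {"sAMAccountName": "dbadmin", "userAccountControl": NORMAL_ACCOUNT | NOT_DELEGATED},
    # service account using constrained delegation with protocol transition
    {"sAMAccountName": "svc-web", "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION},
]


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_RECORDS):
        print(f"{name}: {reason}")
```

Feeding real records to audit() only needs each entry to carry sAMAccountName and an integer userAccountControl, which any LDAP client returns; the constrained-delegation flag is decoded but not reported as a finding because it is the preferred configuration rather than a problem.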