IIS 6 and Windows Authentication to SQL Server 2000

mcollier

I am running a Windows Server 2003 machine as my web server. I would
like to use Windows authentication for connections to my SQL Server
2000 instance on a Windows 2000 server. I've read where mirroring the
ASPNET account and password on the web server and SQL server would
work. However, with IIS 6, ASP.NET runs under the 'NT
AUTHORITY\NETWORK SERVICE' account. Should I change the password of
the 'NT AUTHORITY\NETWORK SERVICE' account to something I know, and
create a mirrored 'NETWORK SERVICE' account on my SQL server? Or,
should I create another user like 'MY_WEB_USER' and mirror that on both
machines?

In short, how do I get Windows authentication to work between a Windows
Server 2003 web server and a Windows 2000 SQL server?

Thanks!
 
Guest

If you are truly using Windows Authentication, i.e. a user has an account on
the domain as well as SQL Server, you will do the following:

1. Ensure the user cannot sign in as anonymous
2. Add their account to a group that has SQL rights

You may mean "bastardized windows authentication", meaning SQL Server uses
Windows Authentication, but you are using anon accounts in IIS. If you go
this route, you are advised to impersonate an account rather than give a
local account rights on another box. One way to easily do this is to place
the assembly in COM+ and declaratively assign a domain account to the
application.


---

Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

***************************
Think Outside the Box!
***************************
 
Vikram Vamshi

Hi,
Are both the servers in the same domain?
If so, create a domain user account and switch the identity of the ASP.NET
worker process to this account. You can do this by creating a new
application pool in IIS6.

Now configure this account as a login for SQL Server.

Don't forget to add this user to the IIS_WPG group on your Win2K3 machine.

HTH
 
mcollier

Both servers are not in the same domain. I've done this before when I
had two Windows 2000 servers. Having one Windows 2003 and one Windows
2000 server seems to be somewhat more confusing.
 
Vikram Vamshi

What you did for Windows 2000 should still work for Win2K3.

Create a user on both the machines with the same username and password.
Then configure the ASP.NET worker process to run under this user account on
the win2k3 machine and configure SQL on the win2k machine to accept this user
as a valid login.

As long as the username/password are same on both the machines this should
work.

hth
 
mcollier

Ok, I think I see where you're going with this. I was thinking I could
use the ASPNET or NETWORK SERVICE account for both servers. But, that
doesn't appear to be the case. What you're saying is that I could
create a user on both servers, for example MY_WEB_USER. Then, set the
ASP.NET worker process to run as this account. I would also need to
give that user the correct permissions (similar to NETWORK SERVICE
probably). Sound about right?
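
The SQL Server side of the mirrored-account setup discussed in this thread, as an added example that is not part of any poster's message: it registers the local MY_WEB_USER account as a Windows login on the SQL Server 2000 machine and limits it to one database. The machine name SQLHOST, the database AppDb and the procedure dbo.usp_GetOrders are placeholder names assumed for illustration.

```sql
-- Added example. SQLHOST, AppDb and dbo.usp_GetOrders are placeholders.
-- Run on the SQL Server 2000 machine as a sysadmin, after the local Windows
-- account MY_WEB_USER has been created there with the same password it has
-- on the web server.

-- 1. Allow the local Windows account to log in. No SQL password is stored;
--    the server validates the Windows credentials of the worker process.
EXEC sp_grantlogin N'SQLHOST\MY_WEB_USER'
EXEC sp_defaultdb  N'SQLHOST\MY_WEB_USER', N'AppDb'
GO

-- 2. Map the login to a user in the application database only.
USE AppDb
GO
EXEC sp_grantdbaccess N'SQLHOST\MY_WEB_USER', N'MY_WEB_USER'
GO

-- 3. Grant only what the site needs: read access plus EXECUTE on the
--    procedures it calls, rather than db_owner.
EXEC sp_addrolemember N'db_datareader', N'MY_WEB_USER'
GRANT EXECUTE ON dbo.usp_GetOrders TO MY_WEB_USER
GO

-- 4. Verify the result. sysadmin should be 0, hasaccess 1, denylogin 0.
--    Also keep MY_WEB_USER out of the local Administrators group on
--    SQLHOST: SQL Server 2000 makes BUILTIN\Administrators a sysadmin
--    by default, and that membership does not show up in this row.
SELECT name, sysadmin, hasaccess, denylogin
FROM   master.dbo.syslogins
WHERE  name = N'SQLHOST\MY_WEB_USER'

EXEC sp_helpuser N'MY_WEB_USER'
GO
```

With the login in place, the ASP.NET connection string uses `Integrated Security=SSPI` and carries no user name or password.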
 
