Integrated Security


Arnold

I'm trying to log on to SQL Server 2000 via an ASP.NET
page using SqlClient with integrated security. I get the
error message "invalid login NT_AUTHORITY/ANNONYMOUS". I
believe I have all the web.config settings correct
because I can get the page to work as long as it is on the
same computer as the WebServer (the SQL Server is on a
different machine). As soon as I access the page from a
client (browser not on same machine as web server) I get
the message. I'd appreciate any ideas.

TIA,

Arnold
 

Arnold

Forgot to mention the fact that I did have that set but I
realized it and fixed that. So, in answer to your
question, no, anonymous is not enabled.

Arnold
 

Stefan

Try to use the impersonation attribute in the web.config file:
<identity impersonate="true" />
so you get the identified token from IIS.
 

Arnold

Yes, that is set also.

Lior Amar

I'm pretty sure I know what the problem is but before I answer, just tell me
is the WebServer and SQL server on the same machine?

Lior
 

Arnold

No they are not.
Arnold

Lior Amar

Strange, the only thing that can mean is no impersonation. When you print
out the System.Security.Principal.WindowsIdentity.GetCurrent.Name does it
show ASPNET, SYSTEM or the Logged on User? I've seen a couple of instances
where setting the Web.Config does not force impersonation but going into the
Machine.Config and setting the Identity tag to impersonate and the
authorization to Deny="?". Granted both times I saw this, the Machine.Config
had been set up to SYSTEM.

SSPI should not fail when on the same machine so I would look more at your
ASPNET setup. If you can send me the Web.Config and the Machine.Config I
could better help you with it.

Lior,
 

Lewis Wang [MSFT]

Thanks Stefan, Lior for the suggestions.

Hi Arnold,

It's a Double-Hop Issue. Please check the following links for more
information:

264921 INFO: How IIS Authenticates Browser Clients
http://support.microsoft.com/?id=264921

What is the Double-Hop Issue?
http://support.microsoft.com/?id=329986#3

Here are two workarounds:

Method A
When the Web.config file is set to <identity impersonate="true"/> and
<authentication mode="Windows">, use the Anonymous account with the following
settings:

1. On the ASPX page, set the security mechanism to Anonymous only.
2. Clear the Allow IIS to control the password check box.
3. Set the Anonymous account to be a domain user.

Method B

When Web.config and Machine.config are set as follows:

1. When Web.config is set to <identity impersonate="false"/> and
<authentication mode="Windows">
2. When Machine.config is set to processModel
username=Domain\username,password=secret
3. If <identity impersonate="false"/> is in the Web.config file, the credentials
of the Base process are used. When you supply a domain user and password,
you make it possible for IIS to pass a primary token to the SQL Server.

Hope this helps.

Best regards,
Lewis

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| Subject: Integrated Security
| Date: Thu, 11 Sep 2003 05:38:20 -0700
| Newsgroups: microsoft.public.dotnet.framework.aspnet.security
 

Lior Amar

That was where I was leaning towards but he said that the SQL server and IIS
reside on the same machine which removes the possibility of it being a
double hop. Double hops occur when credential delegation needs to be
transferred from the 1st remote server to subsequent remote servers. This
can only be accomplished using Kerberos v.5 which is available on 2K and up.

From the sound of his problem, I would think it's more in the impersonation
or the fact that ASPNET does just in time impersonation.

Lior,
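
Added example, not part of any post in this thread: a C# diagnostic that does the identity print-out suggested above and also reports the token's impersonation level, which is what separates a working hop from the double-hop failure. `DoubleHopCheck`, `Assess`, `Describe`, the two boolean parameters and the `CONTOSO` accounts are hypothetical; `WindowsIdentity.ImpersonationLevel` requires .NET Framework 2.0 or later.

```csharp
using System;
using System.Security.Principal;

// Added diagnostic, not code from the thread. DoubleHopCheck, Assess and Describe
// are hypothetical names; call Describe() from the ASPX page and write out the result.
public static class DoubleHopCheck
{
    // Decision logic kept apart from the token lookup so it can be fed constructed values.
    public static string Assess(string name, TokenImpersonationLevel level,
                                bool clientIsRemote, bool sqlIsRemote)
    {
        if (level == TokenImpersonationLevel.Anonymous ||
            name.EndsWith("ANONYMOUS LOGON", StringComparison.OrdinalIgnoreCase))
            return "anonymous token: the browser user was never authenticated";
        if (level == TokenImpersonationLevel.None)
            return "primary token (process identity, no impersonation): " +
                   "the SQL Server connection uses this account's own credentials";
        if (!clientIsRemote || !sqlIsRemote)
            return "impersonated user, at most one network hop: no double hop involved";
        if (level == TokenImpersonationLevel.Delegation)
            return "delegation-level token: the user's identity can be carried to the remote SQL Server";
        return "impersonation-only token: the second hop reaches SQL Server as an anonymous logon";
    }

    // Reads the identity the current thread runs as, i.e. the one SSPI would present.
    public static string Describe(bool clientIsRemote, bool sqlIsRemote)
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            return string.Format("{0} | auth={1} | level={2} => {3}",
                id.Name, id.AuthenticationType, id.ImpersonationLevel,
                Assess(id.Name, id.ImpersonationLevel, clientIsRemote, sqlIsRemote));
        }
    }

    public static void Main()
    {
        Console.WriteLine(Describe(true, true));
        // Constructed inputs (CONTOSO\alice and CONTOSO\svc-web are made-up accounts):
        Console.WriteLine(Assess(@"CONTOSO\alice", TokenImpersonationLevel.Impersonation, true, true));
        Console.WriteLine(Assess(@"CONTOSO\alice", TokenImpersonationLevel.Impersonation, false, true));
        Console.WriteLine(Assess(@"CONTOSO\svc-web", TokenImpersonationLevel.None, true, true));
    }
}
```

In a page, pass `!Request.IsLocal` as `clientIsRemote` so the result reflects where the browser actually is.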
 

Arnold

Lior,
What e-mail should I use to send you my config files?

Arnold