Subject: impersonate="True" gives login (null) for SQL Server acce

Pedro Gonçalves

Hi,

I have an application using ASP.NET 2.0 that is deployed in IIS 6.0 on a
Win2003 application server.

For that application I'm using Windows authentication and impersonation to
access an SQL Server 2000 on another Win2003 application server through an
integrated security connection string. The domain is Win 2000.

On web.config file I've:
<identity impersonate="true"/>
<authentication mode="Windows"/>

The problem is that when the application tries to open the connection, it gets an
error saying that it can't log on because user '(null) ' is not configured for a
trusted connection.

How can I configure this application and/or IIS to enable this functionality?

Impersonating a specific user doesn't work because the stored procedures that
my web application uses in the database use the caller's user identity a lot to
permit or deny access to tables and inserts or updates. Sometimes the
processing is very different according to the user that calls the SP.

I've read that it might be a problem of configuring the ASP account to "Act as
part of OS", but I don't know exactly how to do it and where to do it. Both
machines, Web Server and Database Server, are in a domain, but they are only
application servers. The domain server is on another computer. The ASP account
on the web server is a local account (on the web server). Do I have to change
the account for asp_wp to a domain account? And where do I give the permission to
"Act as part of OS"? In the Local Group policy of the web server or in the
Domain group policy?

Regards,
Pedro Gonçalves
 
Pedro Gonçalves

Hi Dominick,

In fact, the document you mentioned was very, very good.

But I still have a problem:

The application is also to be accessed over the internet from any computer.

The application users travel a lot, and sometimes need to access the
application from a computer in an internet café or something like that.

The problem that I found is that when you enter the site on a computer where
you are not logged in as one of our domain users, the browser asks you to identify
yourself, which is good, but when the application tries to access the data
server the login (null) problem arises again.

Is there a way to solve this?

Regards,
Pedro Gonçalves
 
Dominick Baier [DevelopMentor]

Hi,

Besides, I wouldn't want any of my users to type in their domain password
at public terminals (key loggers, cache, etc.) -

as the article mentions, this only works if you are doing Kerberos end-to-end
- something you cannot do if the client does not have access to the DC.

If your web server is Windows 2003 and your domain has 2003 functionality
level - you can use a feature called protocol transition to translate NTLM
logins to Kerberos credentials. Otherwise you are out of luck and you have
to re-design the security part of your application.
 
Pedro Gonçalves

Thanks Dominick,

Yes, I'm out of luck! Although my web server is Windows 2003, my domain
controller is Win2000.

Regarding your first comment, I know you're right, but that's what they are
doing when accessing Outlook Web Access...

Regards,
Pedro Gonçalves
 
Joe Kaplan (MVP - ADSI)

As long as you have Win2K DCs, you are stuck with Kerberos to Kerberos
delegation and cannot use constrained delegation either (which is better
from a security standpoint). Once your org migrates to 2K3 native DCs, then
you can use protocol transition and can take advantage of some of these
features.

For the internet version of the site, you might consider using basic
authentication with SSL. That would allow you to capture the user's
plaintext credentials if you need them and could be used as a means of
impersonation as well.

Joe K.
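
Added example (not part of the thread and not code from any of the posters): a small C# helper that can be called from a page of the impersonating application to show what kind of token the request is running under, and therefore whether an integrated-security connection to a remote SQL Server can carry the caller's identity. The class and method names are hypothetical, and the messages are a summary of the double-hop reasoning in the replies above.

```csharp
using System;
using System.Security.Principal;

// Hypothetical diagnostic helper; names are illustrative, not from the thread.
public static class DoubleHopCheck
{
    // Maps the state of the current token to the expected outcome of a
    // second network hop (web server -> SQL Server) with integrated security.
    public static string Classify(string authType, TokenImpersonationLevel level)
    {
        switch (level)
        {
            case TokenImpersonationLevel.Delegation:
                return "Delegatable token: the remote SQL Server sees the caller's identity.";
            case TokenImpersonationLevel.Impersonation:
                if (string.Equals(authType, "NTLM", StringComparison.OrdinalIgnoreCase))
                    return "NTLM logon: usable on this machine only, so the hop to SQL "
                         + "Server is anonymous and the login shows as '(null)'.";
                return "Impersonation-level token that is not delegatable: the hop to SQL "
                     + "Server is anonymous. Check that Kerberos was used end-to-end and "
                     + "that the web server is trusted for delegation.";
            case TokenImpersonationLevel.None:
                return "Primary token (not an impersonated network logon), for example "
                     + "the worker process account.";
            default:
                return "Identification or anonymous token: it cannot be used to access "
                     + "resources, locally or remotely.";
        }
    }

    // Call while impersonation is active, e.g. from Page_Load.
    public static string DescribeCurrent()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            return string.Format("{0} | auth={1} | level={2} | {3}",
                id.Name, id.AuthenticationType, id.ImpersonationLevel,
                Classify(id.AuthenticationType, id.ImpersonationLevel));
        }
    }
}
```

Writing the result of `DoubleHopCheck.DescribeCurrent()` to the page once from a domain-joined client and once from an outside machine shows the difference between the two cases discussed in the thread.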
 
