ASP.NET Integrated Authentication

Thread starter: Guest

I'm developing a web application for our local intranet that will allow users
to pull up a webpage and update, delete or insert records into a database,
as well as run reports etc...

Our DB server is on a Win2k3 OS using SQL Server 2000
Our Web server is on a separate Win2k3 OS using IIS 6
Both the servers and the clients are part of the same domain.

We've turned anonymous access off on the web and are passing the integrated
authentication from the client's machine (through their domain login). The
user has been granted all the correct permission to the database server and
the database that will be updated. However it seems like the authentication
is being passed to the web server and then the web server is passing a
different set of authentication on to the database server? The
authentication it is passing on to the database server is DOMAIN\MACHINENAME$.

If we add that machine name to the SQL Server as having permission to do the
update/delete/select we can get the app to work just fine. However, what we
want to do is to pass the clients authentication on to the database server...
not the web server’s authentication.

Any help I could get would be much appreciated..... this is driving me nuts
and seems like a pretty common practice (having the db and the web on two
separate machines).

Thanks in advance.
Josh
 
What logon information are you putting in your connection string to connect
to the database?
 
Here's the connection string:

server=SERVER001.dom.corp.azs.com;initial catalog=2dbmn;Integrated Security=SSPI;database=2dbmn;
 
So, you're probably connecting to the database as the user that runs the
ASP.NET worker process.

You probably need to turn on impersonation in the web.config file to "pass
through" the credentials.

Add this to your web.config file:

<identity impersonate="true"/>
<authentication mode="Windows"/>

Let us know how you go.
 
It is a restriction of the NTLM authentication protocol - your users'
credentials cannot make a double hop across the network. The first hop is
from the user's workstation to your web server. The second hop is to the
database. To implement this, you need to use Kerberos authentication.

There are some good articles on MSDN on security that will be able to
explain the situation, and your options, much better than I can.

HTH
Dan
 
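The two answers above (turn on impersonation, then check whether the token can survive the second hop to SQL Server) can be verified from inside the application instead of guessing. The following diagnostic page is an added example, not code from this thread or from Microsoft: it prints who IIS authenticated, whose token the ASP.NET thread is actually running with, the token's impersonation level, and which login SQL Server sees. The server and database names are the ones Josh posted; the page name WhoAmI, the Output literal control and the .NET 2.0 or later requirement (for WindowsIdentity.ImpersonationLevel) are assumptions.

```csharp
// Added diagnostic page (example, not from the thread). Save as WhoAmI.aspx.cs
// next to a WhoAmI.aspx that declares <asp:Literal ID="Output" runat="server" />.
// Requires <authentication mode="Windows"/> and anonymous access off, as in the thread.
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class WhoAmI : Page
{
    // Server and database names as posted in the thread; same Integrated Security=SSPI
    // form, so the connection uses whatever token the calling thread holds.
    const string ConnStr =
        "server=SERVER001.dom.corp.azs.com;database=2dbmn;Integrated Security=SSPI;";

    protected void Page_Load(object sender, EventArgs e)
    {
        var report = new StringBuilder();

        // 1. Who IIS authenticated and with which protocol. AuthenticationType is
        //    "NTLM", "Kerberos" or "Negotiate"; NTLM can never make the second hop.
        IIdentity web = HttpContext.Current.User.Identity;
        Line(report, "Request user", web.Name + " (" + web.AuthenticationType + ")");

        // 2. Whose token the worker thread is running with. Without
        //    <identity impersonate="true"/> this is the worker-process account,
        //    which SQL Server sees as DOMAIN\MACHINENAME$ for Network Service.
        WindowsIdentity thread = WindowsIdentity.GetCurrent();
        Line(report, "Thread identity", thread.Name);

        // 3. The decisive value for the double hop. "Impersonation" means the token
        //    is only usable on this box, so SQL Server gets an anonymous (NULL) login;
        //    "Delegation" means a Kerberos ticket that can be forwarded to SQL Server.
        Line(report, "Impersonation level", thread.ImpersonationLevel.ToString());

        // 4. Ask SQL Server which login it actually authenticated.
        try
        {
            using (var conn = new SqlConnection(ConnStr))
            using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
            {
                conn.Open();
                Line(report, "SQL Server sees", Convert.ToString(cmd.ExecuteScalar()));
            }
        }
        catch (SqlException ex)
        {
            // A "user '(null)'" login failure here, with level Impersonation above,
            // is the NTLM double-hop symptom described in the thread.
            Line(report, "SQL Server error", ex.Message);
        }

        Output.Text = report.ToString();
    }

    // Encode every value so account names and error text render safely in the page.
    static void Line(StringBuilder sb, string label, string value)
    {
        sb.Append(HttpUtility.HtmlEncode(label))
          .Append(": ")
          .Append(HttpUtility.HtmlEncode(value))
          .Append("<br/>");
    }
}
```

Reading the output: if "Thread identity" still shows the machine account, impersonation is not in effect and the web.config change from the earlier reply has not been picked up. If it shows the user but the level is Impersonation and the protocol is NTLM, the token cannot leave the web server, which is the restriction Dan describes; the fix is Kerberos with delegation (SPNs registered for the IIS and SQL services and the web server's computer account trusted for delegation, ideally constrained to the SQL service only), or a dedicated service account for the database connection with authorization enforced in the application rather than per user.
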
Thanks a bunch for the help... unfortunately... after I do that I start
getting a permission denied for user <NULL> error. After doing some more
research I think this issue is more around the comments that Dan Kelley had
posted below. Though I believe I am using Kerberos authentication (since I'm
on an Active Directory domain). I'll post what I find here on the site once I
figure it out. Thanks again... and if you have any additional thoughts
please let me know.
Josh
 