Integrated Authentication.

  • Thread starter: Tom B

Tom B

In my web.config file I've specified Windows for the authentication, in IIS
I've set it to Integrated Authentication.

But my SQL connection is still showing Anonymous.
Is there somewhere else I need to check?

Thanks


Win 2003, SQL Server 2000
 
Tom,

What do you mean when you say that your SQL connection is still showing
anonymous?

Jim Cheshire [MSFT]
Developer Support
ASP.NET
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.

--------------------
 
Well, I catch the error and write out the Message, which is.....

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

and Profiler shows the same.


 
Tom,

Are you using SQL Server authentication or Windows authentication against
SQL Server? Sounds like you are using Windows, and in that case, you
either need to give the ASP.NET process account access to the SQL Server
database, or you need to impersonate.

Jim Cheshire [MSFT]
Developer Support
ASP.NET
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.


--------------------
 
Impersonate! That's what it is.

It's an intranet, and I'm trying to use Windows Authentication. The odd
thing, is it was working the other day, but when I added some stuff to one
of my classes it stopped working ?!?

So would you (or someone else) be able to sum up the steps required?


1. web.config set authentication to "Windows"
2. SQL Server - set authentication to Windows Only (not really required, I
guess)
3. SQL Server - set permissions for Domain Users
4. IIS Manager set authentication to Integrated Authentication
5. web.config set impersonate on???????????????????????? <-- That's the
part I'm not sure of.


 
Tom,

It can get kind of confusing. Here's more information.

First off, concerning the steps you provided, using Windows authentication
against SQL Server is fine as long as you avoid any delegation of
credentials issues. If SQL Server is on the same box as the Web server, it
will work fine. If you move SQL Server to another box, it will fail
because your credentials will be delegated. Just keep that in mind. If
you move SQL Server, you can still use Windows authentication against it,
but you will need to use delegation and Kerberos authentication.

If you have anonymous enabled in IIS, if you are NOT impersonating, the
application will run under the ASPNET account. If you turn on
impersonation but don't specify a username and password, the application
will run under the anonymous account (IUSR by default). If you specify a
username and password, obviously the application will run under that user.

If you do NOT have anonymous enabled in IIS and you are NOT impersonating,
the application will run under ASPNET. If you do have impersonation
enabled, it will run under the person who is logged into the machine.

One more thing. Above when I say "the application will run under...",
that's really a little misleading. What this really means is that the
WindowsIdentity will refer to the user specified above.

Hope all of that makes some sense.

Jim Cheshire [MSFT]
Developer Support
ASP.NET
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.

--------------------
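A diagnostic for the cases Jim lists above and for step 5 of Tom's list, as an added example that is not part of the original posts: it reports which account the request thread is using and whether that token can reach a SQL Server on a second machine. `IdentityReport` and its method names are hypothetical; the code assumes Windows and .NET Framework 2.0 or later, and the "Basic" authentication-type string is an assumption.

```csharp
// Added example, not code from the thread. Assumes Windows and .NET Framework 2.0+
// (WindowsIdentity.ImpersonationLevel is not available in 1.x).
//
// web.config settings for steps 1 and 5 of Tom's list:
//   <system.web>
//     <authentication mode="Windows" />
//     <identity impersonate="true" />
//   </system.web>
//
// From a page or handler, call IdentityReport.Describe(Context.User.Identity)
// and write the result to a trace or log.
using System;
using System.Security.Principal;

public static class IdentityReport
{
    // requestUser: the identity IIS/ASP.NET authenticated for this request.
    // Call on the request thread, because the thread token is read here.
    public static string Describe(IIdentity requestUser)
    {
        using (WindowsIdentity thread = WindowsIdentity.GetCurrent())
        {
            return "Request user    : " + Show(requestUser) + Environment.NewLine
                 + "Thread identity : " + thread.Name + Environment.NewLine
                 + "Token level     : " + thread.ImpersonationLevel + Environment.NewLine
                 + "Diagnosis       : " + Diagnose(requestUser, thread);
        }
    }

    static string Show(IIdentity id)
    {
        if (id == null || !id.IsAuthenticated) return "(anonymous)";
        return id.Name + " via " + id.AuthenticationType;
    }

    public static string Diagnose(IIdentity requestUser, WindowsIdentity thread)
    {
        bool authenticated = requestUser != null && requestUser.IsAuthenticated;

        // A primary token means no impersonation is active on this thread.
        if (thread.ImpersonationLevel == TokenImpersonationLevel.None)
            return "Not impersonating. Integrated-security connections are made as the "
                 + "process account " + thread.Name + "; give that account a SQL Server "
                 + "login or turn on <identity impersonate=\"true\" />.";

        // Impersonation is on, but IIS did not authenticate the caller.
        if (!authenticated)
            return "Impersonating, but IIS admitted the request anonymously, so the thread "
                 + "is " + thread.Name + " (the IIS anonymous account, or the account named "
                 + "in <identity> if one is set). Disable anonymous access in IIS to get "
                 + "the caller's identity.";

        // Thread account differs from the caller: a userName/password pair is configured.
        if (!string.Equals(thread.Name, requestUser.Name, StringComparison.OrdinalIgnoreCase))
            return "Impersonating the fixed account " + thread.Name + " set in <identity>, "
                 + "not the caller " + requestUser.Name + ".";

        if (thread.ImpersonationLevel == TokenImpersonationLevel.Delegation)
            return "Impersonating the caller with a delegatable (Kerberos) token; "
                 + "it can be presented to SQL Server on another machine.";

        // Assumption: Basic logons are reported with AuthenticationType "Basic".
        if (string.Equals(requestUser.AuthenticationType, "Basic",
                          StringComparison.OrdinalIgnoreCase))
            return "Impersonating the caller after Basic authentication; the web server "
                 + "holds the password and can log on to a remote SQL Server with it.";

        return "Impersonating the caller, but the token level is "
             + thread.ImpersonationLevel + ". This works when SQL Server is on the same "
             + "box; a remote SQL Server receives no credentials and reports "
             + "NT AUTHORITY\\ANONYMOUS LOGON.";
    }

    public static void Main()
    {
        // Console stand-in for a request: treat the process owner as the caller.
        using (WindowsIdentity self = WindowsIdentity.GetCurrent())
            Console.WriteLine(Describe(self));
    }
}
```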
 
OK, so in my scenario.....
machineA is W2K3 IIS machine
machineB is SQL

I want to use Windows authentication.... So I need to set up delegation and
Kerberos authentication, correct?

Man, I think it was easier when I just used sa and a blank password ;)

The other option, is to just set up a user account, and impersonate that
account, right?

Your last paragraph--"it will run under the person who is logged into the
machine"--I assume you mean in the IIS/SQL on the same machine scenario.




 
OK, I found this
http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetHT05.asp?frame=true

I think that should do it.

Thank you so much for your help.

Tom B
 
Actually, this one's better.
http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetch05.asp?frame=true

 
Tom,

Inline.

> I want to use Windows authentication.... So I need to set up delegation and
> Kerberos authentication, correct?

Yes, but only if you are using Windows authentication in SQL Server.

> The other option, is to just set up a user account, and impersonate that
> account, right?

You can, but if you are using Windows authentication in SQL Server, you
will still need to use Kerberos or Basic authentication on the site or it
won't work.

> Your last paragraph--"it will run under the person who is logged into the
> machine"--I assume you mean in the IIS/SQL on the same machine scenario.

This is not related to whether or not SQL Server and IIS are on the same
box. If you enable impersonation and don't have anonymous access enabled,
it will work this way.

Jim Cheshire [MSFT]
Developer Support
ASP.NET
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.
