.NET Windows authentication

Bryan · Oct 8, 2003

I have a vb.net application that connects to Web Service
pages *.asmx running on a local instance of IIS. These
webservices connect to a SQL server on another machine.
The web services are set to impersonate user, and Windows
authentication. All is well.

Next, I moved the webservices to another server running
IIS, which happens to be the SAME machine as SQL server
that these services connect to. My app can connect to the
Web service pages, but the web service fails to propgate
the CLIENT user/login credentials to the SQL server, and
it uses the NT AUTHORITY\Anonymous account for some reason.

I can't figure it out, but I've heard mention of similar
issues being solved with modifications to
Machine.config... any ideas?

The point of this is that I want to use the SQL SUSER_SNAME
() functions to restrict/change the views in SQL, so that
function needs to return the username of the authenticated
client.

Chris Botha · Oct 9, 2003

If you did not change anything in the Web Services connection string for the
database, nor in the Web.config file, then it may be that you forgot to turn
off Anonymous access for the virtual directory on the new server. To test
the user connecting to the Web Service, add a function GetConnectingUser or
something to it, and return
System.Security.Principal.WindowsIdentity.GetCurrent().Name
Just call it with IE and check what it returns.

Kevin Yu [MSFT] · Oct 9, 2003

Hi Bryan,

This issue might be caused by anonymous acess in IIS. Try to turn off
anonymous access in IIS to see if it works. When your webservice connects
to a SQL server, it uses the impersonated account to create a connection.
If the anonymous access is turned on, the account is impersonated as IUSER
on the machine. IUSER might don't have the privilege to connect to the SQL
server. So the connection failed.

To turn off anonymous access, right click you webservice in IIS and choose
properties in popup menu. Choose Directory Security tab, and click Edit
button. Uncheck Anonymous Access and click OK.

If anything is unclear, please feel free to reply to the post.

Kevin Yu
=======
"This posting is provided "AS IS" with no warranties, and confers no
rights."

--------------------
| Content-Class: urn:content-classes:message
| From: "Bryan" <[email protected]>
| Sender: "Bryan" <[email protected]>
| Subject: .NET Windows authentication
| Date: Wed, 8 Oct 2003 13:41:18 -0700
| Lines: 21
| Message-ID: <[email protected]>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="iso-8859-1"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
| Thread-Index: AcON3IaOF0znyWCvR+S8mtdjfOg/2Q==
| Newsgroups: microsoft.public.dotnet.framework.windowsforms
| Path: cpmsftngxa06.phx.gbl
| Xref: cpmsftngxa06.phx.gbl
microsoft.public.dotnet.framework.windowsforms:54006
| NNTP-Posting-Host: TK2MSFTNGXA09 10.40.1.161
| X-Tomcat-NG: microsoft.public.dotnet.framework.windowsforms
|
| I have a vb.net application that connects to Web Service
| pages *.asmx running on a local instance of IIS. These
| webservices connect to a SQL server on another machine.
| The web services are set to impersonate user, and Windows
| authentication. All is well.
|
| Next, I moved the webservices to another server running
| IIS, which happens to be the SAME machine as SQL server
| that these services connect to. My app can connect to the
| Web service pages, but the web service fails to propgate
| the CLIENT user/login credentials to the SQL server, and
| it uses the NT AUTHORITY\Anonymous account for some reason.
|
| I can't figure it out, but I've heard mention of similar
| issues being solved with modifications to
| Machine.config... any ideas?
|
| The point of this is that I want to use the SQL SUSER_SNAME
| () functions to restrict/change the views in SQL, so that
| function needs to return the username of the authenticated
| client.
|

Bryan · Oct 9, 2003

Gentlemen,
IIS anonymous is turned off (I should have mentioned
that); only windows integrated security is turned on, and
Integrated Security is specified in the connection string.

Upon further investigation (SQL Trace) I found that the
proper login credentials ARE passed to SQL because the
first two procedures run properly on SQL.

When my application starts, it displays a splash screen
while connecting/initializing. It runs the two startup
procedures, writes an event log entry (with data from the
procedures), then I get an "Application has generated an
exception that can not be handled" dialog box with a
thread and process ID, forcing a quit.

The above code is in a Sub Main(). Sub Main ends with the
following line, which may be the culprit:

Application.Run(pxMainForm)

Where pxMainForm is the primary MDI form.

I'm new to the whole code access security stuff, so I
tested giving all code Full Access, but that didn't work
either.

Thanks for your help,
Bryan

Kevin Yu [MSFT] · Oct 10, 2003

Hi Bryan,

I'm currently researching on this issue and will update you as soon as I
get any progress.

Kevin Yu
=======
"This posting is provided "AS IS" with no warranties, and confers no
rights."

--------------------
| Content-Class: urn:content-classes:message
| From: "Bryan" <[email protected]>
| Sender: "Bryan" <[email protected]>
| References: <[email protected]>
<[email protected]>
| Subject: RE: .NET Windows authentication
| Date: Thu, 9 Oct 2003 05:41:05 -0700
| Lines: 31
| Message-ID: <[email protected]>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="iso-8859-1"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
| Thread-Index: AcOOYptBIE2iehfIRSKSU18HQokBIQ==
| Newsgroups: microsoft.public.dotnet.framework.windowsforms
| Path: cpmsftngxa06.phx.gbl
| Xref: cpmsftngxa06.phx.gbl
microsoft.public.dotnet.framework.windowsforms:54052
| NNTP-Posting-Host: TK2MSFTNGXA12 10.40.1.164
| X-Tomcat-NG: microsoft.public.dotnet.framework.windowsforms
|
| Gentlemen,
| IIS anonymous is turned off (I should have mentioned
| that); only windows integrated security is turned on, and
| Integrated Security is specified in the connection string.
|
| Upon further investigation (SQL Trace) I found that the
| proper login credentials ARE passed to SQL because the
| first two procedures run properly on SQL.
|
| When my application starts, it displays a splash screen
| while connecting/initializing. It runs the two startup
| procedures, writes an event log entry (with data from the
| procedures), then I get an "Application has generated an
| exception that can not be handled" dialog box with a
| thread and process ID, forcing a quit.
|
| The above code is in a Sub Main(). Sub Main ends with the
| following line, which may be the culprit:
|
| Application.Run(pxMainForm)
|
| Where pxMainForm is the primary MDI form.
|
| I'm new to the whole code access security stuff, so I
| tested giving all code Full Access, but that didn't work
| either.
|
| Thanks for your help,
| Bryan
|
|
|

Scot Rose [MSFT] · Oct 10, 2003

Are you getting any authentication errors? Do you have the same Web.config file? Did you check Chris's suggestion of making sure you have Annon Access turned of on the
virtual directory?

Scot Rose, MCSD
Microsoft Visual Basic Developer Support
Email : (e-mail address removed) <Remove word online. from address>

This posting is provided “AS IS”, with no warranties, and confers no rights.

Get Secure!
http://www.microsoft.com/security
http://www.microsoft.com/protect

--------------------

Bryan · Oct 10, 2003

Scot,

My reply under Kevin's has more info, including the turned
off virtual directory.

No authentication errors are logged. Again, it does
connect to SQL with the login, but then throws an
exception.

I copied the bin directory from the development machine to
the target server. Then, I updated the "client" app.config
file to point to the new URL of it's web reference, which,
by getting data from SQL, appears to be working.. for two
DB calls, that is.

Are you getting any authentication errors? Do you have

the same Web.config file? Did you check Chris's suggestion
of making sure you have Annon Access turned of on the

Bryan · Oct 10, 2003

Well, you're not going to belive this, but I found it to
be a missing reference to a shared library...

I have the following line

AddHandler AppDomain.CurrentDomain.UnhandledException,
AddressOf MyUnhandledException

at the beginning of sub Main() but it failed to trap the
exception. I found this "global error handler" on msdn
and it seems to work in most cases, but not all.

Michael Bray · Oct 10, 2003

Well, you're not going to belive this, but I found it to
be a missing reference to a shared library...

I have the following line

AddHandler AppDomain.CurrentDomain.UnhandledException,
AddressOf MyUnhandledException

at the beginning of sub Main() but it failed to trap the
exception. I found this "global error handler" on msdn
and it seems to work in most cases, but not all.

My experience with this handler is that you can't stop the application from
crashing, but you can perform additional handling, such as reporting the
error to a log server or similar feedback. If you don't do anything in the
handler (such as MessageBox.Show(...)) then you may not realize that the
handler has indeed fired.

-mbray

Kevin Yu [MSFT] · Oct 13, 2003

Hi Bryan,

I'm glad to hear that you've found a problem. Is this the reason why no
authentication errors are logged or cannot log on to SQL server? If you
still cannot get it work, please give me some logged error message, I'll be
glad to help.

If anything is unclear, please feel free to reply to the post.

Kevin Yu
=======
"This posting is provided "AS IS" with no warranties, and confers no
rights."

--------------------
| Content-Class: urn:content-classes:message
| From: "Bryan" <[email protected]>
| Sender: "Bryan" <[email protected]>
| References: <[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
| Subject: RE: .NET Windows authentication
| Date: Fri, 10 Oct 2003 10:03:23 -0700
| Lines: 11
| Message-ID: <[email protected]>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="iso-8859-1"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
| Thread-Index: AcOPUGncFa0M6Y/0Rqewlf2mVew6Dw==
| Newsgroups: microsoft.public.dotnet.framework.windowsforms
| Path: cpmsftngxa06.phx.gbl
| Xref: cpmsftngxa06.phx.gbl
microsoft.public.dotnet.framework.windowsforms:54174
| NNTP-Posting-Host: TK2MSFTNGXA11 10.40.1.163
| X-Tomcat-NG: microsoft.public.dotnet.framework.windowsforms
|
| Well, you're not going to belive this, but I found it to
| be a missing reference to a shared library...
|
| I have the following line
|
| AddHandler AppDomain.CurrentDomain.UnhandledException,
| AddressOf MyUnhandledException
|
| at the beginning of sub Main() but it failed to trap the
| exception. I found this "global error handler" on msdn
| and it seems to work in most cases, but not all.
|

Kevin Yu [MSFT] · Oct 17, 2003

Hi Bryan,

I'd like to know if this issue has been resolve. Is there anything that I
can help? I'm still monitoring on this issue.

Kevin Yu
=======
"This posting is provided "AS IS" with no warranties, and confers no
rights."

--------------------
| Content-Class: urn:content-classes:message
| From: "Bryan" <[email protected]>
| Sender: "Bryan" <[email protected]>
| Subject: .NET Windows authentication
| Date: Wed, 8 Oct 2003 13:41:18 -0700
| Lines: 21
| Message-ID: <[email protected]>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="iso-8859-1"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
| Thread-Index: AcON3IaOF0znyWCvR+S8mtdjfOg/2Q==
| Newsgroups: microsoft.public.dotnet.framework.windowsforms
| Path: cpmsftngxa06.phx.gbl
| Xref: cpmsftngxa06.phx.gbl
microsoft.public.dotnet.framework.windowsforms:54006
| NNTP-Posting-Host: TK2MSFTNGXA09 10.40.1.161
| X-Tomcat-NG: microsoft.public.dotnet.framework.windowsforms
|
| I have a vb.net application that connects to Web Service
| pages *.asmx running on a local instance of IIS. These
| webservices connect to a SQL server on another machine.
| The web services are set to impersonate user, and Windows
| authentication. All is well.
|
| Next, I moved the webservices to another server running
| IIS, which happens to be the SAME machine as SQL server
| that these services connect to. My app can connect to the
| Web service pages, but the web service fails to propgate
| the CLIENT user/login credentials to the SQL server, and
| it uses the NT AUTHORITY\Anonymous account for some reason.
|
| I can't figure it out, but I've heard mention of similar
| issues being solved with modifications to
| Machine.config... any ideas?
|
| The point of this is that I want to use the SQL SUSER_SNAME
| () functions to restrict/change the views in SQL, so that
| function needs to return the username of the authenticated
| client.
|

Bryan · Oct 17, 2003

Kevin, it's closed... Thanks for your help.

Regards,
Bryan C. Weis

Kevin Yu [MSFT] · Oct 18, 2003

.NET Windows authentication

Bryan

Chris Botha

Kevin Yu [MSFT]

Bryan

Kevin Yu [MSFT]

Scot Rose [MSFT]

Bryan

Bryan

Michael Bray

Kevin Yu [MSFT]

Kevin Yu [MSFT]

Bryan

Kevin Yu [MSFT]