
Impersonation and delegation

Kelly D. Jones - 19 Aug 2003 19:56 GMT
I've read many messages and even more technotes, but I still can't get the
following scenario to work:

I have a Windows 2003 web server and a separate Windows 2000/SQL server,
both in the same Active Directory on our LAN.  I need to flow the user
credentials from 2000/XP clients, to the web server, and then onto the SQL
server.

IIS is set to only allow Windows integrated authentication.

My connection string is "workstation id=C3PO;packet size=4096;integrated
security=SSPI;data source=BUNSEN;persist security info=False;initial
catalog=Website" (I'm using VS.Net 2003)

I set the user account to be "Trusted for delegation".  I set both server
computer accounts to be Trusted for delegation also.

I set the web.config file to:
<identity impersonate="true" />
<authentication mode="Windows" />
<authorization>
   <!-- deny anonymous users first; rules are evaluated top-down -->
   <deny users="?" />
   <allow users="*" />
</authorization>

Authentication works to the web server, but I get the following error when I
try to access the SQL server :
"Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'."

Any tips/help would be greatly appreciated,
---
Kelly D. Jones
kdjones74@hotmail.com
Eric - 20 Aug 2003 03:15 GMT
Try adding "Network Library=DBMSSOCN" for TCP/IP access or "Network
Library=DBNMPNTW" for named pipe access to your connect string.  Most of the
stuff says named pipes won't work so use TCP/IP but we found the opposite to
be true.  Something else to check into is something called a service
principal name.  I'm not too clear on how to set it up or what it does
exactly, our DBA figured it out and set that up.  It has something to do with
helping the credentials get from one server to another when using the web
application.

Eric

> I've read many messages and even more technotes, but I still can't get the
> following scenario to work:
[quoted text clipped - 28 lines]
> Kelly D. Jones
> kdjones74@hotmail.com
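
A diagnostic for the two hops discussed in this thread, added here as an example and not code posted by either participant. It assumes .NET 2.0 or later (for WindowsIdentity.ImpersonationLevel); the class name DelegationCheck is hypothetical, and the connection string combines the one from the question with the "Network Library=DBMSSOCN" setting from the reply.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Text;

// Hypothetical helper (not from the thread): call DelegationCheck.Report()
// from a page running with <identity impersonate="true" />.
public static class DelegationCheck
{
    // Connection string from the question plus the TCP/IP network library
    // suggested in the reply; BUNSEN and Website are the poster's names.
    const string ConnStr =
        "integrated security=SSPI;data source=BUNSEN;" +
        "initial catalog=Website;Network Library=DBMSSOCN";

    public static string Report()
    {
        StringBuilder sb = new StringBuilder();
        WindowsIdentity id = WindowsIdentity.GetCurrent();

        // First hop: who the web server thinks the caller is.
        sb.AppendLine("Web server identity : " + id.Name);
        sb.AppendLine("Authentication type : " + id.AuthenticationType);
        sb.AppendLine("Impersonation level : " + id.ImpersonationLevel);

        // Only a Delegation-level token can be forwarded to another machine.
        if (id.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            sb.AppendLine("Token is not delegable; the SQL hop will not carry this user.");

        // Second hop: ask SQL Server which login it actually received.
        try
        {
            using (SqlConnection cn = new SqlConnection(ConnStr))
            using (SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", cn))
            {
                cn.Open();
                sb.AppendLine("SQL Server login    : " + cmd.ExecuteScalar());
            }
        }
        catch (SqlException ex)
        {
            // With a failed double hop this is the ANONYMOUS LOGON error.
            sb.AppendLine("SQL Server login failed: " + ex.Message);
        }
        return sb.ToString();
    }
}
```

When delegation works, the first and last lines of the report name the same domain user; a level of Impersonation on the web server together with the ANONYMOUS LOGON failure points at the Kerberos setup between the two servers rather than at the page code.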
