IIS passing server credentials rather than user credentials

We are developing a web app using IIS6, ASP .Net 2.0 on a Win2003 box.
We are using VS2005 and building for .Net 2.0 framework.

We set IIS up to use integrated security. However when I access the
application through IE, it cannot connect to the server. When I check
the SQL Server logs, I see a failed attempt to login by <domain
name>\<web server name>. It looks like it is using the credentials
under which the web server is running.

The desired behavior is to use the profile of the domain user who is
using IE.

When I give <domain name>\<web server name> explicit access to the SQL
Server DB, it *can* connect.

This reeks of a misconfiguration. What could we be doing wrong?

TIA

You need to verify that:

a) the browser (IE) is actually using Kerberos to authenticate to IIS, not
NTLM. NTLM is not natively delegatable. What is the URL you are using to
connect to? If it is in the Internet security zone, you will need to
manually add it to IE's Intranet security zone.

b) you need to verify that the IIS server is permitted to delegate in Active
Directory (either the machine account if you are running the web app pool as
a built-in principal like Network Service, or the user account if you are
using a custom domain account)

c) you need to verify that your Kerberos SPNs (Service Principal Names) are
correctly configured. This is done automatically if you are connecting to
http://servername or http://servername.domain.com. However if you have
created an additional DNS CNAME or A record for this website, or you are
using the IP address of the server, then you may need to change/update your
Kerberos SPNs.

Cheers
Ken

"cfs" <way***@hotmail.com> wrote in message
news:1152129654.720884.259350@v61g2000cwv.googlegroups.com...
> We are developing a web app using IIS6, ASP .Net 2.0 on a Win2003 box.
> We are using VS2005 and building for .Net 2.0 framework.
>
> We set IIS up to use integrated security. However when I access the
> application through IE, it cannot connect to the server. When I check
> the SQL Server logs, I see a failed attempt to login by <domain
> name>\<web server name>. It looks like it is using the credentials
> under which the web server is running.
>
> The desired behavior is to use the profile of the domain user who is
> using IE.
>
> When I give <domain name>\<web server name> explicit access to the SQL
> Server DB, it *can* connect.
>
> This reeks of a misconfiguration. What could we be doing wrong?
>
> TIA

Fixed it. Thanks...

Ken Schaefer wrote:
> You need to verify that:
> a) the browser (IE) is actually using Kerberos to authenticate to IIS, not
> NTLM. NTLM is not natively delegatable. What is the URL you are using to
> connect to? If it is in the Internet security zone, you will need to
> manually add it to IE's Intranet security zone.
>
> b) you need to verify that the IIS server is permitted to delegate in Active
> Directory (either the machine account if you are running the web app pool as
> a built-in principal like Network Service, or the user account if you are
> using a custom domain account)
>
> c) you need to verify that your Kerberos SPNs (Service Principal Names) are
> correctly configured. This is done automatically if you are connecting to
> http://servername or http://servername.domain.com. However if you have
> created an additional DNS CNAME or A record for this website, or you are
> using the IP address of the server, then you may need to change/update your
> Kerberos SPNs.
>
> Cheers
> Ken
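
Check (a) in Ken Schaefer's reply can be made from a captured request, because the first `Authorization` header the browser sends shows whether it chose Kerberos or NTLM. The following is an added example, not code from the thread: the function name and the sample headers are constructed for illustration, and the classification is a heuristic based on the NTLMSSP signature and the Kerberos mechanism OIDs.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"                           # raw NTLM message signature
# DER-encoded mechanism OIDs found in an initial SPNEGO/GSS-API token
OID_SPNEGO = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")      # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")   # 1.2.840.48018.1.2.2
OID_NTLM = bytes.fromhex("060a2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10


def classify_authorization(header_value):
    """Return 'kerberos', 'ntlm', 'unknown' or 'not-integrated' for one header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "not-integrated"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "unknown"
    if token.startswith(NTLMSSP_SIG):
        return "ntlm"                  # bare NTLM message: not delegatable
    if token[:1] == b"\x60":           # GSS-API initial context token
        if NTLMSSP_SIG in token:
            return "ntlm"              # NTLM message carried inside SPNEGO
        if OID_KRB5 in token or OID_MS_KRB5 in token:
            return "kerberos"          # Kerberos mechanism present, no NTLM message
    return "unknown"


def negotiate_header(raw):
    return "Negotiate " + base64.b64encode(raw).decode("ascii")


# Constructed, truncated samples (not captured traffic; length fields are illustrative).
SAMPLE_KERBEROS = negotiate_header(
    b"\x60\x82\x05\x00" + OID_SPNEGO + b"\xa0\x82\x04\xf4\x30\x82\x04\xf0"
    + b"\xa0\x24\x30\x22" + OID_MS_KRB5 + OID_KRB5 + OID_NTLM  # NTLM listed only as fallback
    + b"\xa2\x82\x04\xc6\x04\x82\x04\xc2\x60\x82\x04\xbe" + OID_KRB5 + b"\x01\x00")
SAMPLE_NTLM_RAW = negotiate_header(NTLMSSP_SIG + bytes.fromhex("01000000078208a2") + bytes(16))
SAMPLE_NTLM_SPNEGO = negotiate_header(
    b"\x60\x40" + OID_SPNEGO + b"\xa0\x36\x30\x34\xa0\x0e\x30\x0c" + OID_NTLM
    + b"\xa2\x22\x04\x20" + NTLMSSP_SIG + bytes.fromhex("01000000078208a2") + bytes(16))

if __name__ == "__main__":
    for name in ("SAMPLE_KERBEROS", "SAMPLE_NTLM_RAW", "SAMPLE_NTLM_SPNEGO"):
        print(name, "->", classify_authorization(globals()[name]))
```

A header whose base64 payload begins with `TlRMTVNT` is NTLM, and one beginning with `YII` is a GSS-API token that normally carries Kerberos; only the initial token of the exchange is handled here.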

On 5 Jul 2006 13:00:54 -0700, "cfs" <way***@hotmail.com> wrote:

>We are developing a web app using IIS6, ASP .Net 2.0 on a Win2003 box.
>We are using VS2005 and building for .Net 2.0 framework.
>
>We set IIS up to use integrated security. However when I access the
>application through IE, it cannot connect to the server. When I check
>the SQL Server logs, I see a failed attempt to login by <domain
>name>\<web server name>. It looks like it is using the credentials
>under which the web server is running.
>
>The desired behavior is to use the profile of the domain user who is
>using IE.
>
>When I give <domain name>\<web server name> explicit access to the SQL
>Server DB, it *can* connect.
>
>This reeks of a misconfiguration. What could we be doing wrong?

Is IE set to remember passwords? If so it may not pass the correct
credentials.

Jeff

"Jeff Cochran" <jeff.nospam@zina.com> wrote in message
news:44b07326.794595046@msnews.microsoft.com...
> Is IE set to remember passwords? If so it may not pass the correct
> credentials.

True, but that would not result in the server's machine account being used
to login to SQL Server.

Cheers
Ken

On Thu, 6 Jul 2006 16:22:20 +1000, "Ken Schaefer"
<kenREM***@THISadOpenStatic.com> wrote:

>True, but that would not result in the server's machine account being used
>to login to SQL Server

It happens here. IE is used to access a domain that isn't in the
intranet zone. User logs in and IE remembers the password. From
there on, the credentials become whatever account was used on the
server. Using Windows authentication in SQL, it passes the server's
login, not the user's. Bugged the heck out of us for about three
weeks until we tracked it down. Even after the domain is added to the
intranet zone, the user becomes the server account for some reason.

Haven't done any diagnostics beyond this to track down what's going on,
so can't say it's his issue.

Jeff

"Jeff Cochran" <jeff.nospam@zina.com> wrote in message
news:44b1ee82.160039828@msnews.microsoft.com...
> It happens here. IE is used to access a domain that isn't in the
> intranet zone. User logs in and IE remembers the password. From
> there on, the credentials become whatever account was used on the
> server. Using Windows authentication in SQL, it passes the server's
> login, not the user's. Bugged the heck out of us for about three
> weeks until we tracked it down. Even after the domain is added to the
> intranet zone, the user becomes the server account for some reason.

This has nothing to do with "remember credentials". The user account doesn't
"become" the server's credentials automagically because you've chosen to
remember some credentials in IE.

The server has no knowledge of whether the user has manually entered
credentials, or the browser is auto-submitting them. The machine account is
used when you are running into a double-hop authentication issue. The user
has authenticated to IIS, but IIS doesn't have any way of using those
credentials to log on to the backend server. In which case the machine
account is used.

Cheers
Ken

So your web.config or machine.config is specifying impersonation, right?
(and we seem to be assuming that this is not allowing anonymous access).

--
Roger Abell
Microsoft MVP (Windows Server : Security)

"cfs" <way***@hotmail.com> wrote in message
news:1152129654.720884.259350@v61g2000cwv.googlegroups.com...
> We are developing a web app using IIS6, ASP .Net 2.0 on a Win2003 box.
> We are using VS2005 and building for .Net 2.0 framework.
>
> We set IIS up to use integrated security. However when I access the
> application through IE, it cannot connect to the server. When I check
> the SQL Server logs, I see a failed attempt to login by <domain
> name>\<web server name>. It looks like it is using the credentials
> under which the web server is running.
>
> The desired behavior is to use the profile of the domain user who is
> using IE.
>
> When I give <domain name>\<web server name> explicit access to the SQL
> Server DB, it *can* connect.
>
> This reeks of a misconfiguration. What could we be doing wrong?
>
> TIA