Impersonation and Delegation with ASP.NET 2.0 on 2 Servers

Patrick wrote:

Hello

I have the following scenario
- SQL 2005 server (serversql)
- Windows 2003 with IIS (serveriis)
- Windows 2003 ADS (serverads)

I want to connect to an intranet application using NTLM with impersonation and delegation. So for this I made the following change in web.config:

<identity impersonate="true"/>
<authentication mode="Windows"/>

Then in the Active Directory I did the following change:

Computers\serveriis -> properties -> delegation
- Trust this computer for delegation on these services. Any protocol. And then I have added the www and w3svc services

But when connecting to the webpage, I always get this error:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

Any idea what is wrong?

Thanks
Patrick

David Wang wrote:

Did you enable Integrated Authentication and disable Anonymous authentication in IIS? Because when you set <authentication mode="Windows"/> it means ASP.Net does no authentication and uses IIS to negotiate authentication, so you need to configure IIS to require NTLM. Then, you need <identity impersonate="true"/> for ASP.Net to use the user token negotiated by IIS instead of stripping it off like it does by default. Only by doing these two steps do you end up with an NT user token to be able to begin the game of Delegation and Protocol Transitioning with AD...

And to clarify what you are describing -- you have three separate servers (one with SQL, one with IIS, one with AD), the web page is on IIS, it is trying to access the SQL server, and getting that logon failure when you access the web page from a machine on the same network segment as IIS?

//David

Patrick wrote:

Hi David
I checked my settings again. And everything is as you described. But the funny thing is that it works now. Is it possible that ADS needs some time to propagate the delegation of that server?

Regards

In reply to "David Wang" <w3.4***@gmail.com>, news:1163590275.658582.251750@i42g2000cwa.googlegroups.com

David Wang wrote:

Glad it is working.

I don't work with AD a lot so I really cannot comment on why. I have seen the propagation both be lightning fast (in minutes) and snail slow (>24 hours).

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
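A diagnostic helper for the two steps David describes (IIS negotiates the token, <identity impersonate="true"/> keeps it) and for the SQL hop in Patrick's setup; this is example code added here, not from the thread or either poster. It assumes an ASP.NET 2.0 site with the thread's web.config settings, a hypothetical class name DoubleHopDiagnostics, and the SQL server name passed in by the caller; it reports which identity IIS negotiated, whether the request is impersonated, whether the token is delegatable, and which login SQL Server actually sees.

```csharp
// Added diagnostic (not from the thread) for App_Code of an ASP.NET 2.0 site running with
// <authentication mode="Windows"/> and <identity impersonate="true"/>.
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Text;
using System.Web;

public static class DoubleHopDiagnostics
{
    // Builds a plain-text report for the current request; sqlServer is e.g. "serversql".
    public static string Report(string sqlServer)
    {
        StringBuilder sb = new StringBuilder();
        IIdentity webUser = HttpContext.Current.User.Identity;     // what IIS negotiated
        WindowsIdentity threadUser = WindowsIdentity.GetCurrent();  // what the thread runs as
        sb.AppendLine("IIS user    : " + webUser.Name + " (authenticated=" + webUser.IsAuthenticated
            + ", scheme=" + webUser.AuthenticationType + ")");
        sb.AppendLine("Thread token: " + threadUser.Name + " (anonymous=" + threadUser.IsAnonymous
            + ", level=" + threadUser.ImpersonationLevel + ")");

        if (!webUser.IsAuthenticated || threadUser.IsAnonymous)
            // Step 1 failed: IIS still allows Anonymous, or Integrated auth is disabled.
            sb.AppendLine("=> IIS did not authenticate the caller; fix IIS before looking at AD.");
        else if (string.Compare(threadUser.Name, webUser.Name, true) != 0)
            // Step 2 failed: the thread still runs as the worker-process identity.
            sb.AppendLine("=> Request is not impersonated; check <identity impersonate=\"true\"/>.");
        else if (threadUser.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            // Token is only usable on this box; SQL will see ANONYMOUS LOGON unless AD trusts
            // serveriis for constrained delegation ("Any protocol" = protocol transition).
            sb.AppendLine("=> Token is not at Delegation level; the SQL hop depends on the AD setting.");

        // End-to-end check: ask SQL Server which login it actually sees on this connection.
        try
        {
            string cs = "Data Source=" + sqlServer + ";Integrated Security=SSPI";
            using (SqlConnection cn = new SqlConnection(cs))
            {
                cn.Open();
                sb.AppendLine("SQL sees    : " + (string)new SqlCommand("SELECT SUSER_SNAME()", cn).ExecuteScalar());
            }
        }
        catch (SqlException ex)
        {
            sb.AppendLine("SQL error   : " + ex.Message); // e.g. Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
        }
        return sb.ToString();
    }
}
```

Call Report("serversql") from a test page and compare the "Thread token" line with the "SQL sees" line: when they differ, the failure is at the hop between serveriis and serversql, not at the browser.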