Hi
I have a web application running on a web server (e.g. webserver01) that uses a Windows authenticated account to connect to SQL Server. However, I encountered the error "login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" when I tried to access the website from my own machine. It seems that the error will be gone only after I did a terminal service to webserver01 using my own NT id and then ran the web application as localhost. Sequence of events:
1) open http://webserver01/app from my own machine, got the login error. Refresh the page doesn't help.
2) terminal service to webserver01 using my own id,
3) open http://webserver01/app from my own machine, got the login error again.
4) open
5) open http://webserver01/app from my own machine, error gone.
I think somehow the id & password weren't being passed through to SQL Server when I first accessed the website from my own machine. I tried it many times already; it's always after step 4 that the error will be gone.
Here's my configurations:
1) dsn = "Server=myserver;Database=mydb;Trusted_Connection=True;" or "data source=myserver;Initial Catalog=mydb;Integrated Security=SSPI;" (tried both but same result)
2) iis - directory setting - check "Integrated Windows authentication", uncheck "enable anonymous access"
3) web.config - added <authentication mode="Windows" /> & <identity impersonate="true" />
4) grant my own id to access the sql server as windows account
Can anyone please help?
Many thanks.
This could be due to some minor security misconfiguration of the web application. Try this.
Put an authorization element in web.config to force the use of Windows credentials. The ASP.NET runtime will not attempt to find out the credentials of the Windows user until anonymous users are denied access to the application.
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
Maung Maung
Okay, you have turned off Anonymous on the IIS, so it should be using Integrated Windows Authentication by default, even if you are not denying the anonymous users in web.config. So, the above solution might not be applicable.
After careful consideration, I thought of another issue on the client-side which might cause this problem.
Your browser (Internet Explorer) does not pass the security token to remote web sites by default. It only responds to web sites in the Local Intranet zone.
You can try adding your server address (http://webserver01) to the Local Intranet zone of the client PC's Internet Explorer security settings.
Follow the below steps if you are not sure how to achieve this.
Do post it here and let us know which solution works for you.
Thanks for your quick reply. Appreciate it
I tried changing web.config to deny anonymous users and also added the server address to the Local Intranet zone, but both methods didn't help. The same error pops up.
I think my browser did pass the security token to the website; it's the SQL Server that did not receive the token. I printed out the values of User.Identity.Name & Principal.WindowsIdentity.GetCurrent.Name, and both show my login id correctly.
Any other clue? I'm stuck.
The melody of logic will always play out the truth. ~ Narumi Ayumu, Spiral
Okay... I get your situation.
Your SQL Server and IIS are on two different machines.
You are trying to use the impersonated account to access a SQL Server database on another machine. To do so, you must be using Kerberos authentication, not NTLM, as you need to use delegation.
Integrated Security is SPNEGO (Simple Protected Negotiation) and it does not always use Kerberos. It tries to use Kerberos first and if it fails, it will automatically downgrade to NTLM.
One very important thing you must take note of is that NTLM cannot do delegation, which is what allows the impersonated credentials to call a service or access resources on another machine.
To successfully use the Kerberos authentication, your machines involved in communication must be both Win 2K minimum and domain must be in Native mode.
Check out this URL for how to upgrade to Native Win 2K domain.
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/upgrdmigrate/upgrnt.mspx
The next thing you need to ensure is that the domain controller is aware of what service account your SQL Server is running as, so that your web application knows how to encrypt the ticket to pass to the SQL Server service. In other words, you have to set an SPN (Service Principal Name) in the domain to register your service account so that Kerberos can be used successfully.
You can use SetSPN.exe (a tool available from the Windows 2K resource kit) to achieve this.
Check out this URL for how to use the SetSPN.exe.
http://technet2.microsoft.com/WindowsServer/en/Library/b3a029a1-7ff0-4f6f-87d2-f2e70294a5761033.mspx
Download SetSPN.exe from here.
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/setspn-o.asp
Hope it helps.
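As an added example (not from this thread or from either poster), the following PowerShell script shows how to check the two things the reply above depends on: whether the SQL service account actually has an MSSQLSvc SPN registered, and whether a session really arrives at SQL Server over Kerberos rather than NTLM (the NTLM fallback is what produces the ANONYMOUS LOGON failure on the second hop). The host name "myserver", the port 1433, the service account "DOMAIN\sqlsvc" and the FQDN suffix "example.local" are assumptions; the sys.dm_exec_connections view assumes SQL Server 2005 or later.

```powershell
# Added example: verify SPN registration and the authentication scheme used for a
# SQL Server session. Names below are assumptions, not values from the thread.
$SqlHost        = 'myserver'          # assumed SQL Server host name
$SqlPort        = 1433                # assumed default-instance port
$SqlServiceAcct = 'DOMAIN\sqlsvc'     # assumed domain account running the MSSQLSERVER service

# 1) List the SPNs registered for the SQL service account. Kerberos requires an
#    MSSQLSvc/<fqdn>:<port> entry; if it is missing the client silently falls back
#    to NTLM, and NTLM cannot delegate the impersonated identity to SQL Server.
setspn -L $SqlServiceAcct

# 2) Ask SQL Server how the current session authenticated. Run this from the web
#    server (for example inside a remote session on webserver01) so the hop being
#    tested is the same one the web application uses.
$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$SqlHost;Database=master;Integrated Security=SSPI;"
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = @"
SELECT c.auth_scheme, s.login_name
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.session_id = @@SPID;
"@
$reader = $cmd.ExecuteReader()
while ($reader.Read()) {
    # auth_scheme is 'KERBEROS' when delegation can work, 'NTLM' when it cannot.
    "auth_scheme = $($reader['auth_scheme']); login_name = $($reader['login_name'])"
}
$reader.Close()
$conn.Close()

# 3) If step 1 showed no MSSQLSvc entry, register one for the service account.
#    This needs domain-admin rights; use the FQDN that clients actually resolve.
# setspn -A "MSSQLSvc/$($SqlHost).example.local:$SqlPort" $SqlServiceAcct
```

If the query reports NTLM even after the SPN is in place, the usual remaining causes are a duplicate SPN on a second account or a web server computer account that is not trusted for delegation in Active Directory; both show up in the setspn output and the computer object's delegation tab rather than in SQL Server itself.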
Thanks for all the explanation and your precious time.
Hmm... Kerberos authentication sounds a bit more complicated. I think I would create a new SQL login id and use this account to log in to SQL instead of the integrated Windows account. It should also be the fastest and easiest way.
Really appreciate all your help.
If you are using SQL Authentication in your web application, you may want to ensure that the credentials in web.config are protected with appropriate encryption.
You can use AspNet_RegIIS.exe to encrypt it if you are using ASP.NET 2.0.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000010.asp
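As an added example (not from this thread or from the poster), here is the aspnet_regiis.exe invocation that encrypts the connectionStrings section of an ASP.NET 2.0 web.config in place, followed by a quick check that no plain-text password remains in the file. The physical application path "C:\inetpub\wwwroot\app" is an assumption; the DPAPI provider chosen here ties the encrypted section to the machine that ran the command, so a web farm would use the RSA provider instead.

```powershell
# Added example: encrypt <connectionStrings> with aspnet_regiis and verify the result.
# Paths are assumptions, not values from the thread.
$Framework = "$env:windir\Microsoft.NET\Framework\v2.0.50727"   # ASP.NET 2.0 runtime folder
$AppPath   = 'C:\inetpub\wwwroot\app'                            # assumed physical path of the app

# -pef encrypts a section by physical path; DataProtectionConfigurationProvider uses
# the machine's DPAPI key, so the file cannot be decrypted if copied elsewhere.
& "$Framework\aspnet_regiis.exe" -pef "connectionStrings" $AppPath -prov "DataProtectionConfigurationProvider"

# After a successful run the <add .../> entries are replaced by an <EncryptedData>
# element. Any surviving "password=" line means the section was not encrypted.
Select-String -Path "$AppPath\web.config" -Pattern 'EncryptedData', 'password=' -SimpleMatch |
    ForEach-Object { "$($_.LineNumber): $($_.Line.Trim())" }

# To change the SQL login later, decrypt, edit the file, then re-run the -pef command:
# & "$Framework\aspnet_regiis.exe" -pdf "connectionStrings" $AppPath
```

The application code needs no change: ConfigurationManager.ConnectionStrings decrypts the section transparently, which is the point of moving the secret out of the readable web.config rather than into a second file.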