SgDotNet
Singapore Professional .NET User Group -For Cool Developers

iis windows authenticated

Latest post 03-17-2006 6:18 PM by MaungMaung. 9 replies.
  • 03-16-2006 4:59 PM

    • ci
    • Top 150 Contributor
    • Joined on 07-27-2004
    • Posts 12

    iis windows authenticated

    Hi

    I have a web application running on a web server (e.g. webserver01) that uses a Windows authenticated account to connect to SQL Server. However, I encountered the error "login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" when I tried to access the website from my own machine. It seems that the error only goes away after I terminal service to webserver01 using my own NT ID and then run the web application as localhost. Sequence of events:

    1) open http://webserver01/app from my own machine, got the login error. Refresh the page doesn't help.

    2) terminal service to webserver01 using my own id,

    3) open http://webserver01/app from my own machine, got the login error again.

    4) open http://localhost/app in webserver01

    5) open http://webserver01/app from my own machine, error gone.

    I think somehow the ID and password weren't being passed through to SQL Server when I first accessed the website from my own machine. I have tried it many times already; it's always only after step 4 that the error goes away.

    Here are my configurations:

    1) dsn = "Server=myserver;Database=mydb;Trusted_Connection=True;" or "data source=myserver;Initial Catalog=mydb;Integrated Security=SSPI;"   (tried both but same result)

    2) iis - directory setting - check "Integrated Windows authentication", uncheck "enable anonymous access"

    3) web.config - added <authentication mode="Windows" />  & <identity impersonate="true" />

    4) grant my own id to access the sql server as windows account

    Can anyone please help?


    Many thanks.

  • 03-16-2006 5:18 PM In reply to

    Re: iis windows authenticated

    This could be due to some minor security misconfiguration of the web application. Try this.

    Put an Authorization element in web.config to force it to use Windows credentials. The ASP.NET runtime will not attempt to find out the credentials of the Windows user until anonymous users are denied access to the application.

    <system.web>
        <authorization>
            <deny users="?" />
        </authorization>
    </system.web>

    Maung Maung

  • 03-16-2006 5:59 PM In reply to

    Re: iis windows authenticated

    Okay, you have turned off Anonymous on IIS, so it should be using Integrated Windows Authentication by default, even if you are not denying the anonymous users in web.config. So, the above solution might not be applicable.

    After careful consideration, I thought of another issue on the client-side which might cause this problem.

    Your browser (Internet Explorer) does not pass the security token to remote web sites by default. It only responds to web sites in the Local Intranet zone.

    You can try adding your server address (http://webserver01) to the Local Intranet zone of the client PC's Internet Explorer security settings.

    Follow the steps below if you are not sure how to achieve this.

    1. Select Tools menu, Internet Options...
    2. Select Security tab
    3. Select Local Intranet and click on "Sites" button
    4. Type in http://webserver01 and click on Add button.
    5. Click OK to exit the dialog box.

    Do post it here and let us know which solution works for you. :)

    Maung Maung

  • 03-17-2006 11:10 AM In reply to

    • ci
    • Top 150 Contributor
    • Joined on 07-27-2004
    • Posts 12

    Re: iis windows authenticated

    Thanks for your quick reply. Appreciate it.

    I tried changing web.config to deny anonymous users and also adding the server address to the local intranet zone, but neither method helped. The same error pops up.

    I think my browser did pass the security token to the website; it's the SQL Server that did not receive the token. I printed out the values of User.Identity.Name and Principal.WindowsIdentity.GetCurrent.Name, and both show my login ID correctly.

    Any other clue? I'm stuck :(

  • 03-17-2006 11:55 AM In reply to

    Re: iis windows authenticated

    Is this a domain user account, or the same local SAM account with the same password existing on all three machines (client, web server, database server)?

    The melody of logic will always play out the truth. ~ Narumi Ayumu, Spiral

  • 03-17-2006 12:03 PM In reply to

    • ci
    • Top 150 Contributor
    • Joined on 07-27-2004
    • Posts 12

    Re: iis windows authenticated

    It's a domain user account.
  • 03-17-2006 12:24 PM In reply to

    Re: iis windows authenticated

    Some additional news: looks like NTLM credentials can only be passed at most one hop (client to web server). Passing on to a remote SQL server is considered a second hop and not allowed, which coincides with the failure. If the SQL server was installed on the same machine, then it can authenticate as it would still be considered one hop.

    http://www.devhood.com/messages/message_view-2.aspx?thread_id=72204

    The melody of logic will always play out the truth. ~ Narumi Ayumu, Spiral

  • 03-17-2006 12:40 PM In reply to

    Re: iis windows authenticated

    Okay... I get your situation.

    Your SQL Server and IIS are in two different machines.

    You are trying to use the impersonated account to access a SQL Server database on another machine. To do so, you must be using Kerberos authentication, not NTLM, as you need to use delegation.

    Integrated Security is SPNEGO (Simple Protected Negotiation) and it does not always use Kerberos.  It tries to use Kerberos first and if it fails, it will automatically downgrade to NTLM.

    One very important thing you must take note of is that NTLM cannot do delegation, which allows the impersonated credentials to call the service or access resources of another machine.

    To successfully use Kerberos authentication, all the machines involved in the communication must be at least Win 2K and the domain must be in Native mode.

    Check out this URL for how to upgrade to a Native Win 2K domain.

    http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/upgrdmigrate/upgrnt.mspx

    The next thing you need to ensure is that the domain controller is aware of what service account your SQL Server is running as, so that your web application knows how to encrypt the ticket to pass to the SQL Server service. In other words, you have to set an SPN (Service Principal Name) in the domain to register your service account so that Kerberos can be successfully used.

    You can use SetSPN.exe (a tool available from the Windows 2K Resource Kit) to achieve this.

    Check out this URL for how to use SetSPN.exe.

    http://technet2.microsoft.com/WindowsServer/en/Library/b3a029a1-7ff0-4f6f-87d2-f2e70294a5761033.mspx

    Download SetSPN.exe from here.

    http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/setspn-o.asp

    Hope it helps.

    Maung Maung
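    An added diagnostic helper, not code from the thread: dropped into the ASP.NET 2.0 application on webserver01 (with <identity impersonate="true" /> as in the original post), it reports whether the impersonated token can be delegated to a second hop, and asks SQL Server which login it actually sees. The connection string is the one from the original post; the class and method names are assumptions.

```csharp
// Added example (not from the thread). Assumes ASP.NET 2.0 with
// <identity impersonate="true" /> and the DSN from the original post.
using System;
using System.Data.SqlClient;
using System.Security.Principal;

public static class HopDiagnostics
{
    const string Dsn = "data source=myserver;Initial Catalog=mydb;Integrated Security=SSPI;";

    // Explains, from the token IIS handed us, whether the second hop to SQL Server can work.
    public static string DescribeToken(IPrincipal user)
    {
        WindowsIdentity id = user.Identity as WindowsIdentity;
        if (id == null || !id.IsAuthenticated)
            return "No Windows identity: check the IIS authentication settings and web.config.";

        // "NTLM" means Negotiate fell back to NTLM; an NTLM token can never be delegated.
        if (string.Equals(id.AuthenticationType, "NTLM", StringComparison.OrdinalIgnoreCase))
            return id.Name + " authenticated with NTLM; SQL Server on another host will see ANONYMOUS LOGON.";

        // Negotiate may be reported for Kerberos too, so the impersonation level is the
        // decisive check: only a Delegation-level token can be forwarded to another machine.
        if (id.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            return id.Name + " has a Kerberos token at level " + id.ImpersonationLevel
                 + "; the web server account must be trusted for delegation in Active Directory.";

        return id.Name + " has a delegable Kerberos token; the second hop should work.";
    }

    // Asks SQL Server which login it sees (SUSER_SNAME()) so the web-side identity
    // printed in the thread can be compared with the database-side one.
    public static string LoginSeenBySqlServer()
    {
        try
        {
            using (SqlConnection cn = new SqlConnection(Dsn))
            using (SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", cn))
            {
                cn.Open();
                return (string)cmd.ExecuteScalar();
            }
        }
        catch (SqlException ex)
        {
            // On the failing path this carries the "Login failed for user ..." text.
            return "Login failed: " + ex.Message;
        }
    }
}
```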
  • 03-17-2006 3:07 PM In reply to

    • ci
    • Top 150 Contributor
    • Joined on 07-27-2004
    • Posts 12

    Re: iis windows authenticated

    Thanks for all the explanation and your precious time.

    Hmm... Kerberos authentication sounds a bit more complicated. I think I would create a new SQL login ID and use this account to log in to SQL instead of the integrated Windows account. It should also be the fastest and easiest way :)

    Really appreciate all your help.

  • 03-17-2006 6:18 PM In reply to

    Re: iis windows authenticated

    If you are using SQL Authentication in your web application, you may want to ensure that the credentials in web.config are protected with appropriate encryption.

    You can use AspNet_RegIIS.exe to encrypt it if you are using ASP.NET 2.0.

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000010.asp


    Maung Maung
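    An added example, not code from the thread: it does programmatically what the aspnet_regiis.exe step above does, encrypting the <connectionStrings> section of an ASP.NET 2.0 web.config with the DPAPI provider and checking that it is protected. The virtual path "/app" is taken from the original post; the class and method names are assumptions.

```csharp
// Added example (not from the thread). Encrypts <connectionStrings> with the same
// DPAPI provider that "aspnet_regiis -pe connectionStrings" uses.
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ConfigProtection
{
    const string Provider = "DataProtectionConfigurationProvider";

    // Returns true if <connectionStrings> is encrypted once the call completes.
    public static bool ProtectConnectionStrings(string appPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null)
            return false;

        if (!section.SectionInformation.IsProtected)
        {
            // DPAPI keys are per machine, so this must run on the web server that will
            // read the file (the same caveat applies to aspnet_regiis).
            section.SectionInformation.ProtectSection(Provider);
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified);
        }
        return section.SectionInformation.IsProtected;
    }

    // The normal configuration API decrypts transparently at runtime, so application
    // code that reads the connection string needs no change after encryption.
    public static string ReadConnectionString(string name)
    {
        ConnectionStringSettings settings = WebConfigurationManager.ConnectionStrings[name];
        return settings == null ? null : settings.ConnectionString;
    }
}
```

Usage on the server: ProtectConnectionStrings("/app") once, after which the SQL login's password no longer sits in clear text in web.config.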