User credentials passing from IIS to SQL Server

on 17.04.2008 19:54:23 by scott

I am developing an ASP.NET (2.0) application and I want to use
Integrated Windows Authentication. The application connects to a SQL
Server 2000 database. I envisioned the application working this way: a
user logs onto a Windows client (computer A) under his/her Active
Directory account and opens a browser to the ASP.NET application which
resides on server B (Windows 2003). The ASP.NET application in turn
connects to a SQL Server 2000 database running on server C (Windows
2000). The SQL Server database has a listing of Active Directory
accounts that have access. I want the user's credentials on computer A
to be checked against the security on the SQL Server.

Now for what is actually happening: the user logs onto computer A and
accesses the application. Whenever the application is asked for data
from the SQL Server (server C), an exception is encountered
(System.Data.SqlClient.SqlException) with the message: Cannot open
database requested in login ' failed for user '\$'. So this tells me that the
IIS computer is passing its own computer account for access to the SQL
Server. And furthermore, if I allow this computer account to access
the SQL Server database, the application will successfully retrieve
the data from SQL Server. This is not what I want to happen. I need to
know which user is trying to access the database. Can someone please
help? Thanks!

Scott Adams
no, not the Dilbert guy

Re: User credentials passing from IIS to SQL Server

on 18.04.2008 04:05:20 by Ken Schaefer

You need to do a couple of things:

a) configure Impersonation in your ASP.NET application
b) configure Kerberos Delegation in your environment

You need to read "Part 4" (the delegation scenario). You may wish to read
the earlier parts if you need to read up on how Kerberos works:
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/07/18/8460.aspx

Cheers
Ken

"scott" wrote in message
news:8cf8b841-d1f8-4555-b6d7-294dadedf85d@l42g2000hsc.googlegroups.com...
>I am developing an ASP.NET (2.0) application and I want to use
> Integrated Windows Authentication. The application connects to a SQL
> Server 2000 database. I envisioned the application working this way: a
> user logs onto a Windows client (computer A) under his/her Active
> Directory account and opens a browser to the ASP.NET application which
> resides on server B (Windows 2003). The ASP.NET application in turn
> connects to a SQL Server 2000 database running on server C (Windows
> 2000). The SQL Server database has a listing of Active Directory
> accounts that have access. I want the user's credentials on computer A
> to be checked against the security on the SQL Server.
>
> Now for what is actually happening: the user logs onto computer A and
> accesses the application. Whenever the application is asked for data
> from the SQL Server (server C), an exception is encountered
> (System.Data.SqlClient.SqlException) with the message: Cannot open
> database requested in login ' > failed for user '\$'. So this tells me that the
> IIS computer is passing its own computer account for access to the SQL
> Server. And furthermore, if I allow this computer account to access
> the SQL Server database, the application will successfully retrieve
> the data from SQL Server. This is not what I want to happen. I need to
> know which user is trying to access the database. Can someone please
> help? Thanks!
>
> Scott Adams
> no, not the Dilbert guy
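
Added example (not part of the thread or of either poster's code): a small ASP.NET 2.0 diagnostic for checking, after impersonation and delegation have been configured as the reply describes, which identity reaches each hop. The server name `SERVERC`, the database name `AppDb` and the class name `DelegationCheck` are placeholders, and the web.config settings named in the comments are assumed to be in place.

```csharp
// Added diagnostic, not from the thread. Assumes web.config contains
//   <authentication mode="Windows" /> and <identity impersonate="true" />
// and that anonymous access is disabled for the site in IIS.
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

public static class DelegationCheck   // hypothetical helper name
{
    // Placeholder connection string. No user name or password is given, so
    // the connection uses the Windows identity of the executing thread.
    const string ConnStr =
        "Data Source=SERVERC;Initial Catalog=AppDb;Integrated Security=SSPI";

    public static string Describe(HttpContext ctx)
    {
        // Hop 1: the identity IIS authenticated for the browser on computer A.
        string browserUser = ctx.User.Identity.Name;

        // The identity the request thread runs as on server B. With
        // impersonation enabled it should equal browserUser; with it disabled
        // it is the worker process account.
        WindowsIdentity thread = WindowsIdentity.GetCurrent();

        string report =
            "Authenticated user : " + browserUser + "\n" +
            "Thread identity    : " + thread.Name + "\n" +
            "Authentication type: " + thread.AuthenticationType + "\n" +
            // A token usable for the second hop is expected to report
            // Delegation here rather than Impersonation.
            "Token level        : " + thread.ImpersonationLevel + "\n";

        try
        {
            using (SqlConnection conn = new SqlConnection(ConnStr))
            using (SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
            {
                conn.Open();
                // Hop 2: the login name as SQL Server on server C sees it.
                report += "SQL Server login   : " + cmd.ExecuteScalar() + "\n";
            }
        }
        catch (SqlException ex)
        {
            // Record the failure; the user named in the message shows which
            // identity was actually presented to SQL Server.
            report += "SQL connection failed: " + ex.Message + "\n";
        }
        return report;
    }
}
```

Call `DelegationCheck.Describe(HttpContext.Current)` from a test page restricted to administrators and compare the first and last lines: they match only when the user's identity has been carried across both hops.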