Sunday, March 11, 2012

double-hop authentication for SSRS and ASP

I'm not an expert - but:
Yes - this is the classic double-hop scenario. I live with it every day.
A lot depends on the Windows versions of the servers:
Windows 2000 - this requires Kerberos or the use of network service
accounts used between servers (or if the back-end service is SQL - SQL
logins).
Windows 2003 - you can use the Protocol Transition features to delegate
credentials without Kerberos.
See:
http://technet2.microsoft.com/WindowsServer/en/library/dac7ecea-7c82-43c0-847b-3a1a81454cfe1033.mspx
Difficult to help without more details, but if you're using Windows 2000
servers and NTLM only, you will need to create a service account for
the Front End server to communicate with the Back End.
In a typical Web Server (A) talks to Application Server (B) that talks
to SQL Server (C) scenario...
1) Web Site (A) uses NTLM authentication and ASP(.NET) code to
impersonate <user>.
2) App Server (B) services use NTLM authentication to grant access to
<user>, but are not allowed to pass these credentials to C. So either:
a) the DCOM or .NET services on B are configured to run under a
service account <_service1> which has access rights on the SQL Server
(C) and the necessary database objects
or
b) the services on B use SQL authentication to log in and access (C).
Note: If you use this approach, and you need to audit for security, you
should log accesses to C on server B - so that you know who really was
accessing C (all C sees is the same user, all the time).
If you're using Windows Server 2003, you can use delegation as explained
in the links I provided earlier.
punjab_tom@.hotmail.com wrote:
> Sleepy
> Can you please tell more? My English is poor.
> I have had security problems with Services of Reporting; I can see
> 'user is null' even though we are using NT Authentication.
> Tom
>
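An added example (not code from this thread) of the audit point in option (a) above: when B connects to C under its own service account, C only ever sees that account, so B is the one place where the real caller can be recorded. This C# helper for the middle tier captures the impersonated caller's identity, reverts to the process identity (the service account) for the hop to C, runs a stored procedure, and writes an event-log record pairing the two identities. The connection string, the event source name "MiddleTier" and the stored-procedure interface are assumptions, not anything the post specifies.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;
using System.Security.Principal;

// Middle-tier (server B) data access helper. Added example; assumes B's
// worker process runs as the service account that holds rights on SQL Server C.
public static class AuditedDataAccess
{
    // Assumed connection string: integrated security, so the hop to C is
    // authenticated as whatever identity the calling thread has when Open() runs.
    private const string ConnectionString =
        "server=sqlserver;initial catalog=dbname;integrated security=SSPI";

    // Assumed event source; an administrator registers it once on B with
    // EventLog.CreateEventSource("MiddleTier", "Application").
    private const string EventSource = "MiddleTier";

    public static int ExecuteProcedure(string procedureName, params SqlParameter[] parameters)
    {
        // Read the caller while the web tier's impersonation token is still active.
        string realCaller = WindowsIdentity.GetCurrent().Name;

        // Revert to the process identity (the service account) for the hop to C.
        // Passing IntPtr.Zero to WindowsIdentity.Impersonate reverts to the process token.
        using (WindowsImpersonationContext revert = WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            string hopIdentity = WindowsIdentity.GetCurrent().Name;
            int rows;
            using (SqlConnection conn = new SqlConnection(ConnectionString))
            using (SqlCommand cmd = new SqlCommand(procedureName, conn))
            {
                cmd.CommandType = CommandType.StoredProcedure;
                cmd.Parameters.AddRange(parameters);
                conn.Open();
                rows = cmd.ExecuteNonQuery();
            }

            // The audit record lives on B: this is the only tier that knows both
            // who really called and which account C saw.
            EventLog.WriteEntry(EventSource,
                String.Format("caller={0} hop_identity={1} procedure={2} rows={3}",
                              realCaller, hopIdentity, procedureName, rows),
                EventLogEntryType.Information);
            return rows;
        }
        // Disposing the context restores the caller's impersonation token.
    }
}
```

The helper deliberately logs the procedure name rather than a raw SQL string, so the audit trail records what was done without copying parameter values (which may be sensitive) into the event log.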
Hi,
I have a very similar problem. I've been through a lot of articles, but
something is still missing.
This is my setup:
All servers are Windows Server 2003.
IE6 connects to IIS using basic authentication. In ASP.NET code, using Win32
LogonUser, I impersonate a domain user and then make a call to the database
server. For some reason the impersonated user is not delegated to SQL server.
This is how I configured everything so far:
Created a domain account for the ASP.NET worker process (edited
machine.config on the IIS server and edited <processModel>):
<processModel enable="true" userName="domain\ASPNETuser" password="xxx"/>
The ASPNETuser is set to be Trusted for Delegation on the domain controller.
The IIS server is set to be Trusted for Delegation on the domain controller.
The users that are to be impersonated are NOT set as sensitive on the domain
controller.
The connection string to SQL looks like:"server=sqlserver;initial
catalog=dbname;integrated security=SSPI".
When connecting to the database, I get "Login failed for user 'NT
AUTHORITY\ANONYMOUS LOGON'".
What am I missing? How do I know if Kerberos is working?
"SleepyLab" wrote:

> Difficult to help without more details, but if you're using Windows 2000
> servers and NTLM only, you will need to create a service account for
> the Front End server to communicate with the Back End.
> In a typical Web Server (A) talks to Application Server (B) that talks
> to SQL Server (C) scenario...
> 1) Web Site (A) uses NTLM authentication and ASP(.NET) code to
> impersonate <user>.
> 2) App Server (B) services use NTLM authentication to grant access to
> <user>, but are not allowed to pass these credentials to C. So either:
> a) the DCOM or .NET services on B are configured to run under a
> service account <_service1> which has access rights on the SQL Server
> (C) and the necessary database objects
> or
> b) the services on B use SQL authentication to log in and access (C).
> Note: If you use this approach, and you need to audit for security, you
> should log accesses to C on server B - so that you know who really was
> accessing C (all C sees is the same user, all the time).
> If you're using Windows Server 2003, you can use delegation as explained
> in the links I provided earlier.
>
> punjab_tom@.hotmail.com wrote:
>
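An added example, not code from the thread, for the question above of how to tell whether the second hop is really authenticating: a small C# console program that logs a user on with Win32 LogonUser as the post describes, impersonates the resulting token, and then asks SQL Server which login and authentication scheme it saw for that connection. It assumes the post's connection string and that the database server is SQL Server 2005 or later (sys.dm_exec_connections does not exist on SQL Server 2000). One detail worth checking in a LogonUser-based setup is the logon type: a LOGON32_LOGON_NETWORK (3) token carries no credentials for outbound connections and arrives at the SQL Server as ANONYMOUS LOGON regardless of delegation settings, while LOGON32_LOGON_NETWORK_CLEARTEXT (8) keeps the credentials in the authentication package so the impersonated token can authenticate to the next hop.

```csharp
using System;
using System.ComponentModel;
using System.Data.SqlClient;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added diagnostic; not code from the thread. Run it on the IIS server as the
// worker-process account to see what SQL Server (C) receives on the second hop.
class DelegationCheck
{
    // Logon type 8 keeps the password in the authentication package, so the
    // impersonated token can authenticate to another server. Type 3
    // (LOGON32_LOGON_NETWORK) cannot, and shows up at C as ANONYMOUS LOGON.
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    // Assumed connection string, copied from the post.
    const string ConnectionString =
        "server=sqlserver;initial catalog=dbname;integrated security=SSPI";

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    static void Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.WriteLine("usage: DelegationCheck <domain> <user>   (password is read from stdin)");
            return;
        }
        Console.Write("password: ");
        string password = Console.ReadLine();

        IntPtr token;
        if (!LogonUser(args[1], args[0], password,
                       LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            using (WindowsImpersonationContext ctx = new WindowsIdentity(token).Impersonate())
            {
                Console.WriteLine("thread identity on IIS: " + WindowsIdentity.GetCurrent().Name);
                ReportWhatSqlSees();
            }
        }
        finally
        {
            CloseHandle(token);
        }
    }

    // SUSER_SNAME() is the login C mapped the connection to; auth_scheme is
    // KERBEROS, NTLM or SQL for the current session (SQL Server 2005+ DMV).
    static void ReportWhatSqlSees()
    {
        const string query =
            "SELECT SUSER_SNAME(), auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID";
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(query, conn))
        {
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (reader.Read())
                    Console.WriteLine("SQL Server sees login {0} authenticated via {1}",
                                      reader.GetString(0), reader.GetString(1));
            }
        }
        // If Open() fails with "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'",
        // the token reached C without usable credentials.
    }
}
```

Two readings are useful: the login name tells you whether C saw the impersonated user or the worker-process account, and an auth_scheme of NTLM rather than KERBEROS tells you the hop to SQL Server is not using Kerberos at all, which most often means no MSSQLSvc service principal name is registered for the account running the SQL Server service; Kerberos delegation of a browser-authenticated user cannot work until that SPN exists.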
