luv_kermie
Log into Database with current windows authentication - snag when publishing
Oct 25, 2012 10:44 PM
I have an application - where the UI is on the intranet server (IIS 6), the database is on the SQL server (SQL 2008), and the web service (which does the data access) is on another web service server.
Using delegation and impersonation and sending the credentials through in code - the program will work successfully if the web service server is my local IIS (IIS 7 - Windows 7). Although when I attempt to publish the web service out to a Windows 2008 server, I am getting a "Connection failedLogin failed for user 'NT AUTHORITY\ANONYMOUS LOGON'." error. I have compared the authentication in both IIS and those are the same.
Once I hit the web service, I email the windowsidentity.getcurrent.name to myself - and that is correctly sending the current logged in user on both web service servers. So if both web services servers have the correct credentials, what am I missing on the 2008 server that will allow me to use Windows authentication at the database level?
bargemahesh
Oct 29, 2012 12:22 PM
Please explain in detail. There are lots of fill in the blanks in your above query. Please help me to understand your problem. Thanks.
Mahesh Barge
luv_kermie
Oct 29, 2012 01:36 PM
Sorry, always struggled with written communication.
What I am trying to accomplish is logging into the database with Windows authentication, but not just some random Windows account, the account of the user currently logged into the asp.net UI.
I have an asp.net UI and an asp.net web service. The UI is just the "pretty" interface that allows the user to view the information. The web service does the connection to the database and retrieval of data.
Both the UI and the web service have been set to deny anonymous access, and Windows authentication has been enabled.
The UI and web service run on two separate servers. So, to get the credentials from the UI to the web service, I have set the UI server up for delegation. To send the credentials to the web service, I am using the credentials property like thus:
webserviceObject.Credentials = System.Net.CredentialCache.DefaultNetworkCredentials
All of this works just as it should, and I get data back IF the server that runs the web service is my laptop's IIS (Windows 7).
But if I publish the web service to a Windows 2008 server (the place it will ultimately reside), I am getting a 'NT AUTHORITY\ANONYMOUS LOGON' error when it attempts to log into the database and yet I know the credentials are passed to the web service.
So both web service servers are running IIS 7, and both have the same set up, as far as I can tell. So what am I missing on the Windows 2008 server to make this whole process work?
Please let me know if you still need additional information.
bargemahesh
Oct 29, 2012 01:51 PM
I think the issue is - "When you publish your webservice then it uses the default user to connect and retrieve information from the database .... Now this default user doesn't have access to your database."
Now you may ask how this is working properly on your desktop/laptop. One of the reasons behind this issue is "this webservice may be using the local system Windows user and it may have access to the database".
I have faced the same type of issue while accessing a database through a Windows service. I think the above mentioned solution may help you but there might be chances that you have given proper rights to the data accessing user. Also please check the webservice configuration area.
Mahesh Barge
luv_kermie
Oct 29, 2012 03:39 PM
Thank you for the reply, but I don't think this is the issue.
When I say that I am running the web service on the IIS of my laptop - I do NOT mean that I am running the web service via Visual Studio, which would in fact be my local account and would and does work.
I am literally running it under my IIS, and to my knowledge the default user in IIS is the IUSR account. Which means that my laptop's IUSR account would need to have access to the database for it to run as you are suggesting, and this is not the case.
So this verifies that I am correctly sending the logged on user's credentials from my UI to the web service?
The web method in my web service does two things. One, it attempts to open a connection to the database, and two, it returns the System.Security.Principal.WindowsIdentity.GetCurrent.Name. The Name that is returned is my name, the current logged in user of the UI. I have verified that this is working by having another user log in, and the Name value did change. So I'm thinking this again tells me that the web service does have the credentials.
So if the web service does have the credentials and is running as the current logged in user of the UI, why am I getting an empty user when I attempt to open the database connection?
As of this point data access is not an issue; right now I am the only user that has tested and I can view the data in at least one of the configurations that I have tried.
What exactly am I supposed to check in the web service configuration area?
Victorious1
Nov 01, 2012 01:19 AM
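I have actually pulled this off using IIS 6. The key features for making it work were:
1. Went to the Active Directory computer management console and set the property "Trust this computer for delegation to any service (Kerberos only)" on the delegation tab for the application server computer.
2. In Active Directory, registered the service principal name (SPN) for the computer and the application URL using the SetSPN tool.
3. From group policy, set all members of the security group to have the application in their trusted sites and to automatically log on to trusted sites.
4. In the database connection string the security property is "Trusted_connection =True" providerName="System.Data.SqlClient"
5. User must have database credentials as well as be a member of the security group to automatically validate. All credentials are set to domain user accounts.
The result was that if a user in the security group points to the application site they are automatically validated to the SQL database. If a user who is not both a member of the security group and added to the SQL server permissions tries to access the web site they get a message in the status label for the site saying automatic logon failed for NT user "domain_name\user_name". By this we seamlessly validate three levels of security for our application. I hope this helps.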
-Derek
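Added example, not part of any post in this thread: a C# diagnostic for the web-service tier that serves both the question above (the right user name comes back while SQL Server sees ANONYMOUS LOGON) and the delegation steps in this answer, by reporting whether the impersonated token can be forwarded to another machine. The names HopDiagnostics, Report and CanDelegate and the connection string values are assumptions.

```csharp
// Added diagnostic, not code from the thread. HopDiagnostics, Report and
// CanDelegate are assumed names; the connection string is a placeholder.
using System.Data.SqlClient;
using System.Security.Principal;
using System.Text;

public static class HopDiagnostics
{
    // Call from inside the web method while impersonation is active, e.g.
    // Report("Server=SQLHOST;Database=AppDb;Trusted_Connection=True").
    public static string Report(string connectionString)
    {
        StringBuilder sb = new StringBuilder();
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            // Name is populated for any impersonated token, so a correct
            // name does not show the token may be used on another machine.
            sb.AppendLine("Name:               " + id.Name);
            // Typically Kerberos, NTLM or Negotiate. NTLM means the first
            // hop did not use Kerberos, and an NTLM logon cannot be delegated.
            sb.AppendLine("AuthenticationType: " + id.AuthenticationType);
            // Impersonation: usable on this server only.
            // Delegation:    may be forwarded to SQL Server.
            sb.AppendLine("ImpersonationLevel: " + id.ImpersonationLevel);
            sb.AppendLine("Can reach next hop: " + CanDelegate(id));
        }
        try
        {
            using (SqlConnection conn = new SqlConnection(connectionString))
            using (SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
            {
                conn.Open();
                // The login SQL Server actually accepted for this connection.
                sb.AppendLine("SQL Server login:   " + cmd.ExecuteScalar());
            }
        }
        catch (SqlException ex)
        {
            // An ANONYMOUS LOGON failure lands here when the token stops
            // at this server.
            sb.AppendLine("SQL login failed:   " + ex.Message);
        }
        return sb.ToString();
    }

    // True only when the token carries delegation rights.
    public static bool CanDelegate(WindowsIdentity id)
    {
        return id.ImpersonationLevel == TokenImpersonationLevel.Delegation;
    }
}
```

Run it on both web service servers and compare the output: a server that shows the expected Name but an ImpersonationLevel of Impersonation, or an AuthenticationType of NTLM, is the one where the delegation or SPN configuration is incomplete.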
molly_c
Nov 01, 2012 09:40 AM
It's an IIS issue, right? You need to set something in IIS...
Molly
luv_kermie
Nov 07, 2012 07:44 PM
Thank you, Victorious1, for your reply! I'm attempting to implement, but ...
Well, I might need a "for dummies" version for step 2. What computer did you register? The application server or the web services server or the database server or all three? I've taken several stabs at an SPN for just the web services server (as that appears to be where my credentials are being lost), but I have not been successful as of yet.
Chen Yu - MS...
Microsoft
Nov 09, 2012 01:55 AM
Hi,
As you use IIS 7, you could refer to the article below to use Windows authentication.
http://www.iis.net/configreference/system.webserver/security/authentication/windowsauthentication
Because this issue is related to IIS, please go to the IIS forum, http://forums.iis.net/.
Thanks for your understanding.
Thanks.
luv_kermie
Nov 13, 2012 07:42 PM
While this article tells me how to enable Windows authentication in IIS, I am not seeing where it talks about how to send credentials from one program to another and inevitably end up with logging into a database with Windows authentication.
And while I appreciate you attempting to keep your forums clean, I do not understand why this is an IIS issue. I have a feeling if I post there and start talking about asp.net and web services that they'll ask me to post somewhere else. I know I'm not completely off my rocker on this one, because I have seen posts similar to my issue within this forum. IIS is just a piece of the entire security puzzle that is attempting to be solved here.