Oxiane
0 Points
3 Posts
Full Windows authentication on 3 tiers (client - web server - Sql server)
Apr 12, 2012 01:50 PM
Hi,
I'd like to have full Windows authentication on a 3-tier ASP.NET application (IE as a client, IIS on a server, SQL database on another server).
The 3 machines are on the same domain.
I've turned on Windows authentication on IIS for my application, I've put "Integrated Security=SSPI" in my connection string, and my domain user has been granted access in the database.
When I navigate to my application, I get an exception: Échec de l'ouverture de session de l'utilisateur 'AUTORITE NT\ANONYMOUS LOGON'.
(Login failed for user 'NT AUTHORITY\NETWORK SERVICE' in English, I think)
It seems that the Windows identity is not transmitted to SQL Server.
I've read about Kerberos delegation but I don't really understand... Do I need to add <identity impersonate="true"/> in my web.config?
thanks for your help
BrockAllen
All-Star
28072 Points
4996 Posts
MVP
Re: Full Windows authentication on 3 tiers (client - web server - Sql server)
Apr 12, 2012 02:12 PM
You need to configure constrained delegation at the AD level for the account running the web server and grant it access to the other server it's allowed to talk to. And then yes, in the app you need to impersonate but you should not do it via config -- you should write the explicit code to impersonate like this:
    using System.Data.SqlClient;
    using System.Security.Principal;

    public void DoWorkWithClientCreds()
    {
        // grab client identity
        WindowsIdentity id = (WindowsIdentity)Context.User.Identity;

        // impersonation is automatically undone by
        // WindowsImpersonationContext.Dispose
        using (WindowsImpersonationContext wic = id.Impersonate())
        {
            using (SqlConnection con = new SqlConnection(
                "data source=BackEnd...;Integrated Security=SSPI"))
            {
                // access remote sql server
                // client identity flows off the box
                con.Open();
            }
        }
    }

DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
Oxiane
0 Points
3 Posts
Re: Full Windows authentication on 3 tiers (client - web server - Sql server)
Apr 13, 2012 03:35 PM
Hi BrockAllen, thank you for your answer.
What do you mean by "the account running the web server"?
Is it the domain account of the client connected to my web site?
If yes, I would have to configure the delegation for hundreds of people in my company...
BrockAllen
All-Star
28072 Points
4996 Posts
MVP
Re: Full Windows authentication on 3 tiers (client - web server - Sql server)
Apr 13, 2012 04:19 PM
IIS runs your code in something called an application pool -- this is a process running on the server and it runs as some identity (some Windows account). This account needs to be trusted by the domain to perform delegation. Since the domain controller needs to know about the identity, you typically configure the app pool to be a dedicated domain account. This also means that you need to configure an SPN for the web server under that account.
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
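A diagnostic that ties the two answers above together (the explicit impersonation from the first reply, and the SPN plus delegation-trust requirements from the second). This is an added example, not code from the thread or from either poster; it assumes a page or handler running under IIS Windows authentication and uses a placeholder back-end server name in the connection string.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

public static class DelegationCheck
{
    // Placeholder: point this at the real back-end SQL Server.
    private const string ConnectionString =
        "Data Source=BACKEND-SQL-HOST;Initial Catalog=master;Integrated Security=SSPI";

    // Returns a one-line diagnosis of whether the caller's identity reaches SQL Server.
    public static string Describe(HttpContext context)
    {
        var id = context.User.Identity as WindowsIdentity;
        if (id == null || !id.IsAuthenticated)
            return "No Windows identity: enable Windows authentication and disable Anonymous in IIS.";

        // First hop: an NTLM token can never be forwarded, so the request must have arrived
        // over Kerberos, which needs an HTTP/<host> SPN registered on the app pool account.
        string summary = string.Format("user={0} auth={1} level={2}",
            id.Name, id.AuthenticationType, id.ImpersonationLevel);
        if (string.Equals(id.AuthenticationType, "NTLM", StringComparison.OrdinalIgnoreCase))
            return summary + " -> NTLM at the first hop; the web server SPN is missing or wrong.";

        // Second hop: impersonate and ask SQL Server who it sees and how it authenticated.
        // auth_scheme is the authoritative check: KERBEROS means delegation worked end to end.
        try
        {
            using (WindowsImpersonationContext wic = id.Impersonate())
            using (var con = new SqlConnection(ConnectionString))
            using (var cmd = new SqlCommand(
                "SELECT SUSER_SNAME(), auth_scheme FROM sys.dm_exec_connections " +
                "WHERE session_id = @@SPID", con))
            {
                con.Open();
                using (SqlDataReader r = cmd.ExecuteReader())
                {
                    r.Read();
                    return summary + string.Format(" -> SQL sees login={0} via {1}",
                        r.GetString(0), r.GetString(1));
                }
            }
        }
        catch (SqlException ex)
        {
            // A login failure for ANONYMOUS LOGON here means the app pool account is not
            // trusted for constrained delegation to the MSSQLSvc/<sqlhost>:<port> SPN.
            return summary + " -> second hop failed: " + ex.Message;
        }
    }
}
```

Once delegation is configured correctly the result should name the browsing user's domain account with auth_scheme KERBEROS; a result of NTLM, or the ANONYMOUS LOGON failure, points at the SPN or the delegation setting respectively.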
Oxiane
0 Points
3 Posts
Re: Full Windows authentication on 3 tiers (client - web server - Sql server)
Apr 13, 2012 04:40 PM
I have now enough elements to think about my problem.