Last post Mar 31, 2010 01:57 AM by dizruptor
Feb 25, 2010 07:45 PM|dizruptor|LINK
I'm using VS2010RC and Linq2SQL
Is it possible to use Windows authentication (i.e. domain accounts) with a Dynamic Data website when the users are logging into the site from the Internet and IIS and SQL-Server are on the same domain but different machines? If so how?
Both machines (Windows 2003 servers) are set up to use Kerberos delegation and the web app has identity impersonate = true.
Everything works fine when the users are already logged onto the domain but when they access the site from the Internet I get the following error:
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
I've looked at the technet articles about "Authenticating Web Application Users" and using "Kerberos Protocol Transition and Constrained Delegation" and understand why I'm having this problem, but I still don't know how to correct it. How can I impersonate a domain
account for my SQL-Server connection?
Any help would be appreciated.
Feb 26, 2010 04:43 AM|Maate|LINK
Hey, I have a suggestion and a couple of questions :-)
First, you could probably work around this problem by specifying a domain user in your identity tag, e.g. <identity impersonate="true" userName="DOMAIN\USER" password="PASSWORD" /> (as opposed to just <identity impersonate="true" />).
However, I'm not sure that I completely understand your setup, and thus to the questions:
1. Do you have Anonymous authentication enabled in IIS?
2. When you write that the user opens the app "from the internet", does this mean that they are not authenticated on the domain? E.g. that any user on the internet can access your app?
Feb 26, 2010 05:31 AM|sjnaughton|LINK
Hi Simon, have a look at this series of articles here:
These should work fine using the Active Directory Membership and Roles providers.
Securing Dynamic Data
Dynamic Data 4
VS2010 & .Net 4.0
Feb 27, 2010 07:51 PM|dizruptor|LINK
Hi Morten, thanks for the suggestion but I don't want to impersonate a fixed account. I want to impersonate the domain account of the user who logs in!
Anonymous authentication is disabled in IIS. Windows authentication is enabled.
When users access the site, if they are already logged into the domain with an authorised account then they are logged into the site automatically and this security context is used successfully to connect to SQL-Server from IIS.
When users access the site, if they are not already logged into the domain then they get the Windows login popup and can still log into the site. However, their domain security context is not used to connect to SQL-Server. This is the problem!
Hope I'm being a bit more clear.
Feb 27, 2010 07:52 PM|dizruptor|LINK
Thanks for the links Steve, I'll have a go and report back.
Feb 27, 2010 09:18 PM|dizruptor|LINK
Hi Steve, I've had a look at your article but don't see how it addresses my issue.
I'm trying to find out how I can enable IIS to connect to SQL-Server dynamically under the security context of a domain user account.
Is there any way I can programmatically control the security context which IIS uses to connect to SQL-Server?
Feb 28, 2010 04:47 AM|Maate|LINK
You should be able to add an <identity impersonate="true" userName="someuser" password="yadayada" /> in web.config.
Feb 28, 2010 06:53 AM|sjnaughton|LINK
Sorry Simon, I don't think I read your e-mail properly. You need to set up IIS Authentication with ASP.NET Impersonation. I think that should do it [:)]
Mar 01, 2010 12:12 AM|dizruptor|LINK
Thanks for the suggestion but the msdn article you suggested doesn't address this issue. "Identity impersonate = true" doesn't impersonate the security context to SQL-Server when the user isn't logged onto the domain (e.g. accessing the site from the Internet). That's the problem!
The msdn article How To: Use Impersonation and Delegation in ASP.NET 2.0 says:
Use protocol transition. With this approach, you use a non-Kerberos authentication mechanism to authenticate your users, and then use the new WindowsIdentity constructor to obtain a Windows token for the user on the server.
Use this approach when you cannot use Kerberos authentication to authenticate your users, for example because they connect to your application over the Internet, but your users do have Windows domain accounts. To get a delegate-level token with this approach, you must be running on a Windows Server 2003 in a Windows 2003 domain and you need to configure your computer or process account in Active Directory as trusted for delegation and protocol transition. For more information, see How To: Use Protocol Transition and Constrained Delegation with ASP.NET 2.0.
However, the article How To: Use Protocol Transition and Constrained Delegation with ASP.NET 2.0 doesn't explain how to set the security context for the entire application. I was hoping that someone on the forum might know how to do it.
Anyhow, I'm about ready to give up trying to use domain user account security contexts to control access to my data. It would have provided a very simple solution. Guess I need to use a fixed security context between IIS and SQL-Server with a full blown roles and schemas model instead.
Mar 01, 2010 02:19 PM|Maate|LINK
How about setting the user in the app pool identity instead?
Mar 01, 2010 02:39 PM|sjnaughton|LINK
Hi Simon, [:$] I'm not sure I am following you. Are the users, when out on the net, authenticating when accessing the site?
Mar 01, 2010 10:42 PM|dizruptor|LINK
I've tried to set the app pool identity by using the following code but not sure where to put it!
using System.Security.Principal; using System.Web;
// Stored in a static field; this snippet never calls Undo() on it
internal static WindowsImpersonationContext wic;
// Identity of the user IIS authenticated for the current request
IIdentity WinId = HttpContext.Current.User.Identity;
WindowsIdentity wi = (WindowsIdentity)WinId;
wic = wi.Impersonate(); // switch the current thread to the user's token
I guess it should run after the user logs in and that the WindowsImpersonationContext needs to be a global. I tried to put it in the master page and had strange results - I could access some tables but not others!!
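An added example, not code from this thread, covering both the MSDN protocol-transition quote above and the snippet in the previous post: the impersonation is scoped to the SQL call with a using block (so it is always undone and cannot leak between requests or threads), and when the caller's token is not delegation level (an NTLM logon via the Windows login popup) a fresh token is obtained for the same user with the WindowsIdentity(string) constructor, i.e. protocol transition. It assumes Windows authentication with identity impersonate="true" in web.config, an app pool account configured in AD for constrained delegation to the SQL Server SPN with "use any authentication protocol", and placeholder server and database names in ConnStr.

```csharp
// Added example (not from the thread). Assumed: Windows auth + <identity impersonate="true" />,
// app pool account trusted for constrained delegation to the SQL Server SPN with
// "use any authentication protocol", and placeholder server/database names below.
using System;
using System.Data.SqlClient;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
using System.Web;

public static class DelegatedSql
{
    const string ConnStr =
        "Data Source=SQLSERVER01;Initial Catalog=AppDb;Integrated Security=SSPI";

    // Kerberos clients arrive with a delegation-level token; NTLM clients do not.
    // For the latter, ask the KDC for a new token for the same user by UPN (S4U2Self).
    static WindowsIdentity GetDelegatableIdentity(WindowsIdentity caller)
    {
        if (caller.ImpersonationLevel == TokenImpersonationLevel.Delegation)
            return caller;
        // The WindowsIdentity(string) constructor needs user@domain, not DOMAIN\user,
        // so resolve the caller's SID to its UPN in Active Directory.
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.Sid, caller.User.Value))
        {
            if (user == null || string.IsNullOrEmpty(user.UserPrincipalName))
                throw new InvalidOperationException("No UPN found for " + caller.Name);
            return new WindowsIdentity(user.UserPrincipalName);
        }
    }

    // Returns the login SQL Server actually sees (SUSER_SNAME), the quickest check
    // that delegation worked: it should be the web user, not ANONYMOUS LOGON.
    public static string LoginSeenBySqlServer()
    {
        var caller = HttpContext.Current.User.Identity as WindowsIdentity;
        if (caller == null || caller.IsAnonymous)
            throw new UnauthorizedAccessException("Windows authentication is required.");
        WindowsIdentity delegable = GetDelegatableIdentity(caller);
        // Disposing the context calls Undo(), so the token never outlives this call.
        using (WindowsImpersonationContext wic = delegable.Impersonate())
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
        {
            conn.Open();
            return (string)cmd.ExecuteScalar();
        }
    }
}
```

Call LoginSeenBySqlServer() from a page or handler and compare the result with HttpContext.Current.User.Identity.Name; if the app pool account lacks the delegation settings, the WindowsIdentity(string) call yields an identification-level token and SQL Server will again report ANONYMOUS LOGON.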
Mar 01, 2010 10:55 PM|dizruptor|LINK
Yes, the users authenticate with Windows but not with Kerberos. It's a lower level of Windows authentication.
Since I can't find a simple solution to this problem I'm going to use the more traditional method of using a fixed security context between IIS and SQL-Server.
Thanks for taking an interest in and responding to this post.
Mar 02, 2010 03:57 AM|sjnaughton|LINK
Hi Simon, I suspect this is an issue we will eventually come across, so if you do find a solution then could you post it here [:)]
Mar 02, 2010 01:34 PM|Maate|LINK
Hey, please check out this :-)
Mar 02, 2010 09:00 PM|dizruptor|LINK
Thanks for posting the link which clearly describes the issue.
I've now abandoned Impersonation/Delegation for a Trusted Subsystem Model.
Many thanks for the input.
Mar 30, 2010 04:07 AM|dizruptor|LINK
I've managed to get everything to work fine according to your articles except for the hyperlink controls in Part 3. They don't appear to be implemented in your sample. Have I missed something?
Mar 30, 2010 06:07 AM|sjnaughton|LINK
Hi Simon, I've just downloaded the sample and found the two controls there in the ~/DynamicData/Content folder. Am I missing something? [:)]
Mar 31, 2010 01:57 AM|dizruptor|LINK
Aha, got it now. There's a couple of different links pointing to different versions. I had the DD_EF_SecuringDynamicData version instead of the DD_EF_SecuringDynamicData - 20090715 version.
Many Thanks, Simon