Integrated Security

 
 
Arnold
 
      09-11-2003
I'm trying to log on to SQL Server 2000 via an ASP.NET
page using SqlClient with integrated security. I get the
error message "invalid login NT_AUTHORITY/ANNONYMOUS". I
believe I have all the web.config settings correct
because I can get the page to work as long as it is on the
same computer as the WebServer (the sqlserver is on a
different machine). As soon as I access the page from a
client (browser not on same machine as web server) I get
the message. I'd appreciate any ideas.

TIA,

Arnold
 
 
 
 
 
Stefan
 
      09-11-2003
Do you have anonymous enabled in IIS?
If so --> disable anonymous.
 
 
 
 
Arnold
 
      09-11-2003
Forgot to mention the fact that I did have that set but I
realized it and fixed that. So, in answer to your
question, no, anonymous is not enabled.

Arnold
 
Stefan
 
      09-11-2003
Try to use the impersonation attribute in the web.config file:
<identity impersonate="true" />
so you get the identified token from IIS.
 
Arnold
 
      09-11-2003
Yes, that is set also.
 
Lior Amar
 
      09-11-2003
I'm pretty sure I know what the problem is, but before I answer, just tell me:
are the WebServer and SQL server on the same machine?

Lior
 
Arnold
 
      09-11-2003
No, they are not.
Arnold
 
Lior Amar
 
      09-11-2003
Strange, the only thing that can mean is no impersonation. When you print
out System.Security.Principal.WindowsIdentity.GetCurrent().Name, does it
show ASPNET, SYSTEM or the Logged on User? I've seen a couple of instances
where setting the Web.Config does not force impersonation but going into the
Machine.Config and setting the Identity tag to impersonate and the
authorization to Deny="?" does. Granted, both times I saw this, the Machine.Config
had been set up to SYSTEM.

SSPI should not fail when on the same machine so I would look more at your
ASPNET setup. If you can send me the Web.Config and the Machine.Config I
could better help you with it.

Lior,



 
Lewis Wang [MSFT]
 
      09-12-2003
Thanks Stefan, Lior for the suggestions.

Hi Arnold,

It's a Double-Hop Issue. Please check the following links for more
information:

264921 INFO: How IIS Authenticates Browser Clients
http://support.microsoft.com/?id=264921

What is the Double-Hop Issue?
http://support.microsoft.com/?id=329986#3

Here are two workarounds:

Method A
When the Web.config file is set to <identity impersonate="true"/> and
<authentication mode="Windows"/>, use the Anonymous account with the following
settings:

1. On the ASPX page, set the security mechanism to Anonymous only.
2. Clear the Allow IIS to control the password check box.
3. Set the Anonymous account to be a domain user.

Method B

When Web.config and Machine.config are set as follows:

1. When Web.config is set to <identity impersonate="false"/> and
<authentication mode="Windows"/>
2. When Machine.config is set to processModel
username=Domain\username,password=secret
3. If <identity impersonate="false"/> in the Web.config file, the credentials
of the Base process are used. When you supply a domain user and password,
you make it possible for IIS to pass a primary token to the SQL Server.

Hope this helps.

Best regards,
Lewis

This posting is provided "AS IS" with no warranties, and confers no rights.

 
Lior Amar
 
      09-12-2003
That was where I was leaning towards but he said that the SQL server and IIS
reside on the same machine which removes the possibility of it being a
double hop. Double hops occur when credential delegation needs to be
transferred from the 1st remote server to subsequent remote servers. This
can only be accomplished using Kerberos v.5 which is available on 2K and up.

From the sound of his problem, I would think it's more in the impersonation
or the fact that ASPNET does just in time impersonation.

Lior,


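
The identity check suggested earlier in the thread (printing the current Windows identity), extended to also report the token's impersonation level, which is what separates a working first hop from a failing second hop. This is an added example, not code from any poster; it assumes .NET Framework 2.0 or later, Windows authentication in Web.config, and a hypothetical handler name `WhoAmIHandler`.

```csharp
// Added diagnostic example; not code from the thread.
// Assumes .NET Framework 2.0+ (WindowsIdentity.ImpersonationLevel) and Windows authentication.
using System;
using System.Security.Principal;
using System.Text;
using System.Web;

public class WhoAmIHandler : IHttpHandler   // hypothetical name; map it to e.g. whoami.ashx
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";
        context.Response.Write(Describe(context.User.Identity, WindowsIdentity.GetCurrent()));
    }

    // requestUser: who IIS authenticated. threadUser: the token SqlClient hands to SSPI.
    public static string Describe(IIdentity requestUser, WindowsIdentity threadUser)
    {
        StringBuilder sb = new StringBuilder();
        sb.AppendLine("IIS-authenticated user : " + requestUser.Name);
        sb.AppendLine("IIS authentication type: " + requestUser.AuthenticationType);
        sb.AppendLine("Thread/process identity: " + threadUser.Name);
        sb.AppendLine("Token level            : " + threadUser.ImpersonationLevel);
        sb.AppendLine("Verdict                : " + Verdict(requestUser, threadUser));
        return sb.ToString();
    }

    static string Verdict(IIdentity requestUser, WindowsIdentity threadUser)
    {
        switch (threadUser.ImpersonationLevel)
        {
            case TokenImpersonationLevel.None:
                // Primary token: impersonation is off, so the worker process account is used.
                return "Not impersonating: SQL Server sees the worker process account.";
            case TokenImpersonationLevel.Delegation:
                return "Delegable token: the caller's identity can be carried to a remote SQL Server.";
            case TokenImpersonationLevel.Impersonation:
                if (string.Equals(requestUser.AuthenticationType, "NTLM", StringComparison.OrdinalIgnoreCase))
                    return "NTLM impersonation token: usable on this server; a remote SQL Server "
                         + "typically sees an anonymous logon when the browser is on another machine.";
                return "Impersonating without delegation: check Kerberos delegation for the second hop.";
            default:
                return "Token cannot be used for impersonation (" + threadUser.ImpersonationLevel + ").";
        }
    }
}
```

Request the handler once from a browser on the web server and once from a remote client, then compare the two outputs with the login name SQL Server reports.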



 