«

I'm at a loss to what the solution is. I have an intranet application that
runs on w2k3 with iis 6.0 security set to Integrated Windows authentication
only. I am using C# in .NET 2003 (7.1.308 w/ Framework 1.1 (1.1.4322 SP1).
The web.config authentication mode="Windows" and authorization set to <allow
users="*" />.
This app is trying to connect to SQL 7.0 on an NT server in the same domain.
I currently have a web service running on the same w2k3 web server that
accesses this same SQL Server but uses anonymous access (set to a domain
user) and it connects just fine. Here's a stripped down version of the
routine that throws the exception.

private DataTable getData()
{
SqlConnection conn = new SqlConnection ("server=ntServer;database=myDB;
Integrated
Security=SSPI");
conn.Open(); <--------- throws SqlException
....
}

When I use WindowsPrincipal.Identity.Name.ToString() to see who this .NET
app is being ran as, it comes back with the correct domain\username that has
proper access to the database (I even used the domain admin account). But
the SQL Error message is saying "Login failed for user'\'". I tried setting
the authentication mode to anonymous and use the same user and SqlConnection
as my web service but I get the same error message. I've got to be missing
something but what?

Please help.

Hello Karl S.,

do you have impersonation enabled??

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> I'm at a loss to what the solution is. I have an intranet application
> that
> runs on w2k3 with iis 6.0 security set to Integrated Windows
> authentication
> only. I am using C# in .NET 2003 (7.1.308 w/ Framework 1.1
> (1.1.4322 SP1).
> The web.config authentication mode="Windows" and authorization set to
> <allow
> users="*" />.
> This app is trying to connect to SQL 7.0 on an NT server in the same
> domain.
> I currently have a web service running on the same w2k3 web server
> that
> accesses this same SQL Server but uses anonymous access (set to a
> domain
> user) and it connects just fine. Here's a stripped down version of
> the routine that throws the exception.
>
> private DataTable getData()
> {
> SqlConnection conn = new SqlConnection
> ("server=ntServer;database=myDB;
>
> Integrated
> Security=SSPI");
> conn.Open(); <--------- throws SqlException
> ...
> }
> When I use WindowsPrincipal.Identity.Name.ToString() to see who this
> .NET app is being ran as, it comes back with the correct
> domain\username that has proper access to the database (I even used
> the domain admin account). But the SQL Error message is saying "Login
> failed for user'\'". I tried setting the authentication mode to
> anonymous and use the same user and SqlConnection as my web service
> but I get the same error message. I've got to be missing something
> but what?
>
> Please help.
>

Hi Dominick,

I do have <identity impersonate="true" /> set in the web.config file. It
does seem like it isn't taking though. Any thoughts on how to verify it?

~Karl

"Dominick Baier [DevelopMentor]" wrote:

> Hello Karl S.,
>
> do you have impersonation enabled??
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
> > I'm at a loss to what the solution is. I have an intranet application
> > that
> > runs on w2k3 with iis 6.0 security set to Integrated Windows
> > authentication
> > only. I am using C# in .NET 2003 (7.1.308 w/ Framework 1.1
> > (1.1.4322 SP1).
> > The web.config authentication mode="Windows" and authorization set to
> > <allow
> > users="*" />.
> > This app is trying to connect to SQL 7.0 on an NT server in the same
> > domain.
> > I currently have a web service running on the same w2k3 web server
> > that
> > accesses this same SQL Server but uses anonymous access (set to a
> > domain
> > user) and it connects just fine. Here's a stripped down version of
> > the routine that throws the exception.
> >
> > private DataTable getData()
> > {
> > SqlConnection conn = new SqlConnection
> > ("server=ntServer;database=myDB;
> >
> > Integrated
> > Security=SSPI");
> > conn.Open(); <--------- throws SqlException
> > ...
> > }
> > When I use WindowsPrincipal.Identity.Name.ToString() to see who this
> > .NET app is being ran as, it comes back with the correct
> > domain\username that has proper access to the database (I even used
> > the domain admin account). But the SQL Error message is saying "Login
> > failed for user'\'". I tried setting the authentication mode to
> > anonymous and use the same user and SqlConnection as my web service
> > but I get the same error message. I've got to be missing something
> > but what?
> >
> > Please help.
> >
>
>
>
>

Looks like I was wrong about the below statement.

> ... I tried setting
> the authentication mode to anonymous and use the same user and SqlConnection
> as my web service but I get the same error message. ...

When I set the authentication mode to anonymous and use the same username as
my web service, it works. It appears that using "Integrated Windows
authentication" only is why it is failing for me. What do I need to do to
get this to work?

Hello Karl S.,

so you are trying to access a back end resource using impersonated credentials.
this is called delegation and has to be configured.

have a look at:
http://www.leastprivilege.com/Troubl...elegation.aspx


---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hi Dominick,
>
> I do have <identity impersonate="true" /> set in the web.config
> file. It does seem like it isn't taking though. Any thoughts on how
> to verify it?
>
> ~Karl
>
> "Dominick Baier [DevelopMentor]" wrote:
>
>> Hello Karl S.,
>>
>> do you have impersonation enabled??
>>
>> ---------------------------------------
>> Dominick Baier - DevelopMentor
>> http://www.leastprivilege.com
>>> I'm at a loss to what the solution is. I have an intranet
>>> application
>>> that
>>> runs on w2k3 with iis 6.0 security set to Integrated Windows
>>> authentication
>>> only. I am using C# in .NET 2003 (7.1.308 w/ Framework 1.1
>>> (1.1.4322 SP1).
>>> The web.config authentication mode="Windows" and authorization set
>>> to
>>> <allow
>>> users="*" />.
>>> This app is trying to connect to SQL 7.0 on an NT server in the same
>>> domain.
>>> I currently have a web service running on the same w2k3 web server
>>> that
>>> accesses this same SQL Server but uses anonymous access (set to a
>>> domain
>>> user) and it connects just fine. Here's a stripped down version of
>>> the routine that throws the exception.
>>> private DataTable getData()
>>> {
>>> SqlConnection conn = new SqlConnection
>>> ("server=ntServer;database=myDB;
>>> Integrated
>>> Security=SSPI");
>>> conn.Open(); <--------- throws SqlException
>>> ...
>>> }
>>> When I use WindowsPrincipal.Identity.Name.ToString() to see who this
>>> .NET app is being ran as, it comes back with the correct
>>> domain\username that has proper access to the database (I even used
>>> the domain admin account). But the SQL Error message is saying
>>> "Login
>>> failed for user'\'". I tried setting the authentication mode to
>>> anonymous and use the same user and SqlConnection as my web service
>>> but I get the same error message. I've got to be missing something
>>> but what?
>>> Please help.
>>>

On Tue, 23 Aug 2005 17:07:03 -0700, "Karl S." <> wrote:

¤ Looks like I was wrong about the below statement.
¤
¤ > ... I tried setting
¤ > the authentication mode to anonymous and use the same user and SqlConnection
¤ > as my web service but I get the same error message. ...
¤
¤ When I set the authentication mode to anonymous and use the same username as
¤ my web service, it works. It appears that using "Integrated Windows
¤ authentication" only is why it is failing for me. What do I need to do to
¤ get this to work?

You need to configure your environment for Kerberos as Dominick referred to in his last reply.

IIS cannot delegate credentials to remote resources when Integrated Windows Authentication has been
implemented.


Paul
~~~~
Microsoft MVP (Visual Basic)

Thank you for steering me in the right direction. I'll check it out.

"Dominick Baier [DevelopMentor]" wrote:

> Hello Karl S.,
>
> so you are trying to access a back end resource using impersonated credentials.
> this is called delegation and has to be configured.
>
> have a look at:
> http://www.leastprivilege.com/Troubl...elegation.aspx
>
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
> > Hi Dominick,
> >
> > I do have <identity impersonate="true" /> set in the web.config
> > file. It does seem like it isn't taking though. Any thoughts on how
> > to verify it?
> >
> > ~Karl
> >
> > "Dominick Baier [DevelopMentor]" wrote:
> >
> >> Hello Karl S.,
> >>
> >> do you have impersonation enabled??
> >>
> >> ---------------------------------------
> >> Dominick Baier - DevelopMentor
> >> http://www.leastprivilege.com
> >>> I'm at a loss to what the solution is. I have an intranet
> >>> application
> >>> that
> >>> runs on w2k3 with iis 6.0 security set to Integrated Windows
> >>> authentication
> >>> only. I am using C# in .NET 2003 (7.1.308 w/ Framework 1.1
> >>> (1.1.4322 SP1).
> >>> The web.config authentication mode="Windows" and authorization set
> >>> to
> >>> <allow
> >>> users="*" />.
> >>> This app is trying to connect to SQL 7.0 on an NT server in the same
> >>> domain.
> >>> I currently have a web service running on the same w2k3 web server
> >>> that
> >>> accesses this same SQL Server but uses anonymous access (set to a
> >>> domain
> >>> user) and it connects just fine. Here's a stripped down version of
> >>> the routine that throws the exception.
> >>> private DataTable getData()
> >>> {
> >>> SqlConnection conn = new SqlConnection
> >>> ("server=ntServer;database=myDB;
> >>> Integrated
> >>> Security=SSPI");
> >>> conn.Open(); <--------- throws SqlException
> >>> ...
> >>> }
> >>> When I use WindowsPrincipal.Identity.Name.ToString() to see who this
> >>> .NET app is being ran as, it comes back with the correct
> >>> domain\username that has proper access to the database (I even used
> >>> the domain admin account). But the SQL Error message is saying
> >>> "Login
> >>> failed for user'\'". I tried setting the authentication mode to
> >>> anonymous and use the same user and SqlConnection as my web service
> >>> but I get the same error message. I've got to be missing something
> >>> but what?
> >>> Please help.
> >>>
>
>
>
>

Thanks Paul.

"Paul Clement" wrote:

> On Tue, 23 Aug 2005 17:07:03 -0700, "Karl S." <> wrote:
>
> ¤ Looks like I was wrong about the below statement.
> ¤
> ¤ > ... I tried setting
> ¤ > the authentication mode to anonymous and use the same user and SqlConnection
> ¤ > as my web service but I get the same error message. ...
> ¤
> ¤ When I set the authentication mode to anonymous and use the same username as
> ¤ my web service, it works. It appears that using "Integrated Windows
> ¤ authentication" only is why it is failing for me. What do I need to do to
> ¤ get this to work?
>
> You need to configure your environment for Kerberos as Dominick referred to in his last reply.
>
> IIS cannot delegate credentials to remote resources when Integrated Windows Authentication has been
> implemented.
>
>
> Paul
> ~~~~
> Microsoft MVP (Visual Basic)
>