Web Server connecting to db server on different machines

 
 
Ben
      03-28-2006
Hello

I'm creating an asp.net web app that will need to connect to a SQL Server db
on another machine. I have set this up using trusted connections and
impersonation in the web.config file but I am getting a "Login failed for
user 'NT AUTHORITY\ANONYMOUS LOGON'" message. I need this to work through
domain accounts on both machines.

Currently, it will work if I am using the machine where the web app resides
(i.e. http://localhost/webapp/page.aspx) but I get the above message when
using another remote machine.

Any help is appreciated.
Ben
 
Dominick Baier [DevelopMentor]
      03-28-2006
http://msdn.microsoft.com/msdnmag/is...s/default.aspx

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Ben
      03-28-2006
Thank you.

Seeing as I may not be able to convince our AD services group to do this, is
there another option?

Thanks.

Ben
      03-28-2006
Sorry for the question, but do you have a link that describes the trusted
subsystem design?

Thanks for your help!

"Dominick Baier [DevelopMentor]" wrote:

> Hi,
>
> if you want to delegate client credentials - Kerberos is the only way to go.
>
> You could disable delegation and use a trusted subsystem design to access
> the back-end resources.
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
Ben
      03-28-2006
Dominick

Thanks for the replies (again).

That solution won't work for us as we are building security into the
database to identify which data a user has access to based on their domain
account.

I will have to investigate either delegation or having the web server reside
on the same machine as the database.

Thanks again.

"Dominick Baier [DevelopMentor]" wrote:

> hi - no problem -
>
> not really a good one -
>
> but the general idea is that you do authentication, authorization and auditing
> in the middle tier and access the back-end resource using the middle tier
> server credentials as opposed to the client ones...
>
>
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
Joe Kaplan (MVP - ADSI)
      03-31-2006
Setting up the various SPNs and enabling constrained delegation (if your AD
is 2003) isn't a big deal and is quite secure. If they are concerned about
their privileged domain admin accounts being delegated, they can flag them
as "sensitive and cannot be delegated".

Joe K.
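
The steps named in the reply above (SPNs, constrained delegation, the "sensitive and cannot be delegated" flag), written out with the ActiveDirectory PowerShell module as an added example that is not part of any post in this thread. The domain, account, host and SPN values are placeholders, and it assumes the IIS application pool and the SQL Server service each run as a domain account.

```powershell
# Added example; every name below is a placeholder (assumption), not from the thread.
Import-Module ActiveDirectory

$Domain     = 'CORP'
$WebAccount = 'svc-webapp'          # domain account the IIS application pool runs as
$SqlAccount = 'svc-sql'             # domain account the SQL Server service runs as
$WebHost    = 'web01.corp.example'  # host name browsers use to reach the site
[string[]]$SqlSpns = 'MSSQLSvc/sql01.corp.example:1433', 'MSSQLSvc/sql01.corp.example'

# 1. Register the SPNs. -S checks for duplicates first: an SPN registered on two
#    accounts breaks Kerberos and the client falls back to NTLM, which cannot be
#    delegated (the ANONYMOUS LOGON symptom at the database).
setspn -S "HTTP/$WebHost" "$Domain\$WebAccount"
foreach ($spn in $SqlSpns) { setspn -S $spn "$Domain\$SqlAccount" }

# 2. Constrained delegation, Kerberos only: the web account may forward a
#    user's ticket to the listed SQL Server SPNs and to nothing else.
#    Unconstrained delegation and protocol transition are switched off.
Set-ADUser -Identity $WebAccount -Replace @{ 'msDS-AllowedToDelegateTo' = $SqlSpns }
Set-ADAccountControl -Identity $WebAccount `
    -TrustedForDelegation $false `
    -TrustedToAuthForDelegation $false

# 3. Flag privileged accounts "sensitive and cannot be delegated" so no
#    service can act on their behalf, whatever its delegation settings.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Set-ADAccountControl -Identity $_.DistinguishedName -AccountNotDelegated $true
    }

# 4. Read back what was set so the AD team can review it.
Get-ADUser -Identity $WebAccount -Properties servicePrincipalName,
    'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation |
    Format-List SamAccountName, servicePrincipalName, 'msDS-AllowedToDelegateTo',
        TrustedForDelegation, TrustedToAuthForDelegation
```

To confirm the second hop is using Kerberos, run `SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID` over the web app's own connection; it should report `KERBEROS` rather than `NTLM`.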