IIS Server Security - IIS passing server credentials rather than user credentials







cfs

2006-07-05, 3:00 pm

We are developing a web app using IIS 6, ASP .Net 2.0 on a Win2003 box.
We are using VS2005 and building for .Net 2.0 framework.

We set IIS up to use integrated security. However when I access the
application through IE, it cannot connect to the server. When I check
the SQL Server logs, I see a failed attempt to login by <domain
name>\<web server name>. It looks like it is using the credentials
under which the web server is running.

The desired behavior is to use the profile of the domain user who is
using IE.

When I give <domain name>\<web server name> explicit access to the SQL
Server DB it *can* connect.

This reeks of a misconfiguration. What could we be doing wrong?

TIA

Ken Schaefer

2006-07-05, 7:39 pm

You need to verify that:
a) the browser (IE) is actually using Kerberos to authenticate to IIS, not
NTLM. NTLM is not natively delegatable. What is the URL you are using to
connect to? If it is in the Internet security zone, you will need to
manually add it to IE's Intranet security zone.

b) you need to verify that the IIS server is permitted to delegate in Active
Directory (either the machine account if you are running the web app pool as
a built-in principal like Network Service, or the user account if you are
using a custom domain account)

c) you need to verify that your Kerberos SPNs (Service Principal Names) are
correctly configured. This is done automatically if you are connecting to
http://servername or http://servername.domain.com. However if you have
created an additional DNS CNAME or A record for this website, or you are
using the IP address of the server, then you may need to change/update your
Kerberos SPNs.

Cheers
Ken


"cfs" <wayhip@hotmail.com> wrote in message
news:1152129654.720884.259350@v61g2000cwv.googlegroups.com...
> We are developing a web app using IIS 6, ASP .Net 2.0 on a Win2003 box.
> We are using VS2005 and building for .Net 2.0 framework.
>
> We set IIS up to use integrated security. However when I access the
> application through IE, it cannot connect to the server. When I check
> the SQL Server logs, I see a failed attempt to login by <domain
> name>\<web server name>. It looks like it is using the credentials
> under which the web server is running.
>
> The desired behavior is to use the profile of the domain user who is
> using IE.
>
> When I give <domain name>\<web server name> explicit access to the SQL
> Server DB it *can* connect.
>
> This reeks of a misconfiguration. What could we be doing wrong?
>
> TIA
>



Jeff Cochran

2006-07-05, 9:20 pm

On 5 Jul 2006 13:00:54 -0700, "cfs" <wayhip@hotmail.com> wrote:

>We are developing a web app using IIS 6, ASP .Net 2.0 on a Win2003 box.
>We are using VS2005 and building for .Net 2.0 framework.
>
>We set IIS up to use integrated security. However when I access the
>application through IE, it cannot connect to the server. When I check
>the SQL Server logs, I see a failed attempt to login by <domain
>name>\<web server name>. It looks like it is using the credentials
> under which the web server is running.
>
>The desired behavior is to use the profile of the domain user who is
>using IE.
>
>When I give <domain name>\<web server name> explicit access to the SQL
>Server DB it *can* connect.
>
>This reeks of a misconfiguration. What could we be doing wrong?


Is IE set to remember passwords? If so it may not pass the correct
credentials.

Jeff
Ken Schaefer

2006-07-06, 1:22 am


"Jeff Cochran" <jeff.nospam@zina.com> wrote in message
news:44b07326.794595046@msnews.microsoft.com...
> On 5 Jul 2006 13:00:54 -0700, "cfs" <wayhip@hotmail.com> wrote:
>
>
> Is IE set to remember passwords? If so it may not pass the correct
> credentials.


True, but that would not result in the server's machine account being used
to log in to SQL Server.

Cheers
Ken


cfs

2006-07-06, 9:41 am

Fixed it. Thanks...


Ken Schaefer wrote:
> You need to verify that:
> a) the browser (IE) is actually using Kerberos to authenticate to IIS, not
> NTLM. NTLM is not natively delegatable. What is the URL you are using to
> connect to? If it is in the Internet security zone, you will need to
> manually add it to IE's Intranet security zone.
>
> b) you need to verify that the IIS server is permitted to delegate in Active
> Directory (either the machine account if you are running the web app pool as
> a built-in principal like Network Service, or the user account if you are
> using a custom domain account)
>
> c) you need to verify that your Kerberos SPNs (Service Principal Names) are
> correctly configured. This is done automatically if you are connecting to
> http://servername or http://servername.domain.com. However if you have
> created an additional DNS CNAME or A record for this website, or you are
> using the IP address of the server, then you may need to change/update your
> Kerberos SPNs.
>
> Cheers
> Ken
>
>
> "cfs" <wayhip@hotmail.com> wrote in message
> news:1152129654.720884.259350@v61g2000cwv.googlegroups.com...

Roger Abell [MVP]

2006-07-07, 1:20 am

So your web.config or machine.config is specifying impersonation, right?
(and we seem to be assuming that this is not allowing anonymous access).

--
Roger Abell
Microsoft MVP (Windows Server : Security)

"cfs" <wayhip@hotmail.com> wrote in message
news:1152129654.720884.259350@v61g2000cwv.googlegroups.com...
> We are developing a web app using IIS 6, ASP .Net 2.0 on a Win2003 box.
> We are using VS2005 and building for .Net 2.0 framework.
>
> We set IIS up to use integrated security. However when I access the
> application through IE, it cannot connect to the server. When I check
> the SQL Server logs, I see a failed attempt to login by <domain
> name>\<web server name>. It looks like it is using the credentials
> under which the web server is running.
>
> The desired behavior is to use the profile of the domain user who is
> using IE.
>
> When I give <domain name>\<web server name> explicit access to the SQL
> Server DB it *can* connect.
>
> This reeks of a misconfiguration. What could we be doing wrong?
>
> TIA
>
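An added example, not code from the thread or its participants: a read-only PowerShell check for Ken's points (b) and (c) above (delegation rights and SPNs on the account IIS authenticates as) and for Roger's question about impersonation in web.config. It assumes the RSAT ActiveDirectory module and setspn.exe are available on the machine it runs from, and the server name, app pool account, host names and web.config path are placeholders to replace; Ken's point (a), the IE security zone, has to be checked on the client.

```powershell
# Added example, not part of the thread. Read-only checks for the conditions
# Ken (points b and c) and Roger (impersonation) describe. Assumes RSAT's
# ActiveDirectory module and setspn.exe are present; names below are placeholders.
Import-Module ActiveDirectory
$WebServer      = 'WEBSRV01'                             # placeholder: IIS machine name
$AppPoolAccount = $null                                  # placeholder: custom domain account, $null for Network Service
$SiteHostNames  = @('webapp', 'webapp.corp.example')     # placeholder: every host name users put in the URL
$WebConfigPath  = 'C:\inetpub\wwwroot\webapp\web.config' # placeholder

# (b) Network Service authenticates to the network as the machine account, so
# delegation rights and SPNs live on the computer object; a custom app pool
# account carries its own.
$props = 'TrustedForDelegation', 'msDS-AllowedToDelegateTo', 'ServicePrincipalNames'
if ($AppPoolAccount) { $principal = Get-ADUser -Identity $AppPoolAccount -Properties $props }
else                 { $principal = Get-ADComputer -Identity $WebServer -Properties $props }
$constrained = @($principal.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
if ($principal.TrustedForDelegation) {
    Write-Warning "$($principal.Name) uses unconstrained delegation; constrain it to the SQL Server's MSSQLSvc SPN"
} elseif ($constrained.Count -eq 0) {
    Write-Warning "$($principal.Name) is not trusted for delegation: on the second hop IIS falls back to its own identity"
} else {
    "Constrained delegation targets: $($constrained -join ', ')"
}

# (c) The browser needs an HTTP/<hostname> SPN for each name in the URL to get a
# Kerberos ticket; otherwise it silently falls back to NTLM, which cannot be
# delegated. For the computer account the built-in HOST/<name> SPN also covers HTTP.
foreach ($h in $SiteHostNames) {
    $spn = "HTTP/$h"
    $covered = $principal.ServicePrincipalNames | Where-Object {
        $_ -eq $spn -or (-not $AppPoolAccount -and $_ -eq "HOST/$h") }
    if ($covered) { "$spn OK"; continue }
    # setspn -Q searches the forest; a CN= line means the SPN sits on some other account
    $elsewhere = (& setspn.exe -Q $spn) -match '^\s*CN='
    if ($elsewhere) { Write-Warning "$spn is registered on another account: $($elsewhere -join '; ')" }
    else            { Write-Warning "$spn is not registered; add it to $($principal.Name) with setspn -S" }
}

# Roger's question: without <identity impersonate="true"/> under Windows
# authentication the request thread runs as the app pool identity, and that is
# the account SQL Server sees regardless of how the browser authenticated.
[xml]$cfg = Get-Content -Path $WebConfigPath
$auth = $cfg.configuration.'system.web'.authentication.mode
$imp  = $cfg.configuration.'system.web'.identity.impersonate
if ($auth -ne 'Windows') { Write-Warning "authentication mode is '$auth'; expected Windows" }
if ($imp  -ne 'true')    { Write-Warning "identity impersonate is '$imp'; SQL connections will use the app pool account" }
```

A failed SQL Server login from a name ending in `$` (the machine account) while every check above passes usually means the client fell back to NTLM, which is the intranet-zone problem in Ken's point (a).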



Jeff Cochran

2006-07-07, 7:17 pm

On Thu, 6 Jul 2006 16:22:20 +1000, "Ken Schaefer"
<kenREMOVE@THISadOpenStatic.com> wrote:

>
>"Jeff Cochran" <jeff.nospam@zina.com> wrote in message
>news:44b07326.794595046@msnews.microsoft.com...
>
>True, but that would not result in the server's machine account being used
>to log in to SQL Server.


It happens here. IE is used to access a domain that isn't in the
intranet zone. User logs in and IE remembers the password. From
there on, the credentials become whatever account was used on the
server. Using Windows authentication in SQL, it passes the server's
login, not the user's. Bugged the heck out of us for about three
weeks until we tracked it down. Even after the domain is added to the
intranet zone, the user becomes the server account for some reason.

Haven't done any diagnostics beyond this to track down what's going
on, so can't say it's his issue.

Jeff
Ken Schaefer

2006-07-09, 1:23 am


"Jeff Cochran" <jeff.nospam@zina.com> wrote in message
news:44b1ee82.160039828@msnews.microsoft.com...
> On Thu, 6 Jul 2006 16:22:20 +1000, "Ken Schaefer"
> <kenREMOVE@THISadOpenStatic.com> wrote:
>
>
> It happens here. IE is used to access a domain that isn't in the
> intranet zone. User logs in and IE remembers the password. From
> there on, the credentials become whatever account was used on the
> server. Using Windows authentication in SQL, it passes the server's
> login, not the user's. Bugged the heck out of us for about three
> weeks until we tracked it down. Even after the domain is added to the
> intranet zone, the user becomes the server account for some reason.


This has nothing to do with "remember credentials". The user account doesn't
"become" the server's credentials automagically because you've chosen to
remember some credentials in IE. The server has no knowledge of whether the
user has manually entered credentials, or the browser is auto-submitting
them.

The machine account is used when you are running into a double-hop
authentication issue. The user has authenticated to IIS, but IIS doesn't
have any way of using those credentials to logon to the backend server. In
which case the machine account is used.

Cheers
Ken


Copyright 2003 - 2008 webservertalk.com