
Thread: ASP Classic, IIS 7, SQL 2005, and Windows Authentication Problem

Last post 06-11-2009 3:00 PM by thig95. 4 replies.


  • 06-04-2009, 9:53 AM

    • thig95
    • Not Ranked
    • Joined on 06-03-2009, 4:59 PM
    • Posts 4

    ASP Classic, IIS 7, SQL 2005, and Windows Authentication Problem

    I have recently migrated an application written in ASP classic to a server running IIS 7 (64bit) on Server 2008 Standard. I have IIS 6 compatibility installed, as well as basic and windows authentication modules. This server is part of a corporate domain. I am trying to establish windows authentication to this web server as well as a SQL 2005 server also running on Server 2008. My desire is to use windows authentication to the db server, and this is where my problem lies.

    For more details, I have set up a custom site called CRM. This site has its own application pool, also called CRM. I have configured the application pool identity to use my domain account (for testing purposes, since I know my account has rights to the db I'm trying to connect to). When I enable Windows authentication, I am able to successfully log on to the site and its ASP pages; however, when calls to the db are made (using ADO) I get

    Microsoft OLE DB Provider for SQL Server error '80040e4d'
    Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

    So from this I assume that even though I'm using my domain logon as the worker process identity, those credentials aren't simply passed when making calls to other resources on the network. Is there a way to do that? My end goal is to have users get into the site without having to type their credentials, and have their domain account provide access to the db rather than having to set up a generic SQL login and use that in my connection string.

    Clearly from the above error I am using OLEDB, but I have also tried to set this up using a DSN connection via ODBC. Both resulted in the same error. So this doesn't seem to be a SQL problem, but rather a question of how credentials are being passed to SQL from IIS. This setup will work if I use basic authentication, since it then just stores the id and password in cleartext. But I don't want to go that route for obvious reasons.

    Any help would be greatly appreciated! I've found a slew of documentation on this for .NET, but I'm not about to rewrite my whole app just to get authentication working properly.

  • 06-04-2009, 10:51 AM In reply to

    Re: ASP Classic, IIS 7, SQL 2005, and Windows Authentication Problem

    Hi,

    What you are experiencing is the classic 'Double Hop' authentication scenario. In order for a user's credentials to be forwarded (delegated) to a back-end database (or any other application) the user has to authenticate to the web server using Kerberos. In addition there needs to be a Service Principal Name for both the web application and the back-end service to which you wish to delegate.

    As you're using IIS7 I would suggest that you use the new version of DelegConfig, which should hopefully point you in the right direction:

    DelegConfig v2 beta (Delegation / Kerberos Configuration Tool)

    Regards,


    Paul Lynch | www.iisadmin.co.uk
  • 06-04-2009, 11:01 AM In reply to

    • thig95
    • Not Ranked
    • Joined on 06-03-2009, 4:59 PM
    • Posts 4

    Re: ASP Classic, IIS 7, SQL 2005, and Windows Authentication Problem

    Thanks very much Paul... I'm going to download this and give it a try. I will let you know whether I'm successful or not!

  • 06-08-2009, 9:13 AM In reply to

    • thig95
    • Not Ranked
    • Joined on 06-03-2009, 4:59 PM
    • Posts 4

    Re: ASP Classic, IIS 7, SQL 2005, and Windows Authentication Problem

    So I was able to successfully run the tool via my website. The problem was as you stated... NTLM was being utilized for authentication and there was no SPN associated with the domain account that the worker process is running under. I made the recommended changes; however, now I'm unable to access the site at all. I know Kerberos is being used now, but it is failing.

    I had a new account called "iis-svc" created on the domain. For debugging purposes I granted this user trust for delegation to any service. I created an SPN record using "setspn.exe -A mydomain\iis-svc HTTP/CRM", with "CRM" being the DNS name of the site. The site is not bound to the IP of the machine; rather, I'm using "CRM" as the host header value over port 80. That way other sites can also be run from this server. I read somewhere that you need to use the FQDN for the SPN... is that true in this case? That is not what the tool stated I needed to do.

    When I check the security log on the server, it does show failed logon attempts via Kerberos. What is strange is that it does not show my domain account (the account I'm trying to log on from) in the log, but rather NULL SID with the error "Unknown user name or bad password" status:0xc000006d. On the client, I am prompted to enter my domain credentials 3 times, after which I get 401 not authorized.

  • 06-11-2009, 3:00 PM In reply to

    • thig95
    • Not Ranked
    • Joined on 06-03-2009, 4:59 PM
    • Posts 4

    Re: ASP Classic, IIS 7, SQL 2005, and Windows Authentication Problem

    I've now got Kerberos authenticating properly to the website. I needed to disable Kernel Mode because I put the two SPNs under the domain account. I am still not able to get credentials to be delegated to the backend database server. I know it's because I don't have the SPN set right for that. I tried "setspn.exe -A MSSQLSvc/<mySQLserv>:1433 domain\svc-sql" but this didn't seem to work... can you help me with what it needs to be?
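The thread turns on three things Paul names in his reply and thig95 then configures by hand: an HTTP SPN on the app pool account for every name clients use, an MSSQLSvc SPN on the account the SQL Server service runs as, and a delegation setting on the web account. The following PowerShell script is an added example written for this page, not something posted in the thread or shipped with DelegConfig. It audits those three pieces read-only from a domain-joined machine using the ActiveDirectory module and setspn.exe (both real tools; setspn's -X and -A switches appear in Microsoft's documentation). All account and host names in it are constructed placeholders standing in for the thread's "iis-svc", "svc-sql", "CRM" and "<mySQLserv>"; the FQDN values are assumptions to replace with your own.

```powershell
# Added example, not from the thread: read-only audit of the SPNs and delegation
# settings that Kerberos delegation from IIS to SQL Server depends on.
# Requires RSAT (ActiveDirectory module) and setspn.exe; run as a domain user.
# All names below are constructed placeholders.
param(
    [string]$WebAppPoolAccount = 'iis-svc',            # account the CRM app pool runs as
    [string]$SqlServiceAccount = 'svc-sql',            # account the SQL Server service runs as
    [string]$WebHostHeader     = 'CRM',                # host header in the site binding
    [string]$WebFqdn           = 'crm.corp.example',   # assumed FQDN clients may also use
    [string]$SqlHost           = 'sql01.corp.example', # assumed FQDN of the SQL host
    [int]   $SqlPort           = 1433
)

Import-Module ActiveDirectory

function Get-RegisteredSpns([string]$SamAccountName) {
    # servicePrincipalName is multi-valued; always return an array
    $acct = Get-ADUser -Identity $SamAccountName -Properties servicePrincipalName
    return @($acct.servicePrincipalName)
}

function Test-Spn([string[]]$Registered, [string]$Expected) {
    $state = if ($Registered -contains $Expected) { 'OK' } else { 'MISSING' }
    '{0,-8} {1}' -f $state, $Expected
}

# 1. HTTP SPNs: the browser requests a ticket for whatever name is in the URL,
#    so the short host header and the FQDN both need an SPN on the same account.
$webSpns = Get-RegisteredSpns $WebAppPoolAccount
"HTTP SPNs registered on $WebAppPoolAccount"
Test-Spn $webSpns "HTTP/$WebHostHeader"
Test-Spn $webSpns "HTTP/$WebFqdn"

# 2. SQL Server SPN: service class MSSQLSvc, FQDN of the SQL host, TCP port,
#    registered on the account that runs the SQL Server service.
$sqlSpns = Get-RegisteredSpns $SqlServiceAccount
"MSSQLSvc SPNs registered on $SqlServiceAccount"
Test-Spn $sqlSpns "MSSQLSvc/${SqlHost}:$SqlPort"

# 3. Duplicate SPNs anywhere in the forest make the KDC unable to choose a key;
#    the symptom is failed Kerberos logons (0xc000006d) and a 401 after retries.
"Forest-wide duplicate SPN check (setspn -X):"
setspn.exe -X

# 4. Delegation on the web account. Unconstrained ("any service") is what the
#    thread used for debugging; constrained to the MSSQLSvc SPN is the safer end state.
$web = Get-ADUser -Identity $WebAppPoolAccount `
        -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
"TrustedForDelegation (unconstrained): $($web.TrustedForDelegation)"
"msDS-AllowedToDelegateTo (constrained): $($web.'msDS-AllowedToDelegateTo' -join ', ')"
```

Every line of output is a read of existing directory state, so the script can be re-run after each `setspn -A` to confirm the change landed before testing the site again. Section 4 is the one to revisit once delegation works: an account trusted for delegation to any service can obtain tickets to every Kerberos service in the domain on behalf of anyone who authenticates to it, so narrowing it to the single MSSQLSvc SPN is the least-privilege finish to the setup the thread describes.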
