I have a website with Impersonation turned on.

IIS Windows Authentication is on and Anonymous Access is OFF.

SQL Server security has a Domain\TestUser account added.

I logged on with Domain\TestUser.

Browsing a test page shows that HttpContext is set to Domain\TestUser and ApplicationPool is set to Domain\TestUser - which it should... however I get an error browsing my target web page (which attempts to connect to SQL) which tells me that "NT AUTHORITY\ANONYMOUS LOGON" is attempting to connect to SQL.

Further to this, I ran a script from a Microsoft web page which tells me that my account will NOT flow through to SQL. http://msdn.microsoft.com/en-us/library/bsz5788z.aspx

Question is - why??

IsWellKnown(WellKnownSidType.InteractiveSid)
IsWellKnown(WellKnownSidType.BatchSid)
IsWellKnown(WellKnownSidType.ServiceSid)

None of the above returns True, but what do they mean!?

Thanks in advance,

KS

Perplexed
  • Sounds like you are running into the double hop issue: http://weblogs.asp.net/owscott/archive/2008/08/22/iis-windows-authentication-and-the-double-hop-issue.aspx – BlackICE Nov 23 '11 at 21:56
  • Interesting... but then why does this Microsoft article show steps on how to achieve what I am attempting?! http://msdn.microsoft.com/en-us/library/bsz5788z.aspx – Perplexed Nov 23 '11 at 22:17
  • Can you post your connection code (the connection string mainly)? I think you need to pass the credentials from Windows Authentication into the SQL connection. – Chris Nov 23 '11 at 22:31
  • Ok, so having looked at the Microsoft article more closely - it says that for remote servers (i.e. on a different box) you should clear Windows authentication and check Basic. Doing this worked - but that sucks, I don't want credentials sent in clear text and I don't want the user to type in credentials. My connection string uses integrated security btw. – Perplexed Nov 23 '11 at 22:37

1 Answer

As David pointed out, it appears to be a double hop issue. Rather than using basic authentication, another work-around could be to use mixed authentication mode in SQL Server and pass the user credentials from the connection string.

Of course, you can always try to solve the double hop issue - see these links:

http://www.sqlservercentral.com/Forums/Topic1043330-359-1.aspx (this gives the basic steps)
http://blogs.technet.com/b/taraj/archive/2009/01/29/checklist-for-double-hop-issues-iis-and-sql-server.aspx (same as above but in check-list format - useful for trouble-shooting)

VinayC
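A diagnostic for the double-hop condition discussed in this thread, as an added example that is not part of any post and not the script from the linked Microsoft page. It reports the logon-type SIDs the question asks about plus the token's impersonation level; the class and method names are hypothetical, and the verdict strings are an interpretation under the assumption that only a delegation-level token or a logon created with credentials on the web server can authenticate to a remote SQL Server.

```csharp
// Added example, not code from the thread. Names are hypothetical.
using System;
using System.Linq;
using System.Security.Principal;

public static class DoubleHopCheck
{
    // True when the token's group list contains the given well-known SID.
    static bool Has(WindowsIdentity id, WellKnownSidType type)
    {
        return id.Groups != null &&
               id.Groups.OfType<SecurityIdentifier>().Any(s => s.IsWellKnown(type));
    }

    // Call with WindowsIdentity.GetCurrent() from the impersonating page.
    public static string Describe(WindowsIdentity id)
    {
        // Logon-type SIDs that Windows adds to a token when the session is created.
        bool interactive = Has(id, WellKnownSidType.InteractiveSid); // S-1-5-4
        bool batch       = Has(id, WellKnownSidType.BatchSid);       // S-1-5-3
        bool service     = Has(id, WellKnownSidType.ServiceSid);     // S-1-5-6
        bool network     = Has(id, WellKnownSidType.NetworkSid);     // S-1-5-2

        // Assumed interpretation (see lead-in), not an authoritative rule.
        string verdict;
        if (id.ImpersonationLevel == TokenImpersonationLevel.Delegation)
            verdict = "delegation token: Kerberos delegation is in effect for the second hop";
        else if (interactive || batch || service)
            verdict = "interactive, batch or service logon: session was created with credentials here";
        else
            verdict = "no delegation and no local logon SID: typical double-hop condition";

        return string.Format(
            "{0} auth={1} level={2} interactive={3} batch={4} service={5} network={6} => {7}",
            id.Name, id.AuthenticationType, id.ImpersonationLevel,
            interactive, batch, service, network, verdict);
    }

    public static void Main()
    {
        // Console run shows the process identity; in ASP.NET call Describe from a page.
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
            Console.WriteLine(Describe(id));
    }
}
```

NTLM never yields a delegation-level token, so an `auth=NTLM` result with `level=Impersonation` points at the authentication protocol rather than at the SQL Server login.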