Re: Windows Auth to SQL Server from ATL Web Service not working...

From:
"Alexander Nickolov" <agnickolov@mvps.org>
Newsgroups:
microsoft.public.vc.atl
Date:
Fri, 18 Jan 2008 13:43:05 -0800
Message-ID:
<uNI9orhWIHA.4740@TK2MSFTNGP02.phx.gbl>
Isn't a domain an option? Legacy credentials matching is a tricky
business better left unexplored...

--
=====================================
Alexander Nickolov
Microsoft MVP [VC], MCSD
email: agnickolov@mvps.org
MVP VC FAQ: http://vcfaq.mvps.org
=====================================

"mike" <mikebizub@hotmail.com> wrote in message
news:8d72d88a-8342-4432-95d3-67557d7fdeb8@s13g2000prd.googlegroups.com...
On Jan 17, 1:59 pm, "Brian Muth" <bm...@mvps.org> wrote:

"mike" <mikebi...@hotmail.com> wrote in message
news:8f08910a-b98b-4098-bbb0-d3069a203bf6@h11g2000prf.googlegroups.com...

I have a web service that I've created using ATL Server (Visual Studio
2005 running on Windows 2003). The web service has NTLM auth on and
anonymous turned off. The app pool it's in is running under a local
machine account. I'm trying to access SQL Server on a different
machine. When I hit the web service with a simple test application,
it appears to authenticate me and has LOGON_USER equal to the
account I'm logged on as. However, when the database call happens, it
looks as though these credentials are not flowing to SQL, as the event
log on the SQL box has a security audit failure with the account being
anonymous.

Can someone please help me understand how I can flow credentials (they
could even be the one the application pool in IIS is running under) to
SQL on a different box from my web service in an ATL Server web
service.


By default, security credentials are only allowed to cross one application
boundary. You are configured for two hops: The first hop
is from the test application to the web service. At that point the web
service's thread has an impersonation token and is now
impersonating the security identity of the test application. However, this
impersonation token is not passed on to the SQL Server.
Instead the process token is used, which is running as the local system
account. This is interpreted as "anonymous" by the SQL
Server.

Probably the simplest solution is to run the web service under a specific
account, something other than the local system account.
You should confirm that this is the account that is "seen" by SQL Server.
If you want to have the original user's account passed on
over two hops, then your only option is to turn on delegation. This is not
for the faint of heart; there are quite a few dials that
need to be adjusted to get delegation to work. It's generally not
recommended, because then your SQL Server connection pool count
will go way up.


Brian,

Thanks for the quick reply. I'm running the application pool that the
web service is in under an account that exists on both the web and SQL
server (same name/password). Below are 3 entries from the web server
event log. The 3rd entry seems to imply it's trying to negotiate using
the IUSR account for some reason instead of the encoder account (the
account that is common to both machines and that the application pool
is running under). I was under the impression that in this scenario,
the encoder account would be used as the account going to SQL Server.

Do you know what might be causing this?

Entry 1 ======================================================

Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 1/17/2008
Time: 2:29:15 PM
User: SERVER2\IUSR_SERVER2
Computer: SERVER2
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account: IUSR_SERVER2
 Source Workstation: SERVER2
 Error Code: 0x0

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Entry 2 ======================================================

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 552
Date: 1/17/2008
Time: 2:29:15 PM
User: SERVER2\encoder
Computer: SERVER2
Description:
Logon attempt using explicit credentials:
 Logged on user:
  User Name: encoder
  Domain: SERVER2
  Logon ID: (0x0,0x5337B3B)
  Logon GUID: -
 User whose credentials were used:
  Target User Name: IUSR_SERVER2
  Target Domain: SERVER2
  Target Logon GUID: -

 Target Server Name: localhost
 Target Server Info: localhost
 Caller Process ID: 2432
 Source Network Address: -
 Source Port: -

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Entry 3 ======================================================

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 1/17/2008
Time: 2:29:15 PM
User: SERVER2\IUSR_SERVER2
Computer: SERVER2
Description:
Successful Network Logon:
  User Name: IUSR_SERVER2
  Domain: SERVER2
  Logon ID: (0x0,0x54E2E6D)
  Logon Type: 8
  Logon Process: Advapi
  Authentication Package: Negotiate
  Workstation Name: SERVER2
  Logon GUID: -
  Caller User Name: encoder
  Caller Domain: SERVER2
  Caller Logon ID: (0x0,0x5337B3B)
  Caller Process ID: 2432
  Transited Services: -
  Source Network Address: -
  Source Port: -

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
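To make Brian's point about impersonation tokens concrete against the three entries mike posted, here is an added example (not code from anyone in this thread): a Python script that parses Event Viewer text exports of the layout shown above and correlates the 552 "explicit credentials" event with the 540 network logon it produced, matching on the caller's Logon ID. The sample records are constructed from the three entries above; the event IDs, field names and indentation are assumed to be those of the Windows Server 2003 Security log as quoted.

```python
"""Correlate Windows Server 2003-era Security audit events (IDs 680, 552, 540,
as quoted in the thread) to show which identity an IIS worker process actually
logged on with before any outbound call to SQL Server.

Added example for this thread, not code posted by any participant. The sample
entries below are constructed from the three log entries mike posted."""
from typing import Dict, List

# Constructed sample in the Event Viewer text-export layout; a record starts at
# each "Event Type:" line and nested fields are indented as in the export.
SAMPLE_LOG = r"""
Event Type: Success Audit
Event Source: Security
Event ID: 680
User: SERVER2\IUSR_SERVER2
Computer: SERVER2
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account: IUSR_SERVER2
 Error Code: 0x0

Event Type: Success Audit
Event Source: Security
Event ID: 552
User: SERVER2\encoder
Computer: SERVER2
Description:
Logon attempt using explicit credentials:
 Logged on user:
  User Name: encoder
  Domain: SERVER2
  Logon ID: (0x0,0x5337B3B)
 User whose credentials were used:
  Target User Name: IUSR_SERVER2
  Target Domain: SERVER2
 Target Server Name: localhost

Event Type: Success Audit
Event Source: Security
Event ID: 540
User: SERVER2\IUSR_SERVER2
Computer: SERVER2
Description:
Successful Network Logon:
  User Name: IUSR_SERVER2
  Domain: SERVER2
  Logon ID: (0x0,0x54E2E6D)
  Logon Type: 8
  Authentication Package: Negotiate
  Caller User Name: encoder
  Caller Domain: SERVER2
  Caller Logon ID: (0x0,0x5337B3B)
"""


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split a text export into one dict per event; "Event Type:" opens a record.
    Section headers with no value ("Logged on user:") are skipped."""
    events: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Event Type:"):
            current = {}
            events.append(current)
        if current is None or ":" not in line or line.startswith("http"):
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if value:
            current[key] = value
    return events


def explicit_credential_chains(events: List[Dict[str, str]]) -> List[dict]:
    """For every 552 (explicit credentials) event, find the 540 network logon it
    produced by matching the 540's Caller Logon ID to the 552's Logon ID."""
    chains = []
    for ev in events:
        if ev.get("Event ID") != "552":
            continue
        caller_logon = ev.get("Logon ID")
        target_user = ev.get("Target User Name")
        chain = {
            "process_identity": f"{ev.get('Domain')}\\{ev.get('User Name')}",
            "process_logon_id": caller_logon,
            "credentials_used_for": f"{ev.get('Target Domain')}\\{target_user}",
            "target_server": ev.get("Target Server Name"),
            "resulting_logon": None,
        }
        for other in events:
            if (other.get("Event ID") == "540"
                    and other.get("Caller Logon ID") == caller_logon
                    and other.get("User Name") == target_user):
                chain["resulting_logon"] = {
                    "logon_id": other.get("Logon ID"),
                    "logon_type": int(other.get("Logon Type", "0")),
                    "package": other.get("Authentication Package"),
                }
        chains.append(chain)
    return chains


def diagnose(chain: dict, computer: str) -> List[str]:
    """Explain, in the terms Brian used, which identity leaves the box."""
    ident = chain["credentials_used_for"]
    lines = [f"Worker process runs as {chain['process_identity']} "
             f"(logon {chain['process_logon_id']})."]
    res = chain["resulting_logon"]
    if res is None:
        lines.append(f"Explicit credentials were supplied for {ident} "
                     "but no matching network logon was found.")
        return lines
    lines.append(f"It obtained a type-{res['logon_type']} logon for {ident} "
                 f"via {res['package']} (logon {res['logon_id']}).")
    lines.append(f"Work done under that token, such as a SQL connection, "
                 f"presents {ident}, not {chain['process_identity']}.")
    if ident.split("\\", 1)[0].upper() == computer.upper():
        lines.append(f"{ident} is a local account of {computer}; a remote SQL "
                     "Server can only honour it by credential matching "
                     "(same name and password there), so confirm this is "
                     "the account you expect it to see.")
    return lines


if __name__ == "__main__":
    for chain in explicit_credential_chains(parse_events(SAMPLE_LOG)):
        print("\n".join(diagnose(chain, "SERVER2")))
```

Run against the three entries, it reports that the encoder worker process obtained a fresh type-8 (NetworkCleartext) logon for SERVER2\IUSR_SERVER2 and that anything executed under that token reaches SQL Server as IUSR_SERVER2, which is the check Brian asks for ("confirm that this is the account that is seen by SQL Server") without needing the SQL box's own audit log.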
