开发者

IIS and SQL Server Windows Authentication in an ASP.NET application

开发者 https://www.devze.com 2023-03-01 16:52 出处:网络
I have setup 3 VMs: (A) Active Directory in Windows 2008 R2. (B) Microsoft SQL Server 2008 Express in Windows XP SP3.

I have setup 3 VMs:

  • (A) Active Directory in Windows 2008 R2.
  • (B) Microsoft SQL Server 2008 Express in Windows XP SP3.
  • (C) IIS 开发者_如何学Cin Windows XP SP3.

Both the SQL Server and IIS are joined in the Domain but the host PC is not. I've also created a domain administrator user with administrator privileges in the SQL Server. I can ping/access all the VMs from each other and from the PC hosting the VMs. I can connect to the SQL Server VM using Windows Authentication in SQL Server Management Studio inside the IIS VM with no problem.

I created a very simple application in ASP.Net application hosted in the IIS VM that opens a database connection in the SQL Server VM. I've set the web site to authenticate via Windows Authentication only. Here is my connection string:

Server=DATABASE;Database=HAP;Trusted_Connection=True;

Here is code:

SqlConnection connection = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString);

using(connection) {
    connection.Open();
}

I've also set "Trust this computer for delegation to any service (Kerberos Only)" in AD for the IIS VM.

It throws "Login failed. The login is from an untrusted domain and cannot be used with Windows authentication." exception. If I change the connection string to this:

Server=DATABASE;Database=HAP;User ID=sa;Password=connectsql;

the application works fine.

I really need it to authenticate via Windows Authentication and not via SQL Server Authentication.

Note: IIS prompts the user for his Windows credentials.


It's unclear to me whether you intend the application to authenticate as the logged in use, or whether you simply want to have the asp.net worker process be authenticated via AD.

If you want the user to authenticate with their account, then you need to set "imperasonate=true" in the web config. This will have performance ramifications, but that may be ok.

If you just want to authenticate via the worker process, then you need to set the identity of the worker process to a domain account.

0

精彩评论

暂无评论...
验证码 换一张
取 消