开发者

Impersonated process will not log on to Oracle with Windows Authentication

开发者 https://www.devze.com 2022-12-20 01:34 出处:网络
I am running a asp .net web service on IIS7. The latter is running on a Windows 2008 R2 Server. IIS7/the web service is configured for asp .net imperson开发者_开发问答ation. The worker process owner i

I am running a asp .net web service on IIS7. The latter is running on a Windows 2008 R2 Server. IIS7/the web service is configured for asp .net imperson开发者_开发问答ation. The worker process owner is set to NETWORK SERVICE.

The web service invokes sqlplus.exe impersonated with his/her domain account on the server. I can see that through the task manager. However, when sqlplus is started, oracle says the username/password is wrong.

sqlplus.exe is started like this: sqlplu.exe / . This works great if I manually log on the server with the user account and type the statement above, everything works great


I believe you're running into the "double hop" issue here.

Your first hop is using impersonation from the client's computer to the web server. The second hop is from the web server to your database server, where you're attempting to pass those same credentials along to the database.

When you manually log on and run the sqlplus statement, it's only a single hop from the web server to the database server.

The following is quoted from MSDN. Notice the recommendation to use basic authentication from the client to the web server.

The double-hop issue occurs when the ASPX page attempts to use resources located on a server that is different from the IIS server. In our case, the first "hop" is from the web browser client to the IIS ASPX page; the second hop is to Active Directory. Active Directory requires a primary token. Therefore, the IIS server must know the password for the client to pass a primary token to Active Directory. If the IIS server has a secondary token, the NTAUTHORITY\ANONYMOUS account credentials are used. This account is not a domain account and has very limited access to Active Directory.

The double-hop using a secondary token occurs, for example, when the browser client is authenticated to the IIS ASPX page by using NTLM authentication. In this example, the IIS server has a hashed version of the password as a result of using NTLM. If IIS turns around and passes the credentials to Active Directory, IIS is passing a hashed password. Active Directory cannot verify the password so it uses NTAUTHORITY\ANONYMOUS LOGON for authentication.

If your browser client uses Basic authentication to authenticate to the IIS ASPX page, the IIS server has the client password and can make a primary token to pass to Active Directory. Active Directory can verify the password and authenticate the domain user.

http://msdn.microsoft.com/en-us/library/ms817871.aspx

0

精彩评论

暂无评论...
验证码 换一张
取 消