开发者

ASP.NET, IIS security setup Windows Auth and SQL Server Access

开发者 https://www.devze.com 2023-02-10 11:26 出处:网络
I\'m having trouble configuring my ASP.NET web.config and my 开发者_开发技巧IIS web site to get the setup I want.Here\'s what I want at the end of the day:

I'm having trouble configuring my ASP.NET web.config and my 开发者_开发技巧IIS web site to get the setup I want. Here's what I want at the end of the day:

  • The application connects to SQL Server using a particular NT ID
  • The NT ID used to connect to SQL Server is not in the web.config. Or at least its password isn't.
  • I can use HttpContext.Current.User.Identity.Name (or some other means) to get the NT ID of the real user that is connecting to the application.

If I setup an ASP.NET 3.5 in Visual Studio 2008, this basically is all working locally. But when I deploy to IIS, I can get the first two bullets successfully, but I can't get the third bullet. Identity.Name is null. The way I have it deployed right now is impersonation is set to true in the web.config, and IIS has anonymous access enabled with the anonymous user set to the NT ID I want to connect to the SQL Server.

The connection string I'm using to connect to SQL Server looks like this:

Server=[My Server];Database=[My DB];Trusted_Connection=Yes;

I have tried setting authorization to which was suggested in other posts, but that just makes Internet Explorer pop up a login box.

This is a Windows Server 2003 box running IIS 6.0.

This may very well be a stupid question, and/or duplicate question. But I've done a lot of searching and trial and error and I can't seem to get the magic settings.


By default, the machine\ASPNET account or the NETWORK_SERVICE account, depending on the version of IIS you are using (I'm not sure if IIS 7 is using NETWORK_SERVICE but 6 did). If you want a different account, the impersonation is applied on the configuration file (both user name and password) to run the account as. Now you can encrypt this part of the config section using the aspnet_regiis utility. But you have to supply an account. I don't think you can get away without this that I know of... unless maybe it can be done through IIS.

HTH.


This is called the Double-Hop Problem and prohibits the forwarding of user's credentials to third parties. This occurs when they browse from one machine, against a site on another (first hop), and forwarding the credentials to a third machine (second hop).

The problem will not appear if you host IIS and SQL Server on the same machine.

There's alot more technical details published on this at How to use the System.DirectoryServices namespace in ASP.NET, which explains the double-hop issue, and primary and secondary tokens.

0

精彩评论

暂无评论...
验证码 换一张
取 消