
Double hop IIS to SQL Server authentication works locally, doesn't work remotely

A question about double hop authentication browser -> IIS (ASP.NET WebForms app) -> SQL Server.

I have a WebForms website with Web.config as follows:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <configSections>
        <sectionGroup name="devExpress">
          ...some DevExpress settings here...
        </sectionGroup>
      </configSections>
      <connectionStrings>
        <add name="ConnStringName" connectionString="Data Source=SERVER_NAME;Initial Catalog=DB_NAME;Trusted_Connection=Yes;Integrated Security=SSPI;Persist Security Info=False;Connect Timeout=0" providerName="System.Data.SqlClient" />
      </connectionStrings>
      <system.web>
        <identity impersonate="true" />
        ...
        <authentication mode="Windows" />
        <authorization>
          <deny users="?" />
        </authorization>
        ...
        <httpRuntime maxRequestLength="4096" requestValidationMode="4.0" executionTimeout="110" targetFramework="4.5.2" />
        <pages validateRequest="true" clientIDMode="Predictable">
        ...
        </pages>
        <sessionState mode="InProc" timeout="60"></sessionState>
      </system.web>
      <system.webServer>
        <defaultDocument>
          <files>
            <clear />
            <add value="Default.aspx" />
          </files>
        </defaultDocument>
        ...
        <validation validateIntegratedModeConfiguration="false" />
        ...
      </system.webServer>
    </configuration>

I need it to work like this: when any user in the domain opens the site in a browser, the ASP.NET Web Forms application runs under that user's Windows credentials. Then the same credentials must be used to authenticate the database calls the ASP.NET app makes through the SqlConnection class.

For clarity: SQL Server is configured to use Windows authentication. Users that must have access to the app and the DB are members of a specific AD group. That group is listed in the DB's Security - Logins list with data_reader and data_writer permissions (and they can also execute stored procs).

The most interesting part is how it actually behaves:
#1. When I open a browser on the server that IIS is on and type http://localhost:port/ - it works as expected.
#2. When I open a browser on my PC and type http://server-name:port/ - it throws an error while opening the SqlConnection:

System.Data.SqlClient.SqlException
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

In both cases, Context.User.Identity.Name and WindowsIdentity.GetCurrent().Name are correct.

Why do these two scenarios give different results? How can I make #2 work like #1?

Since this is a double-hop authentication scenario you must enable Kerberos Constrained Delegation. See e.g. Setting up Kerberos Authentication for a Website in IIS.
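A diagnostic that makes the difference between scenario #1 and #2 visible from inside the app, written here as an added example (it is not code from the question or the answer). It is a code-behind for an assumed page named Diag.aspx, protected by the same `<authorization>` rules as the rest of the site, and reuses the `ConnStringName` connection string from the Web.config above. It reports how IIS authenticated the caller (`AuthenticationType`: Kerberos or NTLM), what the impersonation token is allowed to do (`ImpersonationLevel`: a second hop needs `Delegation`), and what SQL Server itself sees for the current session; when delegation is missing, the SQL call fails with the same `NT AUTHORITY\ANONYMOUS LOGON` error from the question, and the error number is captured so it can be logged.

```csharp
// Diag.aspx.cs (assumed page name) - added diagnostic, not part of the original site.
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Text;
using System.Web.UI;

public partial class Diag : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        Response.ContentType = "text/plain";
        Response.Write(DescribeSecondHop("ConnStringName"));
    }

    // Reports the impersonated identity, its token capabilities, and the
    // outcome of the second hop to SQL Server. With NTLM, or with Kerberos
    // but no delegation configured for the app pool account, the token is
    // only good for Impersonation on the web server; SQL Server then receives
    // no credential and the connection is seen as ANONYMOUS LOGON.
    public static string DescribeSecondHop(string connectionStringName)
    {
        var sb = new StringBuilder();
        WindowsIdentity id = WindowsIdentity.GetCurrent();

        sb.AppendLine("Impersonated user : " + id.Name);
        sb.AppendLine("Auth type         : " + id.AuthenticationType);   // "Kerberos" or "NTLM"
        sb.AppendLine("Impersonation lvl : " + id.ImpersonationLevel);   // Delegation is needed for hop 2

        string cs = ConfigurationManager.ConnectionStrings[connectionStringName].ConnectionString;
        try
        {
            using (var conn = new SqlConnection(cs))
            using (var cmd = new SqlCommand(
                "SELECT SUSER_SNAME() AS login, auth_scheme " +
                "FROM sys.dm_exec_connections WHERE session_id = @@SPID", conn))
            {
                conn.Open();
                // Reading sys.dm_exec_connections may require VIEW SERVER STATE
                // for the login; grant it to the AD group if this query alone fails.
                using (SqlDataReader r = cmd.ExecuteReader())
                {
                    if (r.Read())
                    {
                        sb.AppendLine("SQL login         : " + r["login"]);
                        sb.AppendLine("SQL auth_scheme   : " + r["auth_scheme"]); // KERBEROS on a working double hop
                    }
                }
            }
        }
        catch (SqlException ex)
        {
            // Error 18456 is "Login failed for user ..."; when the user is
            // NT AUTHORITY\ANONYMOUS LOGON, no credential reached SQL Server.
            sb.AppendLine("SQL connect failed: error " + ex.Number + " - " + ex.Message);
        }
        return sb.ToString();
    }
}
```

Open the page once from a browser on the IIS server and once from a remote PC and compare the two outputs: the identity name matches in both (as the question observes), but the impersonation level and the SQL auth_scheme line are what differ. After Kerberos Constrained Delegation is configured for the app pool account with the SQL Server SPN, the remote request should show Kerberos, Delegation, and KERBEROS on all three lines.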
