How do I allow anonymous access to my IIS site, but use Windows Authentication to connect to SQL Server?

Question

What I want to do is:

• Allow anonymous users to access my ASP .NET site.
• Use Windows Authentication for the site to access Sql Server. It will log in to Sql Server with a domain account set aside especially for the site (and preferably do everything under the same account).

Every article on the Web tells you to do this:

<authentication mode="Windows"/>
<identity impersonate="true"/>

in Web.config. However, I gather that this is only if you want users to log in with Windows Authentication. It has nothing to do with the server logging in to SQL Server (except that the combination of the above 2 implies that users' authentication will also be used to connect to the database). Is this correct? Given that my Windows account has access to files on the server and the database which the site is connecting to, this seems hard to test....

It seems that if I:

• set the App Pool Identity to the domain account
• enable Anonymous Access on the site using the domain account
• use a connect string with Windows Authentication

then the site will connect to SQL Server via Windows Authentication. Also, it will use the domain account as long as impersonation is off. Is this correct?

Answer 1

in Web.config. However, I gather that this is only if you want users to log in with Windows Authentication. It has nothing to do with the server logging in to SQL Server

This is partially true. The impersonated account will be used to logon SQL server if delegation is setup properly. You didn't see this because in most of the environment, delegation needs to be explicitly setup. Delegation is a more powerful form of impersonation and makes it possible for the server process (in your case, IIS process) to access remote resources (in your case, SQL server) while acting as the client. For more information, you can google ASP.NET Delegation. I said it's partially true because in some simple environment, you don't even need any special configuration. The delegation is just working. For example, if you have SQL server running on the same machine as the IIS server. Another case is that you have your IIS server running on an Active Directory domain controller (very rare). In these two cases or on a machine with delegation configured properly, your above statements will be wrong.

It seems that if I:

• set the App Pool Identity to the domain account
• enable Anonymous Access on the site using the domain account
• use a connect string with Windows Authentication

then the site will connect to SQL Server via Windows Authentication. Also, it will use the domain account as long as impersonation is off. Is this correct?

Yes, this is correct.

Given that my Windows account has access to files on the server and the database which the site is connecting to, this seems hard to test....

It's easy to test if you have two domain accounts (or one domain account and one local account). Set the App Pool identity to use your DomainAccount1. Grant only DomainAccount1 to have permission to access your database. Access your web app on another machine using another accound (either domain account or local account). Test if the web app can properly access your database.

Answer 2

If I'm following you correctly, you are right; You do not want to use impersonation/authentication to do what you want to do. Set the App Pool identity appropriately, and assure that user account has appropriate access to SQL Server.

Answer 3

您可以创建单独的Sql登录，即用户名/密码，而不是使用Windows帐户，而是在连接字符串中使用它。