[thelist] IIS & OLEDB

Ken Schaefer ken at adOpenStatic.com
Sat Jan 3 00:46:21 CST 2004


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "Joel D Canfield" <joel at spinhead.com>
Subject: RE: [thelist] IIS & OLEDB


: > I've got an intranet page that connects to my SQL server, and I'm trying
: > to force it to use NT Authentication when it does.
: >
: > <snippage />
: >
: > Microsoft OLE DB Provider for SQL Server error '80040e4d'
: >
: > Login failed for user 'IUSR_COMPUTERNAME'.
: >
: > Why isn't it passing MY user id?  Why is it trying to use the anonymous
: > IUSR id?
:
:
: 'cause NT authentication doesn't actually know your username and
: password when it talks to the SQL server.
:
: Huh?
:
: Okay, when you log into the intranet, your machine knows your auth info
: just long enough to verify it with the domain. After that, while it
: knows you're authenticated, it *doesn't store* your auth info. So, when
: you try to touch other domain resources, that resource asks for your
: auth info, and your machine says, "I dunno, but he's authorized. Trust
: me." The other machine doesn't accept that answer. It wants a real
: username and password.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In addition to Joel's comments:

You can get this to work (using Integrated Windows Authentication via
Kerberos) *if* the IIS box, the SQL Server box and the Domain are all
Windows 2000 or Windows Server 2003, by enabling delegation. If you have a
Windows 2000 Domain, you can only use unconstrained delegation. If you have
a 2003 functional-level domain, you can use constrained delegation, which is
more "secure".

Otherwise, your options are limited to using an authentication scheme where
the user token received by the webserver from the DC has permissions to
log on to network resources. Basic is one. IIRC Digest Authentication on
Windows 2003 Servers will also work.

Cheers
Ken

Microsoft MVP - Windows Server (IIS)
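
Added example (not part of Ken's message or the original thread): one way to audit which accounts are trusted for unconstrained versus constrained delegation, using the userAccountControl and msDS-AllowedToDelegateTo attributes from an Active Directory export. The account names, host names and SPNs are constructed sample data, and the policy that a web server should delegate only to MSSQLSvc/ SPNs is an assumption for this scenario.

```python
# Added illustration; the records in SAMPLE are constructed, not real directory data.

# userAccountControl bits as documented for Active Directory
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained, with protocol transition

def classify(account):
    """Return (kind, allowed_spns) for one exported account record."""
    uac = account["userAccountControl"]
    spns = account.get("msDS-AllowedToDelegateTo", [])
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained", []
    if spns and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained-any-protocol", spns
    if spns:
        return "constrained-kerberos-only", spns
    return "none", []

def audit(accounts, allowed_prefix="MSSQLSvc/"):
    """List accounts whose delegation is broader than the assumed policy."""
    findings = []
    for acct in accounts:
        kind, spns = classify(acct)
        name = acct["sAMAccountName"]
        is_dc = bool(acct["userAccountControl"] & SERVER_TRUST_ACCOUNT)
        if kind == "unconstrained" and not is_dc:  # DCs carry this flag by default
            findings.append((name, "unconstrained delegation"))
        # SPN comparison is case-insensitive
        extra = [s for s in spns if not s.lower().startswith(allowed_prefix.lower())]
        if extra:
            findings.append((name, "delegates beyond SQL Server: " + ", ".join(extra)))
    return findings

SQL_SPN = "MSSQLSvc/sql01.example.test:1433"  # constructed SPN
SAMPLE = [  # constructed computer accounts
    {"sAMAccountName": "DC01$", "userAccountControl": 0x2000 | 0x80000},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x1000 | 0x80000},
    {"sAMAccountName": "WEB02$", "userAccountControl": 0x1000,
     "msDS-AllowedToDelegateTo": [SQL_SPN]},
    {"sAMAccountName": "WEB03$", "userAccountControl": 0x1000 | 0x1000000,
     "msDS-AllowedToDelegateTo": [SQL_SPN, "cifs/files01.example.test"]},
]

if __name__ == "__main__":
    for name, issue in audit(SAMPLE):
        print(f"{name}: {issue}")
```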


