1
votes

I have an ASP.NET (4.0) site accessed using Windows Authentication & Impersonation only (Anonymous disabled).

The SQL Server connection is done with SSPI, and with the user identity of the application pool, not with the Windows domain user of the logged-in and Windows-authenticated user.

Everything works fine when the website is accessed locally from the IIS Web Server.

When accessed from a remote PC, even when using the same domain user, it fails.

And all servers are on the same domain.... Any ideas?

Thanks

1
I'm confused, you are saying two different things. You say you're using Windows Authentication and Impersonation. Impersonation causes the worker process to run as the identity of the logged-in user, which also causes the connection to the database to be the logged-in user if using an SSPI connection because the App pool identity is the logged-in user. But then you say you're not... how exactly are you doing those two mutually exclusive things? - Erik Funkenbusch
@ErikFunkenbusch you are right. Turns out the user I was testing with was the one used for the SQL Server as well. Do you know of any way possible to have Windows Authentication and Impersonation for the Web Server processing, yet connect to SQL Server with a different Active Directory user? - Gabriel
Why do you need to impersonate the user? - Erik Funkenbusch
Because we also access some files on the disk from the web app, and the client has the users organized in active directory groups, some having access to some files while others not - Gabriel
There are other ways to access the files, for instance you could check their AD permissions in your code and compare them to the AD permissions of the file (all files would have to have the worker processes access as well). - Erik Funkenbusch

1 Answer

2
votes

This is a "double-hop" issue, which is where the server is not being trusted to pass the client's credentials on to another box (hop 1 is the credentials to the IIS box, hop 2 is from the IIS box to the SQL Server). It works when running directly on the server but does not work when accessing from a remote PC. More here and here

Depending on requirements you might need Windows Authentication but not impersonation on SQL Server. Impersonation on SQL Server means that for every user you need to have an account/permissions in the database. If this is not the case and you only need a secure authentication (without hardcoding username and password in web.config) then you can do the following:

  • make IIS not impersonate
  • set pool to use Network Service account
  • create a login account in your db server with domainName\WebServerMachineName$ and grant rights

More in How To: Connect to SQL Server Using Windows Authentication in ASP.NET 2.0

If you still need impersonation then do the following:

Ensure your Application server is set as Trusted for Delegation. Ensure in IIS that Anonymous Authentication is disabled and Windows Authentication is enabled; if using Windows 2008, enable ASP.Net Impersonation also. If using Windows 2008 and your app pool is running under Network Service then go to Advanced settings of Windows Authentication and turn Kernel Mode off. Set yourDomain\yourAppServer$ to have read access to the ASP.Net application folder. [Source]
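The SQL Server side of the "no impersonation, app pool runs as Network Service" option in the answer above, as an added example that is not part of the original answer. The domain CONTOSO, web server name WEBSRV01 and database AppDb are placeholder assumptions, not values from the page.

```sql
-- Added example (not from the original answer): grant the IIS machine account
-- access to SQL Server so the site authenticates with SSPI and no password
-- is stored in web.config. Placeholders: CONTOSO (domain), WEBSRV01 (web
-- server), AppDb (database). Run as a sysadmin on the SQL Server instance.

-- 1. A Windows login for the web server's machine account. When the app pool
--    runs as Network Service it reaches the network as DOMAIN\MACHINE$, so
--    this is the principal the SSPI connection presents (hop 1 only, no
--    delegation needed).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\WEBSRV01$')
    CREATE LOGIN [CONTOSO\WEBSRV01$] FROM WINDOWS WITH DEFAULT_DATABASE = [AppDb];
GO

USE [AppDb];
GO

-- 2. Map the login to a database user and grant only what the site needs
--    (least privilege: fixed database roles here, not sysadmin/db_owner).
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\WEBSRV01$')
    CREATE USER [CONTOSO\WEBSRV01$] FOR LOGIN [CONTOSO\WEBSRV01$];
GO

ALTER ROLE db_datareader ADD MEMBER [CONTOSO\WEBSRV01$];
ALTER ROLE db_datawriter ADD MEMBER [CONTOSO\WEBSRV01$];
-- On SQL Server 2008 R2 and earlier use:
-- EXEC sp_addrolemember 'db_datareader', 'CONTOSO\WEBSRV01$';
GO

-- 3. Verification: run this through the web application (connection string
--    "Data Source=sqlhost;Initial Catalog=AppDb;Integrated Security=SSPI").
--    The result should be the machine account, not an interactive user;
--    if it shows a user name, impersonation is still on in IIS.
SELECT SUSER_SNAME() AS connected_as, ORIGINAL_LOGIN() AS original_login;
```

Because the login is the machine account, the same query from a remote client that gets a login failure for `NT AUTHORITY\ANONYMOUS LOGON` is the classic sign that impersonation is still enabled and the double hop is failing.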