In my previous questions I was asking how to use windows authentication within my application. That is now working, users can login with there account but I have one database access scenario I can't find anything on.
Basically I will have several servers and here is the problem.
On some servers they will have Windows Authentication accounts for the SQL Server database server, so using impersonate their credentials should be used. But I notice its a global setting in the web.config (not per connection) and it one case I want to use the applications (IIS or ASP) Windows Authentication account rather than the users. (Access to my configuration database)
How could I achieve this?
Web Application is ASP.NET MVC hosted on Server 2003/2008 IIS 6/7/7.5 with clients being Windows XP and above. Using SQL Server Express/Standard 2005/2008 mixed.
Impersonation is on a site wide basis, or you can manually turn it on. What you can't do is manually turn it off I'm afraid, nor can it be done via the connection strings.
So basically turn impersonation off, then wrap the database calls when impersonation is needed like so:
using System.Security.Principal;
WindowsIdentity winId = (WindowsIdentity)HttpContext.Current.User.Identity;
WindowsImpersonationContext ctx = null;
try
{
ctx = winId.Impersonate();
// Do your thing
}
catch
{
}
finally
{
if (ctx != null)
ctx.Undo();
}
The MSDN P&P guide to asp.net impersonation has more.
You'll have to set up delegation on your network so that the ASP.NET servers can impersonate users on the Sql server machines. This assumes your servers are on an Active Directory controlled network (not workgroups) and that the sql servers are on different machines than your web servers.
You would configure delegation for those database server machines where you want the users to be impersonated and don't configure it for those server machines that you want the ASP.NET worker process account to be the account accessing the server.
If you can't do this, you can turn off windows/mixed authentication on the Sql Server instances you wish to prevent delegation on, and then manually configure the Sql Server account to connect with in the connection string within web.config.
Use domain controller - so it could propagate same credentials for single user across entire domain.
The second trick for workgroups - create same account of impersonation (with exactly same login and password) on both servers (ASP and SQLServer). Don't forget to grant this permission on SQLServer.
Related
I have two servers, let's say they are APPSVR (ASP.NET) and DBSVR (SQL Server). Currently, the application running smoothly with database connection using SQL Server authentication with User Id and Password.
In the future, it must be changed with Windows Authentication Integrated Security=True. I have tried to change this but can't worked (DB connection failure).
We have domain controller also and both server in the same domain. I am not sure which one that must be configured in our environment (Domain/SQL Server/IIS Manager). What's the right procedure to do this?
Is your asp.net application already running with domain user authentication?
Do you need per user login for SQL server because you set up the
access right on domain user rather than create your own access right
system on your asp.net application?
Why i am asking you this? Because You need to consider the differences between web application and desktop application. In web application, the web server contact the sql server not the user pc.
So this complicate the setup if you want the web server to use the windows authentication to login to sql server then you need to set up the web server to somehow masquerade as the domain users. You also need to consider the scenario if user are accessing the web application from the internet.
I suggest using strong application only password for sql server connection using local user rather than domain Users. For access right you can simply create a new table to store domain user login id and their access right. This set up still allow login to web application using the domain Users but the database connection is not. The Advantage is you can minimize the access to simply few or even one user application only user you need to maintain in sql server rather than every domain Users that need to be registered on sql server if you use windows authentication.
If you still need the Windows Authentication set up than you can see the info here.
We recently had to change over to using Windows Auth instead of a SQL Account to access the DB from our ASP site. The trick is to have the application pool start up with the same domain account you use to access the SQL Server and then you can just change your connection string to use Integrated Security.
The process is shown here:
https://thycotic.force.com/support/s/article/Using-Windows-Authentication-to-access-SQL-Server-Secret-Server
I have an application developed in ASP.NET MVC using Entity Framework / Sql Server 2008
Actually, connections to the database are made with the "sa" account.
Is it possible to use, instead of "sa" the windows final user credentials ?
This would be helpful to control more efficiently the security limitations of each user.
I use, in my application windows authentication.
Thank's !
It is possible but whole your system must run inside windows domain, users must have domain accounts and your system infrastructure must be enabled for Kerberos delegation (belongs to ServerFault). The reason is that you have two hoops in the system - first user authenticates from his client machine to your web server and then web server delegates user credentials to database server. If client computer, web server and database server are different machine Kerberos delegation must be enabled (if db and web runs on the same server you should be fine without Kerberos). Your web application will have to use impersonation and your connection string will have to use windows integrated security.
Also using end user credentials will reduce performance of your system because EF will have to maintain separate connection pool per user. Administrator of SQL server will have to give access for every single user (or user group) using your application.
I've written a simple ASP.NET application that works as a frontend for a simple MSSQL database. The application is accessible over the Internet.
There are two physical servers involved: a WS2008R2 Active Directory domain controller which is also running MSQL Server 2008 R2, and another server, the webserver (WS2008R2/IIS7.5) where my application resides.
The Application Pool for my application "FooPool" has its own AD User identity it runs under "FooUser". FooUser does not have any permission to access the SQL Server database, instead only my own personal user account "MyUser" has that permission.
The idea is that attempts to access this web application first perform Windows Authentication with IIS, my web application then uses Impersonation to access the SQL Server database.
However my application does not work.
I tested the application without it touching SQL Server, just to test impersonation, so I did Response.Write( WindowsIdentity.GetCurrent(false).Name ); which correctly shows the application impersonating MyUser and not acting as FooUser. This works from all modern browsers and across the Internet.
But as soon as it touches MSSQL Server I get the error "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'." but that should not be happening because no user tokens are for Anonymous Logon.
I've done my homework and read all about Delegation and Impersonation in ASP.NET and I have set up delegation: The FooUser account has a Service Principal Name set-up (I set the SPN to an arbitrary string, is that doing it right?) and is marked for delegation in ADUC.
Finally, my connection string has SSPI enabled, Connection pooling disabled, and the network library set to "dbmssocn".
What else am I forgetting?
Finishing the Configuration for Delegation to Work you must enable constrained delegation:
Open Active Directory Users and Computers
Find the user account that the IIS Web site is using for the web application pool and double-click it
Select the option: Trust this user for delegation to specified
services only.
Make sure that the user is constrained to the
SPN associated with the MSSQLSvc service
Restart IIS
http://blogs.technet.com/b/askds/archive/2008/11/25/fun-with-the-kerberos-delegation-web-site.aspx
What I want to do is:
Allow anonymous users to access my ASP .NET site.
Use Windows Authentication for the site to access Sql Server. It will log in to Sql Server with a domain account set aside especially for the site (and preferably do everything under the same account).
Every article on the Web tells you to do this:
<authentication mode="Windows"/>
<identity impersonate="true"/>
in Web.config. However, I gather that this is only if you want users to log in with Windows Authentication. It has nothing to do with the server logging in to SQL Server (except that the combination of the above 2 implies that users' authentication will also be used to connect to the database). Is this correct? Given that my Windows account has access to files on the server and the database which the site is connecting to, this seems hard to test....
It seems that if I:
set the App Pool Identity to the domain account
enable Anonymous Access on the site using the domain account
use a connect string with Windows Authentication
then the site will connect to SQL Server via Windows Authentication. Also, it will use the domain account as long as impersonation is off. Is this correct?
in Web.config. However, I gather that
this is only if you want users to log
in with Windows Authentication. It has
nothing to do with the server logging
in to SQL Server
This is partially true. The impersonated account will be used to logon SQL server if delegation is setup properly. You didn't see this because in most of the environment, delegation needs to be explicitly setup. Delegation is a more powerful form of impersonation and makes it possible for the server process (in your case, IIS process) to access remote resources (in your case, SQL server) while acting as the client. For more information, you can google ASP.NET Delegation. I said it's partially true because in some simple environment, you don't even need any special configuration. The delegation is just working. For example, if you have SQL server running on the same machine as the IIS server. Another case is that you have your IIS server running on an Active Directory domain controller (very rare). In these two cases or on a machine with delegation configured properly, your above statements will be wrong.
It seems that if I:
set the App Pool Identity to the
domain account
enable Anonymous
Access on the site using the domain
account
use a connect string with
Windows Authentication
then the site
will connect to SQL Server via Windows
Authentication. Also, it will use the
domain account as long as
impersonation is off. Is this correct?
Yes, this is correct.
Given that my Windows account has
access to files on the server and the
database which the site is connecting
to, this seems hard to test....
It's easy to test if you have two domain accounts (or one domain account and one local account). Set the App Pool identity to use your DomainAccount1. Grant only DomainAccount1 to have permission to access your database. Access your web app on another machine using another accound (either domain account or local account). Test if the web app can properly access your database.
If I'm following you correctly, you are right; You do not want to use impersonation/authentication to do what you want to do. Set the App Pool identity appropriately, and assure that user account has appropriate access to SQL Server.
Instead of using a Windows Account you can create a separate Sql Login i.e. a username/pwd and use that in the connection string instead.
Best practice says to keep my web app and database on separate machines, but when doing that it seems I can't get a clear explanation on how best to make this connection. Whil windows auth is the recommended authentication, I don't see how to make a trusted connection . Must I use impersonation to have my application connect to a db server?
Are most people simply using SQL authentication in this case?
Both machines are on a virtual cloud network.
If both computers are in the same domain, I'd use Windows Authentication for the SQL connection. To set it up:
Create a domain account to use for the app.
Give the id the absolute minimum priveleges necessary to host the site on the web server. For example, it must have read access to the web site itself, write access only to folders updated by the web site, etc.
Change IIS so that the domain account is used to run the app. In IIS6 & IIS7, you do this through the application pool. In IIS5, you have to change the settings in the machine.config or in the web.config for the ProcessModel.
All calls to the database will be done through this domain account; you won't have to setup impersonation. In fact, if you are using SQL authentication today, the only change you need to make is to the database connection string; no code changes are needed.