3

I have set up 3 VMs:

  • (A) Active Directory in Windows 2008 R2.
  • (B) Microsoft SQL Server 2008 Express in Windows XP SP3.
  • (C) IIS in Windows XP SP3.

Both the SQL Server and IIS VMs are joined to the domain, but the host PC is not. I've also created a domain administrator user with administrator privileges in the SQL Server. I can ping/access all the VMs from each other and from the PC hosting the VMs. I can connect to the SQL Server VM using Windows Authentication in SQL Server Management Studio inside the IIS VM with no problem.

I created a very simple ASP.NET application hosted in the IIS VM that opens a database connection to the SQL Server VM. I've set the web site to authenticate via Windows Authentication only. Here is my connection string:

Server=DATABASE;Database=HAP;Trusted_Connection=True;

Here is the code:

SqlConnection connection = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString);

using(connection) {
    connection.Open();
}

I've also set "Trust this computer for delegation to any service (Kerberos Only)" in AD for the IIS VM.

It throws a "Login failed. The login is from an untrusted domain and cannot be used with Windows authentication." exception. If I change the connection string to this:

Server=DATABASE;Database=HAP;User ID=sa;Password=connectsql;

the application works fine.

I really need it to authenticate via Windows Authentication and not via SQL Server Authentication.

Note: IIS prompts the user for his Windows credentials.

1 Answer

1

It's unclear to me whether you intend the application to authenticate as the logged-in user, or whether you simply want to have the ASP.NET worker process be authenticated via AD.

If you want the user to authenticate with their account, then you need to set "impersonate=true" in the web config. This will have performance ramifications, but that may be OK.

If you just want to authenticate via the worker process, then you need to set the identity of the worker process to a domain account.


4 Comments

I want the user to authenticate with their account. I tried setting <identity impersonate="true" /> but a different exception is thrown: Login failed for user 'NT AUTHORITY\ANONYMOUS'. What else am I missing?
@acemate433s - You have anonymous login turned on. In IIS Manager, right click on the site (or application name) and click on the Directory Security tab, then click Edit in Anonymous access and authentication control. Uncheck Anonymous access, and click basic authentication, then make sure the default domain is the default (or type your full domain name). You also have to make sure the users are a member of a group that has file permissions to read the files in the site, and the users have to have "log on locally" permission to the IIS server. Finally, using XP there is a 10 simultaneous user limit.
That worked! However I want to use Windows Authentication in IIS instead of Basic Authentication. What settings do I have to change?
You are using Windows authentication. What you're seeing there is "integrated" authentication, and that only works on an intranet where the clients are connected to the domain (which you said they weren't).
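
An added diagnostic, not part of the original thread: a C# helper that reports which identity exists at each hop (browser to IIS, IIS to SQL Server), which is what the impersonation and Basic/Integrated settings discussed above change. The class name `DoubleHopProbe` and its method are hypothetical, and reading `sys.dm_exec_connections` assumes the arriving login has VIEW SERVER STATE.

```csharp
using System.Data.SqlClient;
using System.Security.Principal;
using System.Text;
using System.Web;

// Hypothetical helper (name and shape are assumptions, not from the thread).
public static class DoubleHopProbe
{
    // Reports which identity exists at each hop: browser -> IIS -> SQL Server.
    public static string Describe(string connectionString)
    {
        StringBuilder report = new StringBuilder();
        // Hop 1: the user IIS authenticated and the scheme it used.
        IPrincipal user = HttpContext.Current.User;
        if (user == null || !user.Identity.IsAuthenticated)
            report.AppendLine("IIS caller: anonymous (no user token to impersonate)");
        else
            report.AppendLine("IIS caller: " + user.Identity.Name +
                              " via " + user.Identity.AuthenticationType);
        // The Windows token this thread runs under. With impersonate="true"
        // it should be the caller rather than the worker-process account.
        using (WindowsIdentity thread = WindowsIdentity.GetCurrent())
            report.AppendLine("Thread token: " + thread.Name +
                              ", level " + thread.ImpersonationLevel);
        // Hop 2: ask SQL Server which login arrived and how it authenticated.
        // Reading sys.dm_exec_connections requires VIEW SERVER STATE.
        const string sql = "SELECT SUSER_SNAME(), auth_scheme " +
                           "FROM sys.dm_exec_connections WHERE session_id = @@SPID";
        try
        {
            using (SqlConnection connection = new SqlConnection(connectionString))
            using (SqlCommand command = new SqlCommand(sql, connection))
            {
                connection.Open();
                using (SqlDataReader reader = command.ExecuteReader())
                {
                    if (reader.Read())
                        report.AppendLine("SQL login: " + reader.GetString(0) +
                                          " via " + reader.GetString(1));
                }
            }
        }
        catch (SqlException ex)
        {
            report.AppendLine("SQL hop failed: " + ex.Message);
        }
        return report.ToString();
    }
}
```

Call it from a page in the site with the existing `Trusted_Connection=True` connection string, and HTML-encode the result before writing it to the response.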
