Gabriel

Reputation: 635

ASP.NET site fails when accessed remotely, 'NT AUTHORITY\ANONYMOUS LOGON'. Accessing SQL Server with domain user of the App Pool

I have an ASP.NET (4.0) site accessed using Windows Authentication & Impersonation only (Anonymous disabled).

The SQL Server connection is done with SSPI, and with the user identity of the Application Pool, not with the Windows domain user of the logged-in, Windows-authenticated user.

Everything works fine when the website is accessed locally from the IIS Web Server.

When accessed from a remote PC, even when using the same domain user, it fails.

And all servers are on the same domain.... Any ideas?

Thanks

Upvotes: 1

Views: 3568

Answers (1)

user2316116

Reputation: 6824

This is a "double-hop" issue, which is where the server is not being trusted to pass the client's credentials on to another box (hop 1 is the credentials to the IIS box, hop 2 is from the IIS box to the SQL Server). It works when running directly on the server but does not work when accessing from a remote PC. More here and here.

Depending on requirements, you might need Windows Authentication but not the impersonation on SQL Server. Impersonation on SQL Server means that for every user you need to have an account/permissions in the database. If this is not the case and you only need secure authentication (without hardcoding username and password in web.config), then you can do the following:

  • make IIS not impersonate
  • set pool to use Network Service account
  • create a login account in your db server with domainName\WebServerMachineName$ and grant rights

More in How To: Connect to SQL Server Using Windows Authentication in ASP.NET 2.0

If you still need impersonation, then do:

Ensure your Application server is set as Trusted for Delegation. Ensure in IIS that Anonymous Authentication is disabled and Windows Authentication is enabled; if using Windows 2008, enable ASP.Net Impersonation also. If using Windows 2008 and your app pool is running under Network Service, then go to Advanced settings of Windows Authentication and turn Kernel Mode off. Set yourDomain\yourAppServer$ to have read access to the ASP.Net application folder. [Source]

Upvotes: 2
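
The database side of the first option in the answer above (no impersonation, app pool running as Network Service), as T-SQL. This is an added example, not part of the original answer; the domain, web server, database and role names are placeholders, and the granted rights are an assumption to adjust to what the site actually needs.

```sql
-- Placeholders (assumptions, not from the original post):
--   CONTOSO\WEBSRV01$ = machine account of the IIS server
--   AppDb             = the application's database
--   app_web           = database role holding the site's rights

USE [master];
GO
-- An app pool running as Network Service authenticates over the network
-- as the web server's machine account, so that account needs a login.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\WEBSRV01$')
    CREATE LOGIN [CONTOSO\WEBSRV01$] FROM WINDOWS;
GO

USE [AppDb];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CONTOSO\WEBSRV01$')
    CREATE USER [CONTOSO\WEBSRV01$] FOR LOGIN [CONTOSO\WEBSRV01$];
GO

-- Grant rights through a role rather than db_owner, so the web tier
-- holds only what it needs. Extend the GRANT list as required.
IF DATABASE_PRINCIPAL_ID(N'app_web') IS NULL
    CREATE ROLE [app_web];
GO
GRANT SELECT, EXECUTE ON SCHEMA::[dbo] TO [app_web];
-- ALTER ROLE ... ADD MEMBER needs SQL Server 2012 or later;
-- on older versions use sp_addrolemember instead.
ALTER ROLE [app_web] ADD MEMBER [CONTOSO\WEBSRV01$];
GO

-- Check, while a remote client is browsing the site: sessions from the
-- web server should show the machine account as login_name, not the
-- browsing user and not a failed 'NT AUTHORITY\ANONYMOUS LOGON'.
SELECT s.session_id,
       s.login_name,
       s.original_login_name,
       s.host_name,
       c.auth_scheme          -- KERBEROS, NTLM or SQL
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
  ON c.session_id = s.session_id
WHERE s.host_name = N'WEBSRV01';
```

If the check still shows per-user logins or the anonymous-logon failure persists, impersonation is still active in the site's configuration and the connection is again attempting the second hop.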
