Dakhath

Reputation: 103

Windows Authentication not working with ASP.NET webpage

I'm trying to hit my intranet website and get it to run a simple SQL query as the Windows user I'm logged in as.

When I debug through Visual Studio, everything works great. When I hit the web server, though, I get an error from SqlConnection saying, "ERROR:Login failed for user 'YOUR_DOMAIN\YOUR_WEBSERVER_NAME'."

Request.ServerVariables[AUTH_USER]: YOUR_DOMAIN\UserBob 
System.Security.Principal.WindowsIdentity.GetCurrent().Name: NT AUTHORITY\NETWORK SERVICE
Page.User.Identity.Name: YOUR_DOMAIN\UserBob
System.Threading.Thread.CurrentPrincipal.Identity.Name: YOUR_DOMAIN\UserBob

So how do I get the SQL query to execute under UserBob?

Here's my setup:

  <system.web>
    <compilation debug="true" targetFramework="4.0"/>
    <authentication mode="Windows"/>
    <identity impersonate="true"/>
    <customErrors mode="Off"/>
  </system.web>

Webserver is a Win 2008 server with IIS7, Windows Authentication on, Anon Auth off.

Code is simply:

// Namespaces needed: System.Configuration, System.Data, System.Data.SqlClient
// Show which identity each API reports for this request.
Response.Write("Request.ServerVariables[AUTH_USER]: " + Request.ServerVariables["AUTH_USER"].ToString());
Response.Write("<br>System.Security.Principal.WindowsIdentity.GetCurrent().Name: " + System.Security.Principal.WindowsIdentity.GetCurrent().Name);
Response.Write("<br>Page.User.Identity.Name: " + Page.User.Identity.Name);
Response.Write("<br>System.Threading.Thread.CurrentPrincipal.Identity.Name: " + System.Threading.Thread.CurrentPrincipal.Identity.Name);

// using blocks close the connection and reader even if the call throws.
using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["CarbonDB"].ConnectionString))
{
    conn.Open();

    using (SqlCommand sqlcom = new SqlCommand("dbo.runsomething", conn))
    {
        sqlcom.CommandType = CommandType.StoredProcedure;
        using (SqlDataReader sqlDataReader = sqlcom.ExecuteReader())
        {
            // Results are not read in this test page.
        }
    }
}

Upvotes: 1

Views: 1932

Answers (2)

Erick T

Reputation: 7459

Is the SQL Server on a different machine than the web server?

If so, the issue you are running into is related to Kerberos Delegation. Basically, your web server doesn't have the permission/ability to impersonate the end user to another server.

Try this link for more information on delegation.

Be aware that this isn't trivial, and requires assistance from a network admin, as it involves making changes to your Active Directory environment.

If possible, use a service account (such as Network Service) to access the SQL Server.

Erick

Upvotes: 1

jordanbtucker

Reputation: 6098

Is the site using Integrated or Classic pipeline mode? In IIS7, check the Basic Settings of the website, click Connect As... and make sure that Application user (pass-through authentication) is checked.

Upvotes: 0
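
A diagnostic for the two causes raised in the answers above, as an added example that is not part of the question or either answer: it reports whether the request thread is actually impersonating the authenticated user, whether that token is delegation-level (needed for the hop to a remote SQL Server), and which login SQL Server sees. `DoubleHopCheck` and its method names are hypothetical; `CarbonDB` is the connection string name from the question and is assumed to use integrated security.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Principal;

// Added diagnostic; DoubleHopCheck and its method names are hypothetical.
public static class DoubleHopCheck
{
    // authenticatedUser: what IIS authenticated, e.g. Page.User.Identity.Name.
    public static string DescribeToken(string authenticatedUser)
    {
        // GetCurrent() returns the thread token when impersonating,
        // otherwise the worker process token.
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            bool impersonating = string.Equals(id.Name, authenticatedUser,
                StringComparison.OrdinalIgnoreCase);
            // Only a Delegation-level token can be presented to a second
            // server; an Impersonation-level token is valid on this host only.
            bool canHop = impersonating &&
                id.ImpersonationLevel == TokenImpersonationLevel.Delegation;
            return string.Format(
                "thread={0}; auth={1}; level={2}; impersonating={3}; remoteHop={4}",
                id.Name, id.AuthenticationType, id.ImpersonationLevel,
                impersonating, canHop);
        }
    }

    // Returns the login SQL Server sees for this thread, or the connection error.
    public static string DescribeSqlLogin(string connectionStringName)
    {
        string cs = ConfigurationManager
            .ConnectionStrings[connectionStringName].ConnectionString;
        try
        {
            using (var conn = new SqlConnection(cs))
            using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
            {
                conn.Open();
                return "SQL login: " + (string)cmd.ExecuteScalar();
            }
        }
        catch (SqlException ex)
        {
            return "SQL connect failed: " + ex.Message;
        }
    }
}
```

Write the results of `DoubleHopCheck.DescribeToken(Page.User.Identity.Name)` and `DoubleHopCheck.DescribeSqlLogin("CarbonDB")` to the page. `impersonating=False` points at the impersonation and pipeline settings on the web server, while `impersonating=True` with `remoteHop=False` points at delegation.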
