
asp.net sql connection problem

Author
18 Apr 2006 7:48 AM
param
Hi all,

I have a production environment where I have a 2-node SQL 2005 Cluster
running on boxes which are part of a domain "MyCompany". I have set up a
domain user account called "netasp" and then given it permissions to the
database. I then set up a new App Pool in IIS on my Web Server (not part of
domain, can access SQL server via TCP) with identity set up to a local
account called "netasp" with the same password as the domain user account. I
then set up my website under this App Pool and tried my app. For some reason
it will not connect. This works in a development environment where my web &
sql are on the same box (non cluster environment). How do I go about getting
this to work? For security reasons, my web servers cannot be part of the
domain.

TIA!

Author
18 Apr 2006 12:08 PM
Paul Clement
On Tue, 18 Apr 2006 02:48:39 -0500, <param@community.nospam> wrote:

¤ Hi all,
¤
¤ I have a production environment where I have a 2-node SQL 2005 Cluster
¤ running on boxes which are part of a domain "MyCompany". I have setup a
¤ domain user account called "netasp" and then given it permissions to the
¤ database. I then setup a new App Pool in IIS on my Web Server (not part of
¤ domain, can access SQL server via TCP) with identity setup to a local
¤ account called "netasp" with the same password as the domain user account. I
¤ then setup my website under this App Pool and tried my app. For some reason
¤ it will not connect. This works in a development environment where my web &
¤ sql is on the same box (non cluster environment). How do I go about getting
¤ this to work? For security reasons, my web servers cannot be part of the
¤ domain.
¤

Are your web app and database connection configured for Windows integrated security? If so you
probably have a delegation issue.


Paul
~~~~
Microsoft MVP (Visual Basic)
Author
18 Apr 2006 12:38 PM
param
My web app actually uses forms authentication by authenticating against the
database. I have heard of cases where people got this to work. I just need
some guidance/help in getting it to work.

TIA!

"Paul Clement" <UseAdddressAtEndofMess***@swspectrum.com> wrote in message
news:dhl942hp9ifa1gncs1aokpfdqn2s2d1tjp@4ax.com...
> On Tue, 18 Apr 2006 02:48:39 -0500, <param@community.nospam> wrote:
>
> ¤ Hi all,
> ¤
> ¤ I have a production environment where I have a 2-node SQL 2005 Cluster
> ¤ running on boxes which are part of a domain "MyCompany". I have setup a
> ¤ domain user account called "netasp" and then given it permissions to the
> ¤ database. I then setup a new App Pool in IIS on my Web Server (not part
> of
> ¤ domain, can access SQL server via TCP) with identity setup to a local
> ¤ account called "netasp" with the same password as the domain user
> account. I
> ¤ then setup my website under this App Pool and tried my app. For some
> reason
> ¤ it will not connect. This works in a development environment where my
> web &
> ¤ sql is on the same box (non cluster environment). How do I go about
> getting
> ¤ this to work? For security reasons, my web servers cannot be part of the
> ¤ domain.
> ¤
>
> Is your web app and database connection configured for Windows integrated
> security? If so you
> probably have a delegation issue.
>
>
> Paul
> ~~~~
> Microsoft MVP (Visual Basic)
Author
18 Apr 2006 2:42 PM
Marina Levit [MVP]
The problem is that you gave permissions to the domain account, but you
are running it as a local account.  The remote SQL Server doesn't know about
your local 'netasp', it only knows about the domain one.  I'm not sure you
can 'fool' the SQL server into thinking that the local machine account of the
remote web server is the same thing as the domain account it knows about. I
think you'd have to make your web server part of the domain, and run it
under the domain account. That, or just use username/password for the
sql server authentication instead of integrated.

<param@community.nospam> wrote in message
news:ODwLDyrYGHA.4652@TK2MSFTNGP04.phx.gbl...
> Hi all,
>
> I have a production environment where I have a 2-node SQL 2005 Cluster
> running on boxes which are part of a domain "MyCompany". I have setup a
> domain user account called "netasp" and then given it permissions to the
> database. I then setup a new App Pool in IIS on my Web Server (not part of
> domain, can access SQL server via TCP) with identity setup to a local
> account called "netasp" with the same password as the domain user account.
> I then setup my website under this App Pool and tried my app. For some
> reason it will not connect. This works in a development environment where
> my web & sql is on the same box (non cluster environment). How do I go
> about getting this to work? For security reasons, my web servers cannot be
> part of the domain.
>
> TIA!
>
Author
18 Apr 2006 2:53 PM
param
I would love to use SQL Auth, but the beauty of windows auth is I don't have
to specify the username/pwd in the config file. Is there no way at all to
get this to work? Does MS recommend putting your Web Servers in the same
domain as the SQL? Our security consultant told us never to do that. Leave
the Web in the DMZ.

TIA!

"Marina Levit [MVP]" <someone@nospam.com> wrote in message
news:eOeZGZvYGHA.3848@TK2MSFTNGP05.phx.gbl...
> The problem is that you gave permissions to the domain account, but you
> running it as a local account.  The remote SQL Server doesn't know about
> your local 'netasp', it only knows about the domain one.  I'm not sure you
> can 'fool' the SQL server in thinking that the local machine account of
> the remote web server is the same thing as the domain account it knows
> about. I think you'd have to make your web server part of the domain, and
> run it under the domain account. That, or just use username/password for
> the the sql server authentication instead of integrated.
>
> <param@community.nospam> wrote in message
> news:ODwLDyrYGHA.4652@TK2MSFTNGP04.phx.gbl...
>> Hi all,
>>
>> I have a production environment where I have a 2-node SQL 2005 Cluster
>> running on boxes which are part of a domain "MyCompany". I have setup a
>> domain user account called "netasp" and then given it permissions to the
>> database. I then setup a new App Pool in IIS on my Web Server (not part
>> of domain, can access SQL server via TCP) with identity setup to a local
>> account called "netasp" with the same password as the domain user
>> account. I then setup my website under this App Pool and tried my app.
>> For some reason it will not connect. This works in a development
>> environment where my web & sql is on the same box (non cluster
>> environment). How do I go about getting this to work? For security
>> reasons, my web servers cannot be part of the domain.
>>
>> TIA!
>>
>
>
Author
18 Apr 2006 5:15 PM
Marina Levit [MVP]
I can't say I have complete knowledge of windows security, but I don't know
how to get this to work, although there could be a way.

First off, if someone gets access to your web server, you could argue that
they will get access to the sql server through windows authentication if
they really try anyway - so it will be the same as if they saw the
username/password in the config file.

As far as storing the username/password in the config file (or elsewhere in
a different file, even outside your virtual directory), you could encrypt
the connection information to provide an extra level of security.

<param@community.nospam> wrote in message
news:uYxROfvYGHA.3532@TK2MSFTNGP05.phx.gbl...
>I would love to use SQL Auth, but the beauty of windows auth is I dont have
>to specify the username/pwd in the config file. Is there no way at all to
>get this to work? Does MS recommend putting your Web Servers in the same
>domain as the SQL? Our security consultant told us never to do that. Leave
>the Web in the DMZ..
>
> TIA!
>
> "Marina Levit [MVP]" <someone@nospam.com> wrote in message
> news:eOeZGZvYGHA.3848@TK2MSFTNGP05.phx.gbl...
>> The problem is that you gave permissions to the domain account, but you
>> running it as a local account.  The remote SQL Server doesn't know about
>> your local 'netasp', it only knows about the domain one.  I'm not sure
>> you can 'fool' the SQL server in thinking that the local machine account
>> of the remote web server is the same thing as the domain account it knows
>> about. I think you'd have to make your web server part of the domain, and
>> run it under the domain account. That, or just use username/password for
>> the the sql server authentication instead of integrated.
>>
>> <param@community.nospam> wrote in message
>> news:ODwLDyrYGHA.4652@TK2MSFTNGP04.phx.gbl...
>>> Hi all,
>>>
>>> I have a production environment where I have a 2-node SQL 2005 Cluster
>>> running on boxes which are part of a domain "MyCompany". I have setup a
>>> domain user account called "netasp" and then given it permissions to the
>>> database. I then setup a new App Pool in IIS on my Web Server (not part
>>> of domain, can access SQL server via TCP) with identity setup to a local
>>> account called "netasp" with the same password as the domain user
>>> account. I then setup my website under this App Pool and tried my app.
>>> For some reason it will not connect. This works in a development
>>> environment where my web & sql is on the same box (non cluster
>>> environment). How do I go about getting this to work? For security
>>> reasons, my web servers cannot be part of the domain.
>>>
>>> TIA!
>>>
>>
>>
>
>
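
The suggestion above to encrypt the connection information, sketched with ASP.NET 2.0 protected configuration. This is an added example, not code from any poster in the thread; the class and method names are hypothetical, and the application's virtual path is passed in by the caller.

```csharp
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Web.Configuration;

// Added example (hypothetical helper, not from the thread).
public static class ConnectionStringProtector
{
    // DPAPI-based provider shipped with .NET 2.0. The protection is tied to
    // this machine, so the encrypted web.config cannot be decrypted on another box.
    public const string Provider = "DataProtectionConfigurationProvider";

    // Lists connection strings that carry a SQL login password while the
    // <connectionStrings> section is still stored in clear text.
    public static List<string> FindPlaintextPasswords(string appVirtualPath)
    {
        List<string> names = new List<string>();
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConnectionStringsSection section =
            config.GetSection("connectionStrings") as ConnectionStringsSection;
        if (section == null || section.SectionInformation.IsProtected)
            return names;

        foreach (ConnectionStringSettings s in section.ConnectionStrings)
        {
            SqlConnectionStringBuilder csb;
            try { csb = new SqlConnectionStringBuilder(s.ConnectionString); }
            catch (System.ArgumentException) { continue; } // not a SqlClient string

            // Integrated security strings hold no secret; SQL auth strings do.
            if (!csb.IntegratedSecurity && csb.Password.Length > 0)
                names.Add(s.Name);
        }
        return names;
    }

    // Encrypts <connectionStrings> in place. Returns false if the section is
    // missing or already protected. Run once at deployment under an account
    // that may write web.config; the app pool identity only needs to read it.
    public static bool Protect(string appVirtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null || section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Application code is unchanged: the runtime decrypts the section
    // transparently when the connection string is read.
    public static string Get(string name)
    {
        ConnectionStringSettings s = ConfigurationManager.ConnectionStrings[name];
        return s == null ? null : s.ConnectionString;
    }
}
```

Because decryption is transparent to code running on the web server, this protects the file at rest (backups, stray copies, read-only disclosure of web.config) rather than against someone who can already run code on that server, which matches the caveat in the post above.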
Author
18 Apr 2006 5:43 PM
Paul Clement
On Tue, 18 Apr 2006 09:53:06 -0500, <param@community.nospam> wrote:

¤ I would love to use SQL Auth, but the beauty of windows auth is I dont have
¤ to specify the username/pwd in the config file. Is there no way at all to
¤ get this to work? Does MS recommend putting your Web Servers in the same
¤ domain as the SQL? Our security consultant told us never to do that. Leave
¤ the Web in the DMZ..
¤

See if the following helps:

How To: Use Forms Authentication with Active Directory in Multiple Domains in ASP.NET 2.0
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000021.asp


Paul
~~~~
Microsoft MVP (Visual Basic)
Author
18 Apr 2006 7:02 PM
param
I guess I need to clarify. I do not wish to use Active Directory in any way
to authenticate my web application users. They will be authenticated off
tables in SQL Server. The problem I am having is making the Asp.Net Web
Application connect to and authenticate against the SQL Server using a
standard specified Windows account. Is there a way to do it when the SQL
server is in a domain environment and the Web Servers are in a Workgroup
environment? I have tried SQL Auth and it works fine.

TIA!

"Paul Clement" <UseAdddressAtEndofMess***@swspectrum.com> wrote in message
news:rh8a4218grgi70ba3tef4td7n80lmcrus5@4ax.com...
> On Tue, 18 Apr 2006 09:53:06 -0500, <param@community.nospam> wrote:
>
> ¤ I would love to use SQL Auth, but the beauty of windows auth is I dont
> have
> ¤ to specify the username/pwd in the config file. Is there no way at all
> to
> ¤ get this to work? Does MS recommend putting your Web Servers in the same
> ¤ domain as the SQL? Our security consultant told us never to do that.
> Leave
> ¤ the Web in the DMZ..
> ¤
>
> See if the following helps:
>
> How To: Use Forms Authentication with Active Directory in Multiple Domains
> in ASP.NET 2.0
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000021.asp
>
>
> Paul
> ~~~~
> Microsoft MVP (Visual Basic)
Author
18 Apr 2006 8:28 PM
Tom Kaminski [MVP]
<param@community.nospam> wrote in message
news:uWbzbqxYGHA.1580@TK2MSFTNGP02.phx.gbl...
>I guess, I need to clarify. I do not wish to use Active Directory in anyway
>to authenticate my web application users. They will be authenticated off
>tables in SQL Server. The problem I am having is making the Asp.Net Web
>Application connect to and authenticate against the SQL Server using a
>standard specified Windows account. Is there a way to do it when the SQL
>server is in a domain environment and the Web Server are in a Workgroup
>environment. I have tried SQL Auth and it works fine.

Right - how do you expect to use Windows Auth if both machines are not in a
domain?


Author
19 Apr 2006 2:47 PM
Paul Clement
On Tue, 18 Apr 2006 14:02:13 -0500, <param@community.nospam> wrote:

¤ I guess, I need to clarify. I do not wish to use Active Directory in anyway
¤ to authenticate my web application users. They will be authenticated off
¤ tables in SQL Server. The problem I am having is making the Asp.Net Web
¤ Application connect to and authenticate against the SQL Server using a
¤ standard specified Windows account. Is there a way to do it when the SQL
¤ server is in a domain environment and the Web Server are in a Workgroup
¤ environment. I have tried SQL Auth and it works fine.
¤

The bottom line is that there must be a delegation of credentials between the two systems if you
plan on using Windows Integrated Security with SQL Server. I'm fairly certain that you understand
that.

What I would do is create a local account on the web server and specify that as the anonymous
account in IIS under which your application executes. I would then create a local account with the
same exact credentials (sam account ID and password) on the SQL Server box in the other domain and
provide the necessary permissions for this account under SQL Server. This is essentially what Dan
described in his post.

Since I wouldn't be completely familiar with your configuration, I can't be certain what other
tweaks might be involved in order to get this to work.


Paul
~~~~
Microsoft MVP (Visual Basic)
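
A way to check what the matching-local-accounts setup described above actually presents to SQL Server, as an added diagnostic that is not code from any poster in the thread. The class name is hypothetical, the server and database names are supplied by the caller, and the hint texts are the typical meanings of those error numbers rather than a definitive diagnosis.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Text;

// Added example (hypothetical helper). Call Probe() from a test page running
// in the application pool under test, then remove the page again.
public static class SqlIdentityProbe
{
    public static string Probe(string server, string database)
    {
        StringBuilder report = new StringBuilder();

        // The account the worker process runs as (or impersonates); this is
        // what integrated security will offer to SQL Server.
        report.AppendLine("Web-side identity : " + WindowsIdentity.GetCurrent().Name);

        SqlConnectionStringBuilder csb = new SqlConnectionStringBuilder();
        csb.DataSource = server;
        csb.InitialCatalog = database;
        csb.IntegratedSecurity = true;   // no user name or password in the string
        csb.ConnectTimeout = 10;

        try
        {
            using (SqlConnection conn = new SqlConnection(csb.ConnectionString))
            {
                conn.Open();

                // The login SQL Server mapped the Windows credentials to.
                report.AppendLine("SQL-side login    : " +
                    Scalar(conn, "SELECT SUSER_SNAME()"));
                try
                {
                    // NTLM, KERBEROS or SQL (SQL Server 2005 and later).
                    report.AppendLine("Auth scheme       : " + Scalar(conn,
                        "SELECT auth_scheme FROM sys.dm_exec_connections " +
                        "WHERE session_id = @@SPID"));
                }
                catch (SqlException)
                {
                    // A low-privilege application login normally lacks this right.
                    report.AppendLine("Auth scheme       : (needs VIEW SERVER STATE)");
                }
            }
        }
        catch (SqlException ex)
        {
            report.AppendLine("Connect failed    : " + ex.Number + " " + ex.Message);
            report.AppendLine("Hint              : " + Hint(ex.Number));
        }
        return report.ToString();
    }

    private static string Scalar(SqlConnection conn, string sql)
    {
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            return Convert.ToString(cmd.ExecuteScalar());
        }
    }

    private static string Hint(int number)
    {
        switch (number)
        {
            case 18452:
                return "Windows credentials were not accepted as a trusted login " +
                       "(account unknown to the SQL Server machine, or password mismatch).";
            case 18456:
                return "The account authenticated but has no usable SQL Server " +
                       "login, or access was denied; check the server's login list.";
            default:
                return "Not an authentication error; check network path, instance " +
                       "name and whether remote connections are enabled.";
        }
    }
}
```

Comparing the web-side identity with the SQL-side login, or with the account named in the failure message and the SQL Server error log, shows whether the account being presented is the one that was granted permissions.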
Author
19 Apr 2006 3:29 PM
Daniel Crichton
Paul wrote  on Wed, 19 Apr 2006 09:47:36 -0500:

> On Tue, 18 Apr 2006 14:02:13 -0500, <param@community.nospam> wrote:
>
> ¤ I guess, I need to clarify. I do not wish to use Active Directory in
> anyway ¤ to authenticate my web application users. They will be
> authenticated off ¤ tables in SQL Server. The problem I am having is
> making the Asp.Net Web ¤ Application connect to and authenticate against
> the SQL Server using a ¤ standard specified Windows account. Is there a
> way to do it when the SQL ¤ server is in a domain environment and the Web
> Server are in a Workgroup ¤ environment. I have tried SQL Auth and it
> works fine. ¤
>
> The bottom line is that there must be a delegation of credentials between
> the two systems if you plan on using Windows Integrated Security with SQL
> Server. I'm fairly certain that you understand that.
>
> What I would do is create a local account on the web server and specify
> that as the anonymous account in IIS under which your application
> executes. I would then create a local account with the same exact
> credentials (sam account ID and password) on the SQL Server box in the
> other domain and provide the necessary permissions for this account under
> SQL Server. This is essentially what Dan described in his post.
>
> Since I wouldn't be completely familiar with your configuration, I can't
> be certain what other tweaks might be involved in order to get this to
> work.
>
> Paul
> ~~~~
> Microsoft MVP (Visual Basic)

Yep, it's as simple as doing that, at least as far as IIS is concerned.
Whether this delegates to ASP.NET correctly I can't say.

Dan
Author
19 Apr 2006 7:03 PM
Paul Clement
On Wed, 19 Apr 2006 16:29:53 +0100, "Daniel Crichton" <msn***@worldofspack.co.uk> wrote:

¤ Paul wrote  on Wed, 19 Apr 2006 09:47:36 -0500:
¤
¤ > On Tue, 18 Apr 2006 14:02:13 -0500, <param@community.nospam> wrote:
¤ >
¤ > ¤ I guess, I need to clarify. I do not wish to use Active Directory in
¤ > anyway ¤ to authenticate my web application users. They will be
¤ > authenticated off ¤ tables in SQL Server. The problem I am having is
¤ > making the Asp.Net Web ¤ Application connect to and authenticate against
¤ > the SQL Server using a ¤ standard specified Windows account. Is there a
¤ > way to do it when the SQL ¤ server is in a domain environment and the Web
¤ > Server are in a Workgroup ¤ environment. I have tried SQL Auth and it
¤ > works fine. ¤
¤ >
¤ > The bottom line is that there must be a delegation of credentials between
¤ > the two systems if you plan on using Windows Integrated Security with SQL
¤ > Server. I'm fairly certain that you understand that.
¤ >
¤ > What I would do is create a local account on the web server and specify
¤ > that as the anonymous account in IIS under which your application
¤ > executes. I would then create a local account with the same exact
¤ > credentials (sam account ID and password) on the SQL Server box in the
¤ > other domain and provide the necessary permissions for this account under
¤ > SQL Server. This is essentially what Dan described in his post.
¤ >
¤ > Since I wouldn't be completely familiar with your configuration, I can't
¤ > be certain what other tweaks might be involved in order to get this to
¤ > work.
¤ >
¤ > Paul
¤ > ~~~~
¤ > Microsoft MVP (Visual Basic)
¤
¤ Yep, it's as simple as doing that, at least as far as IIS is concerned.
¤ Whether this delegates to ASP.NET correctly I can't say.
¤
¤ Dan
¤

It does, however I've never attempted this across domains or in a clustered SQL Server environment
and I'm not sure what other security barriers may exist in his environment.


Paul
~~~~
Microsoft MVP (Visual Basic)
Author
20 Apr 2006 10:34 AM
Daniel Crichton
Paul wrote  on Wed, 19 Apr 2006 14:03:26 -0500:

> On Wed, 19 Apr 2006 16:29:53 +0100, "Daniel Crichton"
> <msn***@worldofspack.co.uk>
> wrote:
>
> ¤ Paul wrote  on Wed, 19 Apr 2006 09:47:36 -0500:
> ¤
> ¤ > On Tue, 18 Apr 2006 14:02:13 -0500, <param@community.nospam> wrote:
> ¤ >
> ¤ > ¤ I guess, I need to clarify. I do not wish to use Active Directory in
> ¤ > anyway ¤ to authenticate my web application users. They will be
> ¤ > authenticated off ¤ tables in SQL Server. The problem I am having is
> ¤ > making the Asp.Net Web ¤ Application connect to and authenticate
> against ¤ > the SQL Server using a ¤ standard specified Windows account.
> Is there a ¤ > way to do it when the SQL ¤ server is in a domain
> environment and the Web ¤ > Server are in a Workgroup ¤ environment. I
> have tried SQL Auth and it ¤ > works fine. ¤
> ¤ >
> ¤ > The bottom line is that there must be a delegation of credentials
> between ¤ > the two systems if you plan on using Windows Integrated
> Security with SQL ¤ > Server. I'm fairly certain that you understand that.
> ¤ >
> ¤ > What I would do is create a local account on the web server and
> specify ¤ > that as the anonymous account in IIS under which your
> application ¤ > executes. I would then create a local account with the
> same exact ¤ > credentials (sam account ID and password) on the SQL Server
> box in the ¤ > other domain and provide the necessary permissions for this
> account under ¤ > SQL Server. This is essentially what Dan described in
> his post. ¤ >
> ¤ > Since I wouldn't be completely familiar with your configuration, I
> can't ¤ > be certain what other tweaks might be involved in order to get
> this to ¤ > work.
> ¤ >
> ¤ > Paul
> ¤ > ~~~~
> ¤ > Microsoft MVP (Visual Basic)
> ¤
> ¤ Yep, it's as simple as doing that, at least as far as IIS is concerned.
> ¤ Whether this delegates to ASP.NET correctly I can't say.
> ¤
> ¤ Dan
> ¤
>
> It does, however I've never attempted this across domains or in a
> clustered SQL Server environment and I'm not sure what other security
> barriers may exist in his environment.
>
> Paul
> ~~~~
> Microsoft MVP (Visual Basic)

That's a good point. Re-reading the original post the account configuration
appears correct for this to work, but obviously it's not.

Surface Area Configuration needs to be run in SQL Server 2005 to allow
connections from "remote" machines, that could be the reason for it not
working if that hasn't been done - it will allow connections from the local
machine, but nowhere else.

Dan
Author
21 Apr 2006 4:52 AM
param
When you say Surface Area Config has to be run? It appears that is
configured correctly, because SQL Authentication is working right?

TIA!

"Daniel Crichton" <msn***@worldofspack.co.uk> wrote in message
news:uXuIHYGZGHA.4920@TK2MSFTNGP02.phx.gbl...
> Paul wrote  on Wed, 19 Apr 2006 14:03:26 -0500:
>
>> On Wed, 19 Apr 2006 16:29:53 +0100, "Daniel Crichton"
>> <msn***@worldofspack.co.uk>
>> wrote:
>>
>> ¤ Paul wrote  on Wed, 19 Apr 2006 09:47:36 -0500:
>> ¤
>> ¤ > On Tue, 18 Apr 2006 14:02:13 -0500, <param@community.nospam> wrote:
>> ¤ >
>> ¤ > ¤ I guess, I need to clarify. I do not wish to use Active Directory
>> in
>> ¤ > anyway ¤ to authenticate my web application users. They will be
>> ¤ > authenticated off ¤ tables in SQL Server. The problem I am having is
>> ¤ > making the Asp.Net Web ¤ Application connect to and authenticate
>> against ¤ > the SQL Server using a ¤ standard specified Windows account.
>> Is there a ¤ > way to do it when the SQL ¤ server is in a domain
>> environment and the Web ¤ > Server are in a Workgroup ¤ environment. I
>> have tried SQL Auth and it ¤ > works fine. ¤
>> ¤ >
>> ¤ > The bottom line is that there must be a delegation of credentials
>> between ¤ > the two systems if you plan on using Windows Integrated
>> Security with SQL ¤ > Server. I'm fairly certain that you understand
>> that.
>> ¤ >
>> ¤ > What I would do is create a local account on the web server and
>> specify ¤ > that as the anonymous account in IIS under which your
>> application ¤ > executes. I would then create a local account with the
>> same exact ¤ > credentials (sam account ID and password) on the SQL
>> Server
>> box in the ¤ > other domain and provide the necessary permissions for
>> this
>> account under ¤ > SQL Server. This is essentially what Dan described in
>> his post. ¤ >
>> ¤ > Since I wouldn't be completely familiar with your configuration, I
>> can't ¤ > be certain what other tweaks might be involved in order to get
>> this to ¤ > work.
>> ¤ >
>> ¤ > Paul
>> ¤ > ~~~~
>> ¤ > Microsoft MVP (Visual Basic)
>> ¤
>> ¤ Yep, it's as simple as doing that, at least as far as IIS is concerned.
>> ¤ Whether this delegates to ASP.NET correctly I can't say.
>> ¤
>> ¤ Dan
>> ¤
>>
>> It does, however I've never attempted this across domains or in a
>> clustered SQL Server environment and I'm not sure what other security
>> barriers may exist in his environment.
>>
>> Paul
>> ~~~~
>> Microsoft MVP (Visual Basic)
>
> That's a good point. Re-reading the original post the account
> configuration appears correct for this to work, but obviously it's not.
>
> Surface Area Configuration needs to be run in SQL Server 2005 to allow
> connections from "remote" machines, that could be the reason for it not
> working if that hasn't been done - it will allow connections from the
> local machine, but nowhere else.
>
> Dan
>
Author
21 Apr 2006 8:02 AM
Daniel Crichton
I missed your reply saying SQL Auth is working. I'm guessing then that the
clustering is the issue, as I haven't had a problem running SQL in Windows
Auth mode on a different server to IIS while not using a domain.

Dan

param@community.nospam wrote  on Thu, 20 Apr 2006 23:52:17 -0500:

> When you say Surface Area Config has to be run? It appears that is
> configured correctly, because SQL Authentication is working right?
>
> TIA!
>
> "Daniel Crichton" <msn***@worldofspack.co.uk> wrote in message news:uXuIHYGZGHA.4920@TK2MSFTNGP02.phx.gbl...
>> Paul wrote  on Wed, 19 Apr 2006 14:03:26 -0500:
>>
>>> On Wed, 19 Apr 2006 16:29:53 +0100, "Daniel Crichton"
>>> <msn***@worldofspack.co.uk>
>>> wrote:
>>>
>>> ¤ Paul wrote  on Wed, 19 Apr 2006 09:47:36 -0500:
>>> ¤
>>> ¤ > On Tue, 18 Apr 2006 14:02:13 -0500, <param@community.nospam> wrote:
>>> ¤ >
>>> ¤ > ¤ I guess, I need to clarify. I do not wish to use Active Directory
>>> in
>>> ¤ > anyway ¤ to authenticate my web application users. They will be
>>> ¤ > authenticated off ¤ tables in SQL Server. The problem I am having is
>>> ¤ > making the Asp.Net Web ¤ Application connect to and authenticate
>>> against ¤ > the SQL Server using a ¤ standard specified Windows account.
>>> Is there a ¤ > way to do it when the SQL ¤ server is in a domain
>>> environment and the Web ¤ > Server are in a Workgroup ¤ environment. I
>>> have tried SQL Auth and it ¤ > works fine. ¤
>>> ¤ >
>>> ¤ > The bottom line is that there must be a delegation of credentials
>>> between ¤ > the two systems if you plan on using Windows Integrated
>>> Security with SQL ¤ > Server. I'm fairly certain that you understand
>>> that.
>>> ¤ >
>>> ¤ > What I would do is create a local account on the web server and
>>> specify ¤ > that as the anonymous account in IIS under which your
>>> application ¤ > executes. I would then create a local account with the
>>> same exact ¤ > credentials (sam account ID and password) on the SQL
>>> Server
>>> box in the ¤ > other domain and provide the necessary permissions for
>>> this
>>> account under ¤ > SQL Server. This is essentially what Dan described in
>>> his post. ¤ >
>>> ¤ > Since I wouldn't be completely familiar with your configuration, I
>>> can't ¤ > be certain what other tweaks might be involved in order to get
>>> this to ¤ > work.
>>> ¤ >
>>> ¤ > Paul
>>> ¤ > ~~~~
>>> ¤ > Microsoft MVP (Visual Basic)
>>> ¤
>>> ¤ Yep, it's as simple as doing that, at least as far as IIS is
>>> concerned. ¤ Whether this delegates to ASP.NET correctly I can't say. ¤
>>> ¤ Dan ¤
>>>
>>> It does, however I've never attempted this across domains or in a
>>> clustered SQL Server environment and I'm not sure what other security
>>> barriers may exist in his environment.
>>>
>>> Paul
>>> ~~~~
>>> Microsoft MVP (Visual Basic)
>>
>> That's a good point. Re-reading the original post the account
>> configuration appears correct for this to work, but obviously it's not.
>>
>> Surface Area Configuration needs to be run in SQL Server 2005 to allow
>> connections from "remote" machines, that could be the reason for it not
>> working if that hasn't been done - it will allow connections from the
>> local machine, but nowhere else.
>>
>> Dan
>>
Author
21 Apr 2006 4:50 AM
param
Well here is the trick. The SQL Server is a cluster. If I setup an account
local to SQL1, then how would it work when SQL2 takes over? Or do I just
duplicate that local account on SQL2 as well?

TIA!

"Paul Clement" <UseAdddressAtEndofMess***@swspectrum.com> wrote in message
news:3dic42doter27fe68okjlrc2j35cp042fv@4ax.com...
> On Tue, 18 Apr 2006 14:02:13 -0500, <param@community.nospam> wrote:
>
> ¤ I guess, I need to clarify. I do not wish to use Active Directory in
> anyway
> ¤ to authenticate my web application users. They will be authenticated off
> ¤ tables in SQL Server. The problem I am having is making the Asp.Net Web
> ¤ Application connect to and authenticate against the SQL Server using a
> ¤ standard specified Windows account. Is there a way to do it when the SQL
> ¤ server is in a domain environment and the Web Server are in a Workgroup
> ¤ environment. I have tried SQL Auth and it works fine.
> ¤
>
> The bottom line is that there must be a delegation of credentials between
> the two systems if you
> plan on using Windows Integrated Security with SQL Server. I'm fairly
> certain that you understand
> that.
>
> What I would do is create a local account on the web server and specify
> that as the anonymous
> account in IIS under which your application executes. I would then create
> a local account with the
> same exact credentials (sam account ID and password) on the SQL Server box
> in the other domain and
> provide the necessary permissions for this account under SQL Server. This
> is essentially what Dan
> described in his post.
>
> Since I wouldn't be completely familiar with your configuration, I can't
> be certain what other
> tweaks might be involved in order to get this to work.
>
>
> Paul
> ~~~~
> Microsoft MVP (Visual Basic)
Author
19 Apr 2006 11:37 AM
Daniel Crichton
Marina wrote  on Tue, 18 Apr 2006 10:42:07 -0400:

> The problem is that you gave permissions to the domain account, but you
> running it as a local account.  The remote SQL Server doesn't know about
> your local 'netasp', it only knows about the domain one.  I'm not sure you
> can 'fool' the SQL server in thinking that the local machine account of
> the remote web server is the same thing as the domain account it knows
> about. I think you'd have to make your web server part of the domain, and
> run it under the domain account. That, or just use username/password for
> the the sql server authentication instead of integrated.

By using the same login name and password on both machines it should work -
certainly does here where I have an IIS server running sites under local
accounts that match credentials on a SQL server machine and they login fine,
both servers are configured to run in the same workgroup (no domains running
in my DMZ). I am however doing this using ASP and via ODBC and OLE DB
connections, so it could be that something is different in the way ASP.NET
passes credentials around.

Dan
