 Windows Authentication with IIS and SQL Server


foxprorawks
Starting Member

17 Posts

Posted - 2005-09-15 : 05:12:47
Hi,

We are changing our web application to use Windows Authentication instead of SQL Server Authentication.

Initially, we added the IUSR_MACHINENAME user to SQL Server. This works ok when SQL Server and IIS are both running on the same server.

However, this won't work if SQL Server and IIS are on different servers on the same domain.

After doing a lot of research on the internet, it seemed that the answer was to create a user on the domain and use that user in IIS as the anonymous user (and give that user the relevant rights on SQL Server).

However, I've seen other comments in articles on the internet saying "Running any web service as a domain user is ill-advised".

We are using ASP rather than ASP.NET. What is the correct (and most secure) way to go about this?

Best

Matt.

derrickleggett
Pointy Haired Yak DBA

4184 Posts

Posted - 2005-09-15 : 23:53:05
There are a few ways. The easiest is to use a domain user.

Another way is to create a local user on both servers with the exact same password. You will need to enable the user for delegation in the local security policy. I would also recommend restricting the user from logging in locally, since this user should be used as a service account only. You also need to go to Component Services and make sure you have Distributed COM enabled and the TCP/IP protocol for distributed transactions.

If this is Windows 2003, you need to go to the MSDTC tab in Component Services and select the Network DTC Access box. Under Network DTC Access, click on Network Transactions. Make sure the DTC Logon Account is set to NT Authority\Network Service. You will have to reboot the server for changes to take effect.

If you want more information on the last outlined choice, look at http://support.microsoft.com/default.aspx?scid=kb;en-us;329332

MeanOldDBA
derrickleggett@hotmail.com

When life gives you a lemon, fire the DBA.
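
For the domain-user option discussed in this thread, the sketch below shows one way to keep that account's rights on SQL Server to a minimum. It is an added example, not part of the original posts. It assumes SQL Server 2005 or later syntax; the account `CONTOSO\svc_webanon`, the database `WebAppDb`, the role `web_app_exec` and an existing `app` schema holding the application's stored procedures are all placeholders.

```sql
-- Added example. All names are placeholders, not values from the thread.
-- The classic ASP connection string then carries no credentials, e.g.
--   Provider=SQLOLEDB;Data Source=<sql-server>;Initial Catalog=WebAppDb;Integrated Security=SSPI

USE master;
GO
-- Windows login for the domain account IIS uses as its anonymous user.
-- SQL Server stores no password for it; the domain authenticates the account.
CREATE LOGIN [CONTOSO\svc_webanon] FROM WINDOWS
    WITH DEFAULT_DATABASE = WebAppDb;
GO

USE WebAppDb;
GO
-- Map the login into the one database the application needs.
CREATE USER svc_webanon FOR LOGIN [CONTOSO\svc_webanon];
CREATE ROLE web_app_exec;
EXEC sp_addrolemember N'web_app_exec', N'svc_webanon';

-- Allow stored procedures in the app schema only; block direct table access.
-- Procedures owned by the same owner as the tables still work through
-- ownership chaining, so the DENY does not break the application.
GRANT EXECUTE ON SCHEMA::app TO web_app_exec;
DENY SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO web_app_exec;
GO

-- Check 1: the account should be a member of no server roles (expect no rows).
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = N'CONTOSO\svc_webanon';

-- Check 2: database permissions should be CONNECT plus the GRANT/DENY above.
SELECT pr.name, pe.state_desc, pe.permission_name, pe.class_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
    ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name IN (N'svc_webanon', N'web_app_exec');
```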