September 4, 2003 at 9:44 am
Greetings.
I have two servers in my DMZ. A SQL server and IIS server.
I want IIS to use NT Auth to connect to SQL.
When trying to add a user account to SQL (IISServer\UserAccount) it gives an error (Error 15401: Windows NT user or group 'IISServer\UserAccount' not found. Check the name again.)
There is no PDC or AD in the DMZ, all the servers sit on a plain old work group.
What am I missing?
Am I just being stupid?
Cheers,
Crispin
Cheers,CrispinI can't die, there are too many people who still have to meet me!It's not a bug, SQL just misunderstood me!
September 4, 2003 at 9:56 am
quote:
What am I missing?Am I just being stupid?
why are you at the office right now?
I thought you leave at 4 PM !!
Did the bride confuses you that much?
Explanation for the others:
Crappy is one of those guys I mail with ?!?
He knows what I'm talking about!
Frank
--
Frank Kalis
Microsoft SQL Server MVP
Webmaster: http://www.insidesql.org/blogs
My blog: http://www.insidesql.org/blogs/frankkalis/[/url]
September 4, 2003 at 11:13 am
IISServer\UserAccount is a local account to the IIS server only.
Steven
September 4, 2003 at 12:00 pm
Steven is right. This KB article explains in more detail what's going on.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;247931
Basically, you have no trust established between IIS and SQL Server (this would normally be handled by a domain). Since the IIS server is in the DMZ, you wouldn't want a domain that connects to anything inside your firewall. I also need to point out that if you are using a Windows account that is local to a server (not a domain account), it won't be trusted, either. That's what's happening here, and would happen even if both servers were in a domain together.
Which brings me to my next point... unless you have people directly accessing the SQL Server from the outside, get the SQL Server back behind your firewall and work with your firewall admin to open up the right ports.
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
K. Brian Kelley
@kbriankelley
September 4, 2003 at 10:29 pm
Frank, some times I work... 🙂
Brian:
What you are saying makes sense. I'll go read the KB article now.
However, why would you say move the SQL box back into the domain?
Assume the IIS box gets nailed, they can nail the SQL box (It's blind to the world) via the IIS box. Or am I wrong here?
My reasoning was if this happens and the SQL box is inside my domain, they could now have free rein on my domain.
Ideally I would like another zone which is separate from DMZ and from my domain with restricted access between them. I asked "my" firewall admin to open the ports and I said ok 🙂 I am the admin. 🙁
Is my way of doing it wrong?
Cheers,
Crispin
Cheers,CrispinI can't die, there are too many people who still have to meet me!It's not a bug, SQL just misunderstood me!
September 5, 2003 at 12:21 am
I didn't say move the SQL Server box into the domain, but I would move it out of the DMZ. If it's not sitting in the DMZ, you can set up rules by which the IIS box can access SQL Server (say only using the TCP port SQL Server listens on). You simply block all other access through the firewall to that SQL Server.
That means the only way in to SQL Server from the outside would be by compromising the web server. But then an attacker will only get the privileges you've given the web server account. Lock down that account's privileges as much as possible (for instance, don't make the account a sysadmin and if possible eliminate db_owner, db_securityadmin, or db_ddladmin and things like that) then even if the web server is compromised, the SQL Server isn't. Granted the particular database might be, but the server as a whole is not.
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
K. Brian Kelley
@kbriankelley
September 5, 2003 at 12:28 am
Just found this... it may help. It's an overview of the Microsoft Internet Data Center architecture and it's basically what everyone recommends currently.
http://www.microsoft.com/solutions/msa/evaluation/overview/idc/archelements.asp
(this is page 3, so there is some discussion on the previous 2 pages)
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
K. Brian Kelley
@kbriankelley
September 16, 2003 at 3:27 pm
In your DMZ use local accounts with synced names and passwords. For example: servera\IUSR_WEB and serverb\IUSR_WEB with both accounts having the same password. Servera is your web server and is open to the internet. serverb is your database server and NOT open to the internet, just to servera
"locally on both the SQL Server computer and the IIS computer with the same password. If you create the user locally on both computers, the user must be given the Log on Locally right on the SQL Server computer"
Edited by - robinhc on 09/16/2003 3:30:21 PM
Viewing 8 posts - 1 through 7 (of 7 total)
You must be logged in to reply to this topic. Login to reply