authenticating windows users to sql thru IIS
-
(guessing a little on the right forum but...)
I'm building a new server for our intranet, using win2000 server/IIS5 and sql 2000.
All user accessing are authenticated via domain controller and thus can do 'integrated' (NT if you prefer) login - transparent to them.
Now, I know that the users are getting recognised, as the asp page reports so, and the 'domain users' group that contains all users is listed in sql as a group to use windows auth rather than sql auth. However, I cannot seem to get sql to recognise the group as containing the login passed, and the MS KB article 247931 indicates that the error message I get means 'problems with the SQL Server configuration for Windows NT authentication', but I'm stuck as to where the problem is.
We don't use ADS yet, btw.
-
Are you using MTS?
-
Not specifically - but I've solved the problem now by creating a 'standard' login that is then added to the connection string.
I get the feeling that MS don't make it easy if you don't move wholesale to their newest idea....
-
The problem is that IIS does the authorization first then lets the user move on to the SQL server. Set up a NT Authority group with network service on your SQL server when using windows authorization.
If this does not solve the problem or I misunderstood cut and paste the error message and search for the answer using google.
Cheers, Jim
-
far as I can see, that's what I've been trying to do...
IIS is picking up the user login fine, and all the users are (on the domain) members of the 'domain members' group, which in turn is in the logins list on the sql server, and that in turn has 'public' perms to the database.
-
Hi .
What we have found was that when you users are from different domains and you have NT 4.0 domain controllers and windows 2000 Dc's, you cannot do 2 authentication hops (one from the web server and one on the SQL server , the only ways to resolve this is to have and AD , or have the web app and SQl server on the same box or use a SQL account not a domain account .
hope this helps
WC
-
It would but......
The IIS and SQL servers are on the same box, in the same domain and in their previous incarnation (NT/sql7) worked just fine, the only difference being that under NT, NTLM was the only authentication availlable.
I've resolved this, as you have mentioned, by using an sql account in the middle (until ADS rears its head).
Viewing 7 posts - 1 through 6 (of 6 total)
You must be logged in to reply to this topic. Login to reply