Fog Creek Software
Discussion Board
Joel on Software

Web application security problems

I'm having a hard time getting some security issues ironed out with IIS and SQL Server.  I'm trying to leverage integrated security within SQL Server for improved security in the database.  The overall goal is:

1. Create a local user on the machine where IIS and DB reside.
2. Grant the local user a login on the database with necessary permissions.
3. Within the IIS application, set the anonymous access user/password to the local user account. 
4. Access the db with a connection string that leverages integrated security.  EG: "Initial Catalog=<db>;Data Source=<machine>;Integrated Security=SSPI"

As I understand it, this model is along the lines of how FogBugz works, as described here:

http://www.fogcreek.com/FogBUGZ/KB/howto/MoveFogBUGZ.html

After I specify the user account/password for the security settings in the IIS virtual directory, connecting to the database via this connection string fails.  It appears that despite this, it is still attempting to authenticate as the local ASPNET account.  I get: 

"Login failed for user '<machine>\ASPNET'"

If anyone has any insights regarding how I am misconfiguring things, I'd really appreciate it.

Thanks,

Kris

Kris
Sunday, August 15, 2004

Add the <identity impersonate="true" /> to your web.config.

Duncan Smart
Sunday, August 15, 2004

This works, though I'm still unsure that it's configured properly.  I added the switch in the web.config, and if I enable anonymous access in IIS, set the login and password to the local account, and allow IIS to control the password, the page is visible but then appears to not execute. 

If I then enable Windows Integrated Security it works normally; however, the requests all appear to execute under my user context (aka an admin on the machine and dbo on the SQL instance).  I can tell by disabling the local account and removing the SQL login on the db.  I can't find a means of impersonating and verifying that the security authentication/authorization is working properly.

The weird part is that the code behind on the ASPX page is calling the database and displaying the results, and if Windows Integrated Security in IIS is turned *off* this doesn't appear to even execute. 

Kris
Monday, August 16, 2004

"the requests all appear to execute under my user context " -- as you'd expect.

Is the problem *testing* it??

If you want to test it and log in as another user, then in IE go to Tools > Internet Options > Security > Custom Level > "Prompt for username and password" (right at the bottom). This way you can log in as other users without IE doing it automatically for you.

Duncan Smart
Tuesday, August 17, 2004

"This works, though I'm still unsure that its configured properly.  I added the switch in the web.config, and if I enable anonymous access in IIS, set the login and password to the local account, and allow IIS to control the password, the page is visible but then appears to not execute. "

If you allow IIS to control the password it will override the username/password you have set for the IIS user.  Leave Windows Integrated security off, enable anonymous access, set the user name and password, set impersonate=true and it will do what you want.

Chris
Saturday, September 25, 2004
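The thread never settles how to *verify* which account a request (and its SSPI connection to SQL Server) actually runs as, which is what Kris asks for in the second post. The diagnostic page below is an added example, not code from the thread, from FogBugz, or from Fog Creek; it assumes a database named "MyDb", SQL Server on the same machine as IIS ("Data Source=."), and that it is the code-behind of a page called WhoAmI.aspx (all placeholders). With `<identity impersonate="true" />` under `<system.web>` in web.config, anonymous access enabled and the virtual directory's anonymous user set to the low-privilege local account (with "allow IIS to control password" unchecked, as Chris says), the thread identity and the SQL login should both show that local account, and the two privilege checks should both come back false.

```csharp
// Added diagnostic page (not from the thread or from FogBugz): prints which
// Windows account the ASP.NET request runs as and which login SQL Server sees
// over an "Integrated Security=SSPI" connection, so the IIS + web.config
// impersonation setup can be verified rather than inferred from login errors.
// Assumptions (placeholders, not from the thread): database "MyDb", SQL Server
// on the same box as IIS ("Data Source=."), code-behind for WhoAmI.aspx.
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

public partial class WhoAmI : Page
{
    // Same shape as the connection string in the original question. SSPI means
    // "authenticate as the Windows identity of the calling thread", which is
    // why <identity impersonate="true" /> in web.config changes the outcome.
    private const string ConnStr =
        "Initial Catalog=MyDb;Data Source=.;Integrated Security=SSPI";

    private struct SqlIdentity
    {
        public string Login;        // SUSER_SNAME(): login SQL Server authenticated
        public bool IsSysAdmin;     // IS_SRVROLEMEMBER('sysadmin') == 1
        public string DatabaseUser; // USER_NAME(): "dbo" for sysadmins, as Kris saw
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        Response.ContentType = "text/plain";

        // Who IIS authenticated. Empty string with anonymous access on,
        // "DOMAIN\you" with Windows Integrated authentication on.
        Response.Write("IIS authenticated user : " + User.Identity.Name + "\r\n");

        // Who the worker thread actually runs as, i.e. what SSPI presents to SQL:
        //   no impersonation                      -> MACHINE\ASPNET (IIS 5) or
        //                                             NT AUTHORITY\NETWORK SERVICE (IIS 6)
        //   impersonate=true + anonymous access   -> the account configured as the
        //                                             virtual directory's anonymous user
        //   impersonate=true + Windows Integrated -> the browser user (an admin if
        //                                             the tester is an admin)
        WindowsIdentity thread = WindowsIdentity.GetCurrent();
        Response.Write("Thread identity        : " + thread.Name + "\r\n");

        // Least-privilege check on the Windows side: the anonymous account must
        // not be a local Administrator.
        WindowsPrincipal principal = new WindowsPrincipal(thread);
        bool isLocalAdmin = principal.IsInRole(WindowsBuiltInRole.Administrator);
        Response.Write("Local Administrator    : " + isLocalAdmin + "\r\n");

        try
        {
            SqlIdentity sql = QuerySqlIdentity();
            Response.Write("SQL login (SUSER_SNAME): " + sql.Login + "\r\n");
            Response.Write("SQL sysadmin member    : " + sql.IsSysAdmin + "\r\n");
            Response.Write("SQL user in database   : " + sql.DatabaseUser + "\r\n");
        }
        catch (SqlException ex)
        {
            // "Login failed for user 'MACHINE\ASPNET'" here means impersonation is
            // not in effect, or the impersonated account has no SQL login.
            Response.Write("SQL connection failed  : " + ex.Message + "\r\n");
        }
    }

    // Ask SQL Server which login it authenticated and what rights it carries.
    // SUSER_SNAME(), IS_SRVROLEMEMBER() and USER_NAME() exist in SQL Server 2000
    // and later.
    private static SqlIdentity QuerySqlIdentity()
    {
        using (SqlConnection conn = new SqlConnection(ConnStr))
        {
            conn.Open();
            SqlCommand cmd = new SqlCommand(
                "SELECT SUSER_SNAME(), IS_SRVROLEMEMBER('sysadmin'), USER_NAME()", conn);
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                r.Read();
                SqlIdentity id;
                id.Login = r.GetString(0);
                // IS_SRVROLEMEMBER returns NULL only for an invalid role or login.
                id.IsSysAdmin = !r.IsDBNull(1) && r.GetInt32(1) == 1;
                id.DatabaseUser = r.GetString(2);
                return id;
            }
        }
    }
}
```

Request the page once in each configuration and compare the lines. If "Thread identity" still reads MACHINE\ASPNET, the impersonate setting is missing or IIS is overriding the anonymous account's password; if it reads your own account and "SQL sysadmin member" is true, Windows Integrated authentication is on and the page is running with the tester's rights rather than the application account's, which is exactly the symptom described in the thread and not a configuration you want to ship.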
