
How Does SQL Server Verify Domain Security

Will - 24 Apr 2005 05:15 GMT
How does SQL Server verify the credentials of a domain user who attempts to
use a database with domain security?    Is some sort of Kerberos key passed
instead of the userid and password, and how does SQL Server's security
verify these tokens are correct?

We want to migrate a small application from an internal network to the other
side of a proxy server, and we want to understand what is required for the
domain authentication to continue working.

Signature

Will

Jens Süßmeyer - 24 Apr 2005 10:32 GMT
> How does SQL Server verify the credentials of a domain user who attempts
> to
[quoted text clipped - 7 lines]
> side of a proxy server, and we want to understand what is required for the
> domain authentication to continue working.
Jens Süßmeyer - 24 Apr 2005 10:36 GMT
No problem, that's a good article about authentication in SQL Server:

http://www.databasejournal.com/features/mssql/article.php/3341651

To summarize authentication: You log on to a domain controller proving that you are
the individual that you are supposed to be. (Username and Password) If this
authentication is successful you get a Kerberos ticket that is valid for a specific amount
of time. With this ticket you are able to log on to SQL Server because the
server can validate the ticket with the domain controller to prove "time"
and identity.

HTH, Jens Suessmeyer.

---
http://www.sqlserver2005.de
---

> How does SQL Server verify the credentials of a domain user who attempts
> to
[quoted text clipped - 7 lines]
> side of a proxy server, and we want to understand what is required for the
> domain authentication to continue working.
Will - 24 Apr 2005 17:54 GMT
I suspected this, so this is where we see the problem.   We would
have a domain controller on the internal network and then another
domain controller on the other side of the proxy server.   User A
authenticates behind the proxy with his domain controller.   SQL
Server resides on the Internet side of the proxy.  Upon receiving
the Kerberos ticket, SQL Server attempts to validate it with the
local domain controller.   The local domain controller won't
recognize this ticket, and I assume it will try to validate it
with the internal domain controller.   But it cannot do this,
because the internal domain controller is behind a proxy server.

Is there any way around this dilemma?

Signature

Will
Internet: westes at earthbroadcast.com

> No problem, that's a good article about authentication in SQL Server:

http://www.databasejournal.com/features/mssql/article.php/3341651

> To summarize authentication: You log on to a domain controller proving that you are
> the individual that you are supposed to be. (Username and Password) If this
[quoted text clipped - 7 lines]
> ---
> http://www.sqlserver2005.de
Mike Epprecht (SQL MVP) - 25 Apr 2005 12:45 GMT
Hi

The only way would be to set up a one-way trust, with only the external
Domain trusting the internal one. Proxy server ports would need to be opened.

Regards
Mike

> I suspected this, so this is where we see the problem.   We would
> have a domain controller on the internal network and then another
[quoted text clipped - 30 lines]
> > ---
> > http://www.sqlserver2005.de
Will - 25 Apr 2005 16:11 GMT
What is the nature of the protocol that would need to take place
between the SQL Server / domain controller on the external side
of the proxy and the domain controller on the internal side of
the proxy?

I read one example of a Kerberos exchange last night where it
looked like the two domain controllers never talked directly to
each other, but instead negotiated authentication through a
common parent domain controller.

Signature

Will
Internet: westes at earthbroadcast.com

> The only way would be to set up a one-way trust, with only the external
> Domain trusting the internal one. Proxy server ports would need to be opened.
>
> Regards
> Mike
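
A toy model of the cross-domain exchange discussed in this thread, added here as an illustration and not taken from any poster or from SQL Server itself. The realm names, the `KDC` class and all function names are hypothetical, and HMAC sealing stands in for real Kerberos ticket encryption.

```python
import hashlib, hmac, json, os

def seal(key, claims):
    """Toy stand-in for ticket encryption: JSON body plus an HMAC tag under key."""
    body = json.dumps(claims, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()

def unseal(key, ticket, now):
    """Return the claims only if the tag verifies under key and the ticket is unexpired."""
    body, tag = ticket
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise PermissionError("ticket was not sealed with this key")
    claims = json.loads(body)
    if now >= claims["expires"]:
        raise PermissionError("ticket expired")
    return claims

class KDC:  # constructed model of one domain controller; password check omitted
    def __init__(self, realm):
        self.realm, self.tgt_key = realm, os.urandom(32)
        self.service_keys = {}  # SPN -> key shared with that service
        self.accepts = {}       # realm we trust -> inter-realm key
        self.refers = {}        # realm that trusts us -> the same key

    def trust(self, other):
        """One-way trust: this realm accepts users that `other` authenticated."""
        self.accepts[other.realm] = other.refers[self.realm] = os.urandom(32)

    def login(self, user, now, lifetime=600):
        return seal(self.tgt_key, {"user": user, "realm": self.realm, "expires": now + lifetime})

    def request(self, tgt, spn, spn_realm, now):
        """Issue a service ticket for a local SPN, or a referral toward spn_realm."""
        home = json.loads(tgt[0])["realm"]  # unverified hint, used only to pick the key
        key = self.tgt_key if home == self.realm else self.accepts.get(home)
        if key is None:
            raise PermissionError(f"{self.realm} does not trust {home}")
        who = unseal(key, tgt, now)
        out = self.service_keys.get(spn) if spn_realm == self.realm else self.refers.get(spn_realm)
        if out is None:
            raise PermissionError(f"{self.realm} cannot issue a ticket for {spn}@{spn_realm}")
        return seal(out, {**who, "spn": spn})

def sql_server_accepts(service_key, spn, ticket, now):
    """The service verifies the ticket with the key it shares with its own KDC."""
    claims = unseal(service_key, ticket, now)
    if claims["spn"] != spn:
        raise PermissionError("ticket issued for a different service")
    return f'{claims["user"]}@{claims["realm"]}'
```

Calling `external.trust(internal)` on two `KDC` objects models the one-way trust: an internal user's TGT yields a referral from the internal KDC, which the external KDC exchanges for a service ticket, while the reverse direction is refused. In this model the client carries the referral from one KDC to the other; the two KDC objects never call each other.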