SQL Server Forum / General / Security / July 2008


Using trusted database connection across domains

Dave Smith - 16 Jul 2008 13:57 GMT
I have asked this before; however, I never got a response. Before I start
using crypto (e.g. blowfish) to encrypt my connection strings in web.config
I would like to know that it is necessary. I feel that it should not be
necessary.

I have an ASP.NET app running under IIS6 on a Windows 2003 Server in a DMZ
within our network. Obviously, this machine is not a member of any of our
domains. My app needs to talk to an SQL Server machine that is not in the DMZ
and is a member of one of our domains. So, I have to cross not only a domain
boundary but also a firewall to get from the client to the server.

Is this possible using a trusted database connection?

Thank you for any and all ideas.

Dave
Charles Wang [MSFT] - 17 Jul 2008 04:19 GMT
Hi Dave,
I understand that you would like to use Windows Authentication for your
ASP.NET application, however the web server is in a workgroup which is not
in any of your domains.  You would like to know if this is possible.
If I have misunderstood, please let me know.

Unfortunately this is not possible, because Kerberos authentication cannot
be established between a domain and a workgroup or among separated domains
(without building any trust relationship); while Windows NTLM
authentication cannot be double-hop. If your Web application used Windows
authentication, your client user token can be passed to your web server and
authenticated, however the token cannot be further authenticated on your
remote SQL Server. I recommend that you use SQL Authentication in this case
and encrypt the connection string in your config file.

If you have any other questions or concerns, please feel free to let me
know. Have a nice day!

Best regards,
Charles Wang
Microsoft Online Community Support
===========================================================
Delighting our customers is our #1 priority. We welcome your
comments and suggestions about how we can improve the
support we provide to you. Please feel free to let my manager
know what you think of the level of service provided. You can
send feedback directly to my manager at: msdnmg@microsoft.com.
===========================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for
non-urgent issues where an initial response from the community
or a Microsoft Support Engineer within 1 business day is acceptable.
Please note that each follow up response may take approximately
2 business days as the support professional working with you may
need further investigation to reach the most efficient resolution.
The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by
contacting Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
============================================================
Signature

This posting is provided "AS IS" with no warranties, and confers no rights.

=========================================================
Dave Smith - 21 Jul 2008 13:21 GMT
Charles,

You asked for my comments on your response to my question. My basic response
is that it makes little sense with what I believe that I know about Windows
security. One of us clearly does not understand the problem; I admit that it
may be me. I have already implemented the encryption of the connection
string, even though I still do not understand why it is necessary.

First, you seem to be saying that Kerberos authentication will not work
between one machine that is not in a domain and a second machine that is in
a domain. If this is true, how does it work in Mac OS X or Red Hat Linux
where NT domains do not exist?

You go on to say that I have a double-hop in my authentication. I do not see
this. My plan is to configure the ASP.NET app to run in an application pool
under IIS 6. This pool will be configured to run under a username and
password defined in the local SAM database on that web server machine. When
the ASP.NET application needs to connect to the SQL database it will pass
its login credentials, from its local SAM database, to the SQL Server
machine. On the SQL Server there will be another Windows account with the
same username and password. Where is the second hop?

Thank you for your time in considering this.

Dave

Charles Wang [MSFT] - 22 Jul 2008 12:10 GMT
Hi Dave,
Thank you for your response.

First let me try to explain the Kerberos authentication, though it should be a Windows AD question. Based on my communications with some AD experts, Kerberos authentication on Windows
requires a KDC that is running on a domain controller. If the client computer is not in a domain, it is restricted from communicating directly with the KDC, and you cannot add a domain user account
into a local user group. Also, your ASP.NET host process cannot be configured to start with a domain account. Since your ASP.NET application's host process cannot run under a domain
account, if your ASP.NET web application's database connection was configured to use Windows Integrated Authentication, the workgroup account cannot be validated by the KDC. In this case,
Kerberos authentication will fail.

You can use Kerberos authentication in such a scenario; for example, when you need to access a web server that is in a domain and that is configured to use Windows Integrated Authentication,
after you input the URL in IE and press Enter, a window prompts you to input an account, and you can input the domain account there for authentication. However, as you can
see, that is not for a database connection, and this approach is actually not welcome in my viewpoint.

Regarding double-hop, thank you for your inputs. I apologize that my last description was not accurate for your scenario. I had thought that your client computer's account token (client
computer) would be passed to your web application (web server) and then your web application would use it to access your database (database server). However, after I discussed this with some ASP.NET
experts, I learned that I had some misunderstandings before, and I appreciate your understanding on this since I am not an ASP.NET expert.

As I mentioned before, since your ASP.NET application pool in a Workgroup environment cannot start with a domain user account, Kerberos authentication cannot be established between a
Workgroup user and the KDC in a Windows environment. However, if your intention is just to use Windows authentication and not to encrypt the connection string, I think that NTLM
authentication can also work for you. On your database server, you can create a local user with the same name and password as your ASP.NET application pool's identity, and then explicitly add
the local Windows user account to your SQL Server logins and assign permissions. Then your ASP.NET application can use Windows Integrated Authentication for your database connection. I
performed a test on my side and it worked fine.

Note that for this type of issue, which is cross-related with other AD and ASP.NET technologies, our initial response may not be able to fully address your real concerns, so if you have any
further questions or concerns like those in this thread, we would appreciate it if you could post back promptly so that we can better understand your issue and try to effectively collaborate with other
technical experts to work together on resolving the issue.

If you have any other questions or concerns, please feel free to let me know. Have a nice day!

Best regards,
Charles Wang
Microsoft Online Community Support
Dave Smith - 22 Jul 2008 14:29 GMT
Charles,

Thank you for the further explanation. As I understand from your comments
about using peer-to-peer NTLM authentication, this should work; however, we
have been unable to get it to work for us. This may be due to the firewall
between our web server and our SQL server blocking NETBIOS.

This is no longer an issue for us, since I have already modified the web
application to decrypt the connection string read from web.config and have
written a standalone utility to create the encrypted connection strings.

I feel it is a shame that such a great technology like trusted database
connections is of so limited value. I can't believe that many enterprise
web applications have the customer-facing web server in the same network and
domain as the SQL server machine, which means (as I understand from you)
that these applications cannot use trusted connections.

Thank you for your assistance.

Dave Smith

Charles Wang [MSFT] - 23 Jul 2008 12:31 GMT
Hi Dave,
Thank you for your response.

Regarding your concern, "I feel it is a shame that such a great technology like trusted database connections is of so limited value. I can't believe that many enterprise web applications have the
customer-facing web server in the same network and domain as the SQL server machine, which means (as I understand from you) that these applications cannot use trusted connections.":

It does not mean that trusted connections cannot be established. A trusted database connection can be established, but via NTLM authentication instead of Kerberos in this case. I recommend
that you first check if you can access a network share folder by using NTLM authentication between your web server and database server. If not, contact your network administrator to check why
NTLM authentication cannot work in your environment. Once this issue is resolved, you should be able to use Windows NTLM authentication for a database trusted connection by following
the steps I mentioned in my last response.

From your former descriptions, I think that you might be an expert on Unix or Linux and have not got into the habit of using the Windows operating system. I would appreciate it if you could gain more
understanding of Windows. After all, Windows is a different OS from Unix and Linux, and it is normal that they show different behaviors for some functions. That also leads to different
application architectures on these different OS platforms.

Also, I would like to let you know that your question is essentially a Windows security question, and our SQL Server newsgroup is not the best place for deeply discussing such
advisory questions. If you are interested in such Windows security questions, you may post anew at microsoft.public.windows.server.security for a wider audience.

Please feel free to let me know if you have any other questions or concerns. I am very glad to work with you for further assistance.

Best regards,
Charles Wang
Microsoft Online Community Support
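Added example, not code from the thread or from Microsoft: the SQL Server side of the mirrored local-account (NTLM) setup Charles outlines in his 22 Jul reply, followed by the query that confirms his 23 Jul point that the trusted connection is authenticated over NTLM rather than Kerberos. DBSRV, WebAppPool, AppDb and webapp_role are placeholder names.

```sql
-- Added example (not from the thread). Placeholders: DBSRV = the database
-- server's own machine name (the mirrored account lives in its local SAM),
-- WebAppPool = the IIS application pool identity created on the web server,
-- AppDb = the application database.

-- 1. Map the mirrored local Windows account to a SQL Server login. No password
--    is stored here: NTLM validates the caller against DBSRV's local SAM, which
--    only succeeds because the username and password match the web server's
--    local account. The web.config connection string then needs no secret at
--    all: "Server=DBSRV;Database=AppDb;Integrated Security=SSPI".
CREATE LOGIN [DBSRV\WebAppPool] FROM WINDOWS
    WITH DEFAULT_DATABASE = [AppDb];
GO

-- 2. Least privilege: a database user and an application role that holds only
--    the rights the web application needs, rather than db_owner or sysadmin.
USE [AppDb];
GO
CREATE USER [WebAppPool] FOR LOGIN [DBSRV\WebAppPool];
CREATE ROLE [webapp_role];
GRANT SELECT, INSERT, UPDATE ON SCHEMA::[dbo] TO [webapp_role];
EXEC sp_addrolemember N'webapp_role', N'WebAppPool';
GO

-- 3. Verification (SQL Server 2005 and later): once the web application has
--    connected with Integrated Security=SSPI, show how each of its sessions was
--    authenticated. auth_scheme is NTLM on the mirrored-account path; KERBEROS
--    appears only when both hosts share a domain or trust, and SQL means the
--    connection string silently fell back to a SQL login.
SELECT s.session_id, s.login_name, s.host_name, s.program_name,
       c.auth_scheme, c.net_transport, c.client_net_address
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.login_name = N'DBSRV\WebAppPool';
GO
```

Note that the NTLM exchange for the database connection travels inside the TDS login on the SQL Server TCP port (1433 by default), so the database connection itself does not depend on NetBIOS ports, whereas the network-share test Charles suggests does need SMB through the firewall. Keep the mirrored account's password identical on both hosts and rotate it on both at the same time, since a mismatch fails silently as a login error.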
Charles Wang [MSFT] - 21 Jul 2008 11:07 GMT
Hi Dave,
Just checking with you to see if you have any other questions or concerns on this issue. We welcome
your posting back and letting us know the issue status.

Have a nice day!

Best regards,
Charles Wang
Microsoft Online Community Support