INFO: Accessing SQL Server with Integrated Security from ASP

Last reviewed: December 11, 1997
Article ID: Q176377
The information in this article applies to:
  • Microsoft Active Server Pages, versions 1.0, 1.0b

SUMMARY

When accessing SQL Server with integrated security from Active Server Pages (ASP) there are some limitations that you should be aware of when designing your Web site. This article gives a high-level overview of these limitations and describes possible workarounds.

MORE INFORMATION

Microsoft SQL Server Integrated Security requires NTLM authentication in order to map user accounts to SQL Server accounts. This process requires that a token be created during the authentication process. This token requires a the user password to create a private encryption key. Because of this, the token can only be created on a domain controller or the logged on user's machine. Also note that Windows NT 4.0 does not allow the forwarding of such tokens.

With these points in mind you can see that after a Web browser is authenticated by Internet Information Server (IIS), an authenticated connection to the SQL Server is not possible. At this point when IIS attempts to connect to SQL Server via NTLM, IIS does not have the necessary information to complete the NT authentication process.

There are a couple possible workarounds to this limitation:

Host IIS and SQL Server on the Same Machine

By eliminating the need for IIS to create an authenticated connection to SQL Server, you can work around this problem. To do this you must use a data source name (DSN) that does not look out to the network for the SQL Server and instead looks directly to the local machine. This can be done by using the "(local)" setting in a System DSN.

Use Basic Authentication Instead of NTLM in IIS

By using Basic authentication, the password is BASE64 encoded and sent to IIS during the authentication process. With the password, IIS can now complete the NTLM authentication process when connection to SQL Server.

NOTE: This method is not secure. BASE64 encoded passwords can be decrypted by anyone able to sniff network packets over the Internet or intranet.

Map the Anonymous User Account from IIS to a SQL Server Guest Account

This method assumes that all users will have the same level of privileges to the SQL Server resources. This method is most often the LEAST acceptable option.

REFERENCES

For additional information, please see the following article(s) in the Microsoft Knowledge Base:

   ARTICLE-ID: Q176379
   TITLE     : HOWTO: IIS and SQL Server on Separate Machines with Trusted
               Connection

   ARTICLE-ID: Q176378
   TITLE     : HOWTO: SQL Server with Integrated Security, IIS on Same
               Machine


   ARTICLE-ID: Q176380
   TITLE     : HOWTO: Using ASP with a SQL Trusted Conn with Guest Acct

For the latest Knowledge Base artices and other support information on Visual InterDev and Active Server Pages, see the following page on the Microsoft Technical Support site:

   http://support.microsoft.com/support/vinterdev/


(c) Microsoft Corporation 1997, All Rights Reserved. Contributions by Paul Enfield, Microsoft Corporation

Keywords          : AXSFCompADO AXSFDataBase AXSFSQL
Technology        : kbInetDev
Version           : WINNT:1.0,1.0b
Platform          : winnt
Issue type        : kbinfo


================================================================================


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Last reviewed: December 11, 1997
© 1998 Microsoft Corporation. All rights reserved. Terms of Use.