The information in this article applies to:
SUMMARY
When accessing SQL Server with integrated security from Active Server Pages
(ASP) there are some limitations that you should be aware of when designing
your Web site. This article gives a high-level overview of these
limitations and describes possible workarounds. MORE INFORMATION
Microsoft SQL Server Integrated Security requires NTLM authentication in
order to map user accounts to SQL Server accounts. This process requires
that a token be created during the authentication process. This token
requires a the user password to create a private encryption key. Because of
this, the token can only be created on a domain controller or the logged on
user's machine. Also note that Windows NT 4.0 does not allow the forwarding
of such tokens.
Host IIS and SQL Server on the Same MachineBy eliminating the need for IIS to create an authenticated connection to SQL Server, you can work around this problem. To do this you must use a data source name (DSN) that does not look out to the network for the SQL Server and instead looks directly to the local machine. This can be done by using the "(local)" setting in a System DSN.Use Basic Authentication Instead of NTLM in IISBy using Basic authentication, the password is BASE64 encoded and sent to IIS during the authentication process. With the password, IIS can now complete the NTLM authentication process when connection to SQL Server.NOTE: This method is not secure. BASE64 encoded passwords can be decrypted by anyone able to sniff network packets over the Internet or intranet. Map the Anonymous User Account from IIS to a SQL Server Guest AccountThis method assumes that all users will have the same level of privileges to the SQL Server resources. This method is most often the LEAST acceptable option.REFERENCESFor additional information, please see the following article(s) in the Microsoft Knowledge Base: Q176379 HOWTO: IIS and SQL Server on Separate Machines with Trusted Connection Q176380 HOWTO: Using ASP with a SQL Trusted Conn with Guest Acct For the latest Knowledge Base artices and other support information on Visual InterDev and Active Server Pages, see the following page on the Microsoft Technical Support site: http://support.microsoft.com/support/vinterdev/ (c) Microsoft Corporation 1997, All Rights Reserved. Contributions by Paul Enfield, Microsoft Corporation Additional query words:
Keywords : kbASP kbDatabase kbWinOS2000fix kbSecurity kbSQLServ kbWebServer kbGrpASP kbiis300 kbiis400 kbiis500 |
Last Reviewed: December 8, 1999 © 2000 Microsoft Corporation. All rights reserved. Terms of Use. |