
I have some issues trying to create a web application under Windows security.

Scenario

One server with IIS and a different remote SQL Server. All users from the network should be able to use the application using their Active Directory credentials.

Following this documentation:

Connection string:

```xml
<connectionStrings>
<add name="TESTODSEntities"
    connectionString="metadata=res://*/Models.EntityModel.TESTODSEntityModel.csdl|res://*/Models.EntityModel.TESTODSEntityModel.ssdl|res://*/Models.EntityModel.TESTODSEntityModel.msl;
    provider=System.Data.SqlClient;
    provider connection string=&quot;
    data source=TestServer;
    initial catalog=TEST_ODS;
    persist security info=False;
    Trusted_Connection=Yes;integrated security=True;
    MultipleActiveResultSets=True;
    App=EntityFramework&quot;" 
    providerName="System.Data.EntityClient" />
</connectionStrings>
```

web.config:

```xml
<identity impersonate="true"/>
<authentication mode="Windows" />
<authorization>
    <deny users="?" />
</authorization>
```

IIS Configuration

ApplicationPool properties:

Identity --> ApplicationPoolIdentity
Load UserProfile --> True

Application's options:

Authentication:
    ASP.NET Impersonation: Enabled
    Basic Authentication: Enabled
    Windows Authentication: Disabled <-- According to the documentation, this has to be disabled when IIS and SQL are on different servers.

I created the test page as suggested by the documentation and this is the result:

Test database Current user: Domain\testuser | System user: AD\testuser

Current user IIS User: Domain\testuser - Will flow across the network: False

InteractiveSid: False

BatchSid: False

ServiceSid: False

The user is known, but these three WellKnownSidType values are false and therefore "Will flow across the network" is also false.

Already checked:

Any suggestion?

blfuentes
  • An interesting read, documenting step by step how you completely removed all security from your deployment. Start by reading [How to: Access SQL Server Using Windows Integrated Security](https://msdn.microsoft.com/en-us/library/bsz5788z(v=vs.140).aspx) and only make changes after you actually *understand* what you're doing. Stop reading random forum posts. – Remus Rusanu Jul 16 '15 at 14:07
  • Well, the Application is set to use only Windows authentication and Impersonation. I reverted all changes and left these as explained in documentation and just gave rights to the authenticated users login in SQL. What's wrong with that solution? Why does it remove all security from the app? I tried some failed logins and they get the unauthorized expected response. – blfuentes Jul 16 '15 at 14:24
  • You aren't clear about what goal you want to accomplish. "Is it correct?" is not a good question. Please explain the authentication scheme you are trying to implement. If you don't know, that is the first problem you need to solve. – pseudocoder Jul 16 '15 at 16:16
  • Your solution, as posted originally after all the edits when I commented, was removing all security because you ended up granting R/W access to "all authenticated users" group. In effect you granted access to everybody with access to your network. – Remus Rusanu Jul 16 '15 at 17:07
  • @RemusRusanu you are right. I will update my question with a schema of what I am trying to do. – blfuentes Jul 16 '15 at 17:15
  • @RemusRusanu I updated my question with the changes and trying to explain better what is the problem and the current state. I do really appreciate your help. – blfuentes Jul 20 '15 at 07:19
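
The comments above turn on a SQL login for "all authenticated users" holding read/write access. The following T-SQL is an added example, not code from any of the posts: it audits for that kind of broad grant and replaces it with a grant to one dedicated AD group. It assumes SQL Server 2012 or later; the group name `AD\TestOdsAppUsers` is hypothetical, while `TEST_ODS` and the `AD` domain are taken from the question.

```sql
-- Added example. [AD\TestOdsAppUsers] is a hypothetical AD security group
-- that holds only the people who are meant to use the application.

-- 1. Audit: server logins that belong to broad Windows groups.
SELECT sp.name, sp.type_desc, sp.is_disabled, sp.create_date
FROM sys.server_principals AS sp
WHERE sp.type = 'G'                                   -- Windows group
  AND (sp.name IN (N'NT AUTHORITY\Authenticated Users', N'BUILTIN\Users')
       OR sp.name LIKE N'%\Domain Users');

-- 2. Audit: database roles held by Windows groups in the application database.
USE [TEST_ODS];
SELECT m.name AS member_name, r.name AS role_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE m.type = 'G'
ORDER BY m.name, r.name;

-- 3. Remove the broad grant: database user first, then the server login.
IF DATABASE_PRINCIPAL_ID(N'NT AUTHORITY\Authenticated Users') IS NOT NULL
    DROP USER [NT AUTHORITY\Authenticated Users];

USE [master];
IF SUSER_ID(N'NT AUTHORITY\Authenticated Users') IS NOT NULL
    DROP LOGIN [NT AUTHORITY\Authenticated Users];

-- 4. Grant read/write to the dedicated group only.
IF SUSER_ID(N'AD\TestOdsAppUsers') IS NULL
    CREATE LOGIN [AD\TestOdsAppUsers] FROM WINDOWS
        WITH DEFAULT_DATABASE = [TEST_ODS];

USE [TEST_ODS];
IF DATABASE_PRINCIPAL_ID(N'AD\TestOdsAppUsers') IS NULL
    CREATE USER [AD\TestOdsAppUsers] FOR LOGIN [AD\TestOdsAppUsers];

ALTER ROLE db_datareader ADD MEMBER [AD\TestOdsAppUsers];
ALTER ROLE db_datawriter ADD MEMBER [AD\TestOdsAppUsers];
```

With impersonation in place, access is then decided by membership of that group in Active Directory rather than by network reachability.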

0 Answers