Tommaso Caldarola said:
I have a custom object host on IIS, windows authentication enabled.
The problem raises when the remote object, invoked by the client, tries to connect to SQL
Server, I get 401 error (Authorization denied).
What do I have to set in order to connect to database?
Your clients are are authenticated by IIS but SQL sever is one hop too far for NTLM
authentication, this will only work if you enable Kerberos delegation. In order to set-up
this correctly, you need to run in a AD realm, and you need to trust the IIS server machine
for delegation, the users (AD accounts) must also "allow to be delegated" (this is the
default).
Note that above will only work with IE clients and only if Kerberos authentication succeeds,
else your clients may well get authenticated using NTLM and trouble begins again. Another
serious drawback is that this doesn't scale, as each user has different credentials, each
connection with SQL will require a separate SQL connection pool and each logical connect
will result in a new physical connection, which is pretty slow.
Much better option is to authenticate at the IIS server side and apply role based security
in order to access SQL, the asp.net application can connect with SQL using fixed explicit
credentials.
Willy.
