
I have a service that, when accessing databases, I want to use the calling identity's credentials.

Before I access a particular database I do an impersonation by

using System.Security.Principal;
using System.Web;

// Requires Windows Authentication on the site; Identity is not a WindowsIdentity for anonymous callers
var winId = HttpContext.Current.User.Identity as WindowsIdentity;
var ctx = winId.Impersonate(); // returns a WindowsImpersonationContext
try { /* Access Database */ }
finally { ctx.Undo(); } // always revert, even if the database call throws

This scenario works fine when the service runs locally on my PC. However, when deployed on another remote PC, I get the error:

Login failed for user 'NT Authority\Anonymous Logon'

as soon as it tries to access the database.

I have been told by DBAdmin that the SQL Server has an SPN.

The account under which the service runs is a domain account.

Charles
TheWommies
  • Windows service or web service hosted on IIS? – CodeZombie Oct 31 '13 at 08:45
  • It has an .asmx extension so I guess that is a web service. The DB Team have advised me this is the error they are getting when I'm trying to access the database: DESCRIPTION: SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure. [CLIENT: 192.168.14.116]. – TheWommies Oct 31 '13 at 08:55
  • http://stackoverflow.com/questions/13706580/kerberos-double-hop-in-asp-net-4-0-sql2008r2/ – Joe Oct 31 '13 at 12:53
  • You cannot double hop with windows authentication, only kerberos can do that. – RBarryYoung Nov 02 '13 at 23:22
  • So I need to re-write my asmx service following this article http://www.codeproject.com/Articles/27554/Authentication-in-web-services-using-C-and-Kerbero – TheWommies Nov 05 '13 at 00:22

2 Answers


The problem you are most likely experiencing is Delegation, as opposed to Impersonation.

I assume in your production environment you actually have your Web Browser, your IIS Server and your SQL Server all on different machines.

Simple Impersonation does not support Multi-Hop.

To support Multi-Hop you need to set up Kerberos with Delegation. You are going to have to set up the SPN records in your Active Directory. Once that is done, you also need to enable Delegation for the IIS machine in your AD.

In short, Delegation is a HUGE can of worms.

Aron
  • Yes we have done all of that except setting the IIS Server an SPN as I have been told this can be dangerous. IIS Server is still running under a local account, does this need to run under an AD account with an SPN set? – TheWommies Nov 03 '13 at 22:36
  • Either you need an AD account, and you set the SPN on that, or you use a local account and set the SPN on the machine. Still. Kerberos Auth with multi hop is a black art. My final advice is DON'T. It's such a complicated system to debug. – Aron Nov 04 '13 at 00:14
  • What alternatives are there then? I need to access resources on another network using the person that's calling the service credentials. – TheWommies Nov 04 '13 at 04:34
  • Apart from re-architecting your program to avoid multi-hop auth? None. In .net/Windows Kerberos is the only way. As for your source telling you that 'setting SPN is dangerous'. Well consider what delegation means, the whole concept is a huge security hole. Hence to reduce the attack surface area, Kerberos Delegation is extremely complex and fragile. – Aron Nov 04 '13 at 05:10
  • Thanks, I assume the holes are that someone can somehow sniff the delegation being sent around and emulate that? That's why it's dangerous? Anyway I'm just wondering if it's related to the way I'm making my calls to the ASMX service so reading up on http://msdn.microsoft.com/en-us/library/microsoft.web.services2.requestsoapcontext.aspx – TheWommies Nov 04 '13 at 06:17
  • No and no. Delegation is only dangerous if you lose control of your IIS server. – Aron Nov 04 '13 at 06:58
  • Another issue is my ASMX service is running under a domain account. When this domain account has an SPN I cannot use my client application to authenticate against it anymore. How would I rectify this? – TheWommies Nov 04 '13 at 23:51
  • I keep on getting 401 authentication errors. I am calling multiple asmx web services and sometimes for whatever reason one succeeds whereas the other one fails but then for some reason one works then the other one fails...Have no idea what the reason is – TheWommies Nov 06 '13 at 07:05
  • Are your computers all NTP synchronized? Are you using FQDNs to access your server? Is Jupiter rising in the seventh house, on a blue moon during a solar flare? – Aron Nov 06 '13 at 09:02
  • Read Ken's writeup on Kerberos and IIS. I recently did this same thing, and it's not all that bad once you understand how it all works. http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/20/512.aspx – stames Nov 06 '13 at 20:36
  • Thanks, looks like I've got a bit of reading to do. The funny thing is, going through browsers like IE and Firefox the authentication works fine. Running the services locally the authentication also works fine. NTP seems synchronized. Not sure what FQDN is – TheWommies Nov 06 '13 at 22:19
  • Fully Qualified Domain Name – Aron Nov 07 '13 at 01:10
  • I'm still struggling with this... I have another post up for a bounty here if anyone is interested. http://stackoverflow.com/questions/19806533/client-calling-multiple-asmx-services#comment29613892_19806533 – TheWommies Nov 11 '13 at 11:00
  • Just wondering if IIS running under a local account matters? The service is running under a domain account but not IIS. Also there is only one service that is running under the domain account. There are other services that the wpf application calls but they run on different local accounts. Just wondering if this matters – TheWommies Nov 11 '13 at 11:27
  • The account that IIS is running under needs to be set in your SPN. – Aron Nov 11 '13 at 16:53
  • @TheWommies just realised the actual question you asked...YOU CANNOT RUN KERBEROS AGAINST A LOCAL ACCOUNT. The AD needs to send the User's credentials to IIS encrypted using the IIS account public keys. Only way it can do that is because it stores all AD user's public keys. You CAN force the `system` account to decrypt the user credentials by using `Kernel Mode Security`, and the `system` account is an AD account. However I never managed to get that to work... – Aron Nov 11 '13 at 17:05
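Added here as a diagnostic, not code from the question or from either answer: a helper that reports which kind of token the ASMX caller actually presented (no Windows identity at all, NTLM versus Kerberos, impersonation versus delegation level), which is what separates "works on my PC" from "ANONYMOUS LOGON on the remote SQL Server". It assumes the service reads the caller from HttpContext.Current.User as in the question; CallerTokenDiagnostics and DiagnosticsService are hypothetical names.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Services;

// Hypothetical diagnostic helper (not from the question or answers): report what kind
// of token the caller presented before any Impersonate() call is attempted.
public static class CallerTokenDiagnostics
{
    public static string Describe(IPrincipal principal)
    {
        var winId = principal == null ? null : principal.Identity as WindowsIdentity;

        // Windows Authentication not enabled / Anonymous enabled: IIS hands the service an anonymous caller.
        if (winId == null || !winId.IsAuthenticated || winId.IsAnonymous)
            return "No authenticated Windows identity: enable Windows Authentication and disable Anonymous.";

        // "NTLM" never yields a delegation token; "Kerberos" is what a registered SPN on the
        // service's domain account produces. The token level decides whether a second hop can work.
        string authType = winId.AuthenticationType;
        TokenImpersonationLevel level = winId.ImpersonationLevel;

        string verdict;
        if (level == TokenImpersonationLevel.Delegation)
            verdict = "delegation token; a SQL Server on another host will see the caller";
        else if (level == TokenImpersonationLevel.Impersonation)
            verdict = "impersonation-only token; local resources work, but a remote SQL Server "
                    + "sees NT AUTHORITY\\ANONYMOUS LOGON (the double hop)";
        else
            verdict = "identification-level or lower token; the impersonated thread cannot open secured objects even locally";

        return string.Format("{0} via {1}, level {2}: {3}", winId.Name, authType, level, verdict);
    }
}

// Exposed as a web method so the check runs under the same client, credentials and
// hosting as the failing database call; remove once the configuration is diagnosed.
public class DiagnosticsService : WebService
{
    [WebMethod]
    public string WhoAmI()
    {
        return CallerTokenDiagnostics.Describe(HttpContext.Current.User);
    }
}
```

Call WhoAmI from the WPF client that fails: an "NTLM" or "Impersonation" result on the remote box, with "Kerberos"/"Delegation" only on the local box, confirms the delegation problem described in this answer rather than a database permission problem.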

You have to make sure IIS offers "Windows Authentication" authentication and it is enabled. By default the WindowsAuthenticationModule is not installed and Anonymous Authentication is used.

[Screenshot: Default]

To set up Windows Authentication use the Web Platform Installer and search for "Windows Authentication". After the installation has completed, enable the "Windows Authentication" authentication for your site.

[Screenshot: After setup and enable]

See Configure Windows Authentication (IIS 7) for more information.

You might also take a look at the related questions on the right, especially SQL Server returns error "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'." in Windows application

CodeZombie
  • Yes, windows authentication with no Anonymous authentication is set up, so that anonymous is not enabled. I have read those posts, but still not sure what I am missing – TheWommies Oct 31 '13 at 21:30