NT Authentication Not Working

James M. Parker

Apr 27, 2001, 11:15:24 AM
I threw up a simple asp site on our IIS box, and have set it to use NT Auth,
and it works fine. But when I add some ADO code to connect to our SQL
Server, it will not pass the NT user authentication. Any ideas why or what
I should check? Thanks a bunch.


Jeff Dillon

Apr 27, 2001, 11:37:35 AM
That will only work if IIS and SQL are on the same machine.

I tried for a bit with W2K Kerberos, but just decided on SQL authentication
(passing the username/password in the connect string)

Jeff

"James M. Parker" <par...@nomail.com> wrote in message
news:OSRJTzyzAHA.1576@tkmsftngp03...

Chip Andrews

Apr 27, 2001, 3:55:09 PM
What version of IIS/SQL are you using?? That helps the diagnosis.

Other posters have suggested that you can only use NT Auth when SQL Server
is installed on the IIS Server - this is not exactly correct. If your IIS
server is allowing users to browse anonymously (that is - using the
IUSR_MACHINE account or another of your choosing) then it is possible to make
a single hop to another server. Also, if you're using Windows 2000 with
Active Directory you have the option of enabling delegation and making
multiple hops.

See KB article Q247931 for info on configuring integrated security in
IIS/SQL on different servers and also look into the delegation options if
each user is authenticated separately by IIS. Follow the directions closely
and you will be rewarded.

I have done this multiple times with great success.
Chip
________________________________
Chip Andrews, MCSE+I, MCDBA
http://www.sqlsecurity.com

"James M. Parker" <par...@nomail.com> wrote in message
news:OSRJTzyzAHA.1576@tkmsftngp03...

Chip Andrews

Apr 27, 2001, 3:59:33 PM
BTW - The article mentions that using basic auth is also an option but I do
not recommend that.

Chip

"Chip Andrews" <chipa...@usa.net.nospam> wrote in message
news:#JO4$P1zAHA.1896@tkmsftngp02...

Stephen L Nicoud

Apr 27, 2001, 4:27:19 PM
[Followup-To set to microsoft.public.inetserver.iis.]

Chip Andrews wrote:
>
> BTW - The article mentions that using basic auth is also an option but I do
> not recommend that.

Why do you not recommend that?
--
Reply to the newsgroup.

Chip Andrews

Apr 27, 2001, 5:19:26 PM
To clarify myself: I do not recommend basic authentication unless it is
combined with SSL as it transmits the credentials in cleartext. If you do
this over an untrusted network (i.e. the Internet) then it is possible to
intercept them.

Chip

"Stephen L Nicoud" <nic...@hotmail.com> wrote in message
news:3AE9D627...@hotmail.com...

Stephen L Nicoud

Apr 30, 2001, 1:25:20 PM
OK. Fair enough. I would also add that if you are going over an untrusted
network (e.g., the Internet) then I would recommend using SSL regardless of
which authentication mechanism you use. If the data is worth protecting with a
username and password then, regardless of the authentication mechanism used, you
should encrypt the data in transit. Don't be lulled into a false sense of
security by using NT Challenge / Response and then not encrypting the data.
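
An added example, not part of the original thread, illustrating the two points made in the posts above: Basic credentials are only base64-encoded, and without SSL the returned data is exposed whichever authentication scheme is used. The sample requests, account name, password and truncated NTLM blob are constructed.

```python
import base64

def b64(raw):
    return base64.b64encode(raw).decode("ascii")

# Constructed sample: (URL scheme, Authorization header value).
SAMPLE = [
    ("http",  "Basic " + b64(b"CORP\\jparker:Example-Passw0rd")),
    ("https", "Basic " + b64(b"CORP\\jparker:Example-Passw0rd")),
    # Truncated stand-in for an NTLM (NT Challenge/Response) message.
    ("http",  "NTLM " + b64(b"NTLMSSP\x00" + (3).to_bytes(4, "little"))),
    ("https", "NTLM " + b64(b"NTLMSSP\x00" + (3).to_bytes(4, "little"))),
]

def assess(transport, authorization):
    """Return the list of exposures for one request (empty if none)."""
    findings = []
    tls = transport.lower() == "https"
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() == "basic":
        # Basic is base64("user:password"): an encoding, not encryption,
        # so anyone who sees the header can reverse it.
        try:
            user, sep, _password = base64.b64decode(blob, validate=True).partition(b":")
        except ValueError:
            user, sep = b"", b""  # malformed header, nothing to recover
        if sep and not tls:
            findings.append("password readable on the wire for " + user.decode("latin-1"))
    # Challenge/response schemes never send the password itself, but the
    # page content still travels in the clear unless the transport is SSL.
    if not tls:
        findings.append("response data unencrypted")
    return findings

def audit(requests):
    """Summarise each request as (transport, auth scheme, findings)."""
    return [(t, a.split(" ", 1)[0], assess(t, a)) for t, a in requests]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```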

Jake Marx

Apr 30, 2001, 7:13:41 PM
Hi Stephen,

> OK. Fair enough. I would also add that if you are going over an untrusted
> network (e.g., the Internet) then I would recommend using SSL regardless of
> which authentication mechanism you use. If the data is worth protecting with a
> username and password then, regardless of the authentication mechanism used, you
> should encrypt the data in transit. Don't be lulled into a false sense of
> security by using NT Challenge / Response and then not encrypting the data.

Why do you recommend that? I was under the impression that login info *is*
encrypted when you use NT Challenge/Response, so why do you need to encrypt
it with SSL?

Thanks,
Jake Marx


Jeff Dillon

Apr 30, 2001, 7:49:43 PM
NTCR doesn't work over the Internet, only on an Intranet (LAN)

Jeff

"Jake Marx" <ja...@longhead.com> wrote in message
news:e2nONsc0AHA.2040@tkmsftngp05...

Stephen L Nicoud

Apr 30, 2001, 7:56:12 PM
Because the data the user is requesting is *NOT* encrypted. I'm not talking
about the login information, I'm talking about the data referred to by the URL.

--
Reply to the newsgroup.

Stephen L Nicoud

Apr 30, 2001, 7:56:53 PM
NTCR *DOES* work over the Internet. It just doesn't work through all proxy
servers.

--
Reply to the newsgroup.

Jake Marx

Apr 30, 2001, 8:01:35 PM
Oh, I understand now - I didn't realize you were talking about the data
being transferred back and forth (even though you said it several times).
<g>

Thanks,
Jake

"Stephen L Nicoud" <nic...@hotmail.com> wrote in message

news:3AEDFB9C...@hotmail.com...

Jake Marx

Apr 30, 2001, 8:04:28 PM
> NTCR doesn't work over the Internet, only on an Intranet (LAN)
>
> Jeff

That's not true. I use it all the time over the Internet, and it works just
fine. The end user must be using IE on a Windows platform for it to work,
however.

Regards,
Jake

James M. Parker

May 1, 2001, 8:14:09 AM
Our SQL Server 7 box is NT 4, and the IIS 5.0 box is Win2K. From the other
posts, I gather that we either have to upgrade our SQL box, or use basic.
Thanks.

"Chip Andrews" <chipa...@usa.net.nospam> wrote in message
news:#JO4$P1zAHA.1896@tkmsftngp02...

Chip Andrews

May 1, 2001, 9:24:59 AM
If you use basic make sure to couple it with SSL.

Chip

"James M. Parker" <par...@nomail.com> wrote in message

news:ORYXqgj0AHA.1344@tkmsftngp03...

Jeff Dillon

May 1, 2001, 11:58:32 AM
I stand corrected. I just updated the web sites I'm responsible for to use
NTCR instead of Basic, and it seems to work fine.

Jeff


"Jake Marx" <ja...@longhead.com> wrote in message

news:eElIlId0AHA.428@tkmsftngp02...

Jeff Dillon

May 3, 2001, 6:20:45 PM
It doesn't work through AOL, so I had to pull it from my web sites.

So I probably would have to stick to my previous declaration that it doesn't
work over the Internet. AOL is too big to ignore.

Granted, it would work under controlled conditions.

Jeff

"Jake Marx" <ja...@longhead.com> wrote in message

news:eElIlId0AHA.428@tkmsftngp02...

Jake Marx

May 3, 2001, 6:40:26 PM
Hi Jeff,

> It doesn't work through AOL, so I had to pull it from my web sites.

Did you find that it doesn't work with the AOL browser, or that it doesn't
work with IE when the client is dialed in through the AOL network?

Thanks,

Jake Marx
www.longhead.com

Jeff Dillon

May 3, 2001, 7:19:49 PM
Windows/IE Client, dialed in through AOL.

We had several unhappy campers here over this one. Worked for me through my
local ISP that I tested against, but fails right away with a 401 when going
through AOL.

Jeff

"Jake Marx" <ja...@longhead.com> wrote in message

news:uKakmHC1AHA.2100@tkmsftngp02...

Jake Marx

May 3, 2001, 8:07:03 PM
Thanks for the info, Jeff!

"Jeff Dillon" <jef...@fidalgo.net> wrote in message
news:#k0DbeC1AHA.1588@tkmsftngp02...

James M. Parker

May 4, 2001, 3:39:54 PM
Is that a big deal if this is only over our company intranet? Thanks.

"Chip Andrews" <chipa...@usa.net.nospam> wrote in message

news:ucVpqIk0AHA.720@tkmsftngp03...

Chip Andrews

May 7, 2001, 9:12:07 AM
I would say yes. Allowing clear-text transmissions of credentials is to be
avoided - internal or external.

Chip

"James M. Parker" <par...@nomail.com> wrote in message

news:ueFUvHN1AHA.2036@tkmsftngp03...