Hello Terry,
For your scenario, it is a typical multi-tier application authentication
scenario. The nodes in your application stream are as below (each node on a
separate server machine):
ws client <----> webservice server<---> SQL Server 2005
The problem here is that the Windows identity of the client user (who runs the
client app to access the web service) can be forwarded to the web service
application; however, it cannot go further and jump to the SQL Server
machine. This is called a "double hop" case.
As Mariano has suggested, one way to let the Windows identity be forwarded
across multiple machines is using Kerberos delegation. However, this
approach has high requirements on the production environment (from the client to
the intermediate server and the backend server). They should be in the same
Win2K or Win2K3 domain (or different trusted domains), and each client
account (that needs to be authenticated and forwarded across multiple machines)
and the service's account need to be configured in AD. Here are some
references about ASP.NET delegation:
#ASP.NET Delegation
http://msdn2.microsoft.com/en-gb/lib...50(VS.71).aspx
#How To: Use Impersonation and Delegation in ASP.NET 2.0
http://msdn2.microsoft.com/en-us/library/ms998351.aspx
#How to configure an ASP.NET application for a delegation scenario
http://support.microsoft.com/default...b;en-us;810572
#Understanding Kerberos Credential Delegation in Windows 2000 Using the
TktView Utility
http://msdn.microsoft.com/msdnmag/is...y/default.aspx
BTW, I'm wondering whether you have to use Windows authentication to the
backend SQL Server? Is it possible that we use a fixed account to access the
SQL Server database? Or, if you care about the database access
permissions of the client users, do you think it is possible that we do the
authorization/validation in the web service methods, and always let those
users (who have passed the validation in the web service) access the backend
database (through a fixed account)?
Please feel free to share your considerations or any other concerns you
have.
Sincerely,
Steven Cheng
Microsoft MSDN Online Support Lead
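The trusted-subsystem alternative raised in the reply above, as an added example that is not code from the original thread: the web service authorizes the Windows caller itself and then talks to SQL Server under one fixed account, so the caller's identity never needs a second hop. It assumes an ASP.NET 2.0 ASMX service with Windows authentication and impersonation off; the connection-string name OrdersDb, the group CONTOSO\OrderReaders and the dbo.Orders table are assumptions.

```csharp
// Added example (not from the original post). Trusted subsystem: authorize
// the Windows caller in the web method, then query SQL Server under a fixed
// account. Names OrdersDb, CONTOSO\OrderReaders and dbo.Orders are assumed.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;
using System.Web.Services;

public class OrdersService : WebService
{
    // Fixed account: the app pool / service identity (Integrated Security)
    // or a dedicated SQL login. Either way it is not the caller's identity,
    // so the connection does not depend on Kerberos delegation.
    private static readonly string ConnString =
        ConfigurationManager.ConnectionStrings["OrdersDb"].ConnectionString;

    [WebMethod]
    public DataTable GetOrders(string customerId)
    {
        WindowsIdentity caller = HttpContext.Current.User.Identity as WindowsIdentity;
        // Reject anonymous or unauthenticated callers explicitly instead of
        // letting the request reach the database at all.
        if (caller == null || caller.IsAnonymous || !caller.IsAuthenticated)
            throw new UnauthorizedAccessException("Windows authentication required.");

        // Authorization is decided here, on the caller's group membership,
        // rather than by per-user permissions inside SQL Server.
        WindowsPrincipal principal = new WindowsPrincipal(caller);
        if (!principal.IsInRole(@"CONTOSO\OrderReaders"))
            throw new UnauthorizedAccessException(caller.Name + " is not an order reader.");

        // Data access under the fixed account; parameterized query, so the
        // caller-supplied customerId is never concatenated into SQL text.
        using (SqlConnection conn = new SqlConnection(ConnString))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT OrderId, OrderDate FROM dbo.Orders WHERE CustomerId = @cid", conn))
        {
            cmd.Parameters.Add("@cid", SqlDbType.NVarChar, 20).Value = customerId;
            DataTable result = new DataTable("Orders");
            conn.Open();
            result.Load(cmd.ExecuteReader());
            return result;
        }
    }
}
```

With this layout the fixed account needs only the permissions the web service itself requires, and auditing which end user asked for what has to be done in the service (for example by logging caller.Name), since SQL Server only ever sees the service account.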