Hi. Hope one of you gurus out there can help me.
If possible, I want to keep the generic web user (IUSR_machine) out of
our SQL Server. I also want to leverage our SQL Server integrated
permissions structure for intranet users accessing SQL Server via the
web, since those users already have usernames and passwords in the NT
domain. Otherwise I have to reinvent the wheel and build and maintain a
whole separate permission structure for intranet users, using SQL Server
I have an ASP app running on IIS 4. It connects with SQL Server running
on a different machine in the same domain. The web server is the PDC
and the db server is a BDC. Anonymous and NT Challenge/Response
authentication are enabled on IIS. The folders on the web server where
the asp app lives are intentionally off-limits to IUSR_machinename,
because I want IE to either use the user's active NT logon (if any), or
else prompt the iser for his/her NT logon info to proceed. That much
works fine: If the user is not logged onto the NT domain when he/she
surfs to the directory, the browser displays a prompt, the web server
accepts the logon, and then allows access.
Unfortunately, the next piece doesn't work. Somehow the NT logon info
the user is not being passed successfully over to SQL Server, since it
rejects the logins every time. (*Direct* trusted connections by the same
users to SQL Server work fine.) If I set the DSN on the web server to
use SQL standard security, and have the web page query the user for a
standard username and password - or else allow IUSR_machine into SQL as
a guest under standard security - the connection works fine, so there is
probably no fundamental problem with connectivity in the asp. I have
also tried using "DSN-less" connections and that doesn't seem to help.
I'm pretty sure the problem lies between the web server and SQL Server,
but I don't know how to fix it. Any ideas?
Thanks in advance!!
Jamaica Plain, Massachusetts