COM+ and SQL Server; COM+, SQL Server, and Integrated Security; Integrated Security [Solved :-)]

Post by Bradley Silbe » Thu, 26 Jul 2001 19:05:57



Hi All,

Firstly let me thank everyone for their insight and advice.

Finally the problem has been solved and in the end was quite simple. There
is no need to configure the server or COM+ application differently from the
default i.e. Active Directory accounts are not trusted for delegation (also
*not* marked as sensitive), COM+ application has default impersonation level
(impersonate), server is not trusted for delegation, global DCOM settings
are the default.

The following code snippet solved the problem (Inserted into the data access
component - gotta love this tiered architecture):

Private Declare Function CoImpersonateClient Lib "ole32.dll" () As Long
Private Declare Function CoRevertToSelf Lib "ole32.dll" () As Long

Private Function OpenConnection(ByVal vsConnectionString As String) As ADODB.Connection
    Dim cn As ADODB.Connection
    On Error GoTo Fail
    ' Run as the COM+ caller (the web user) just long enough to log in
    CoImpersonateClient
    Set cn = New ADODB.Connection
    ' With Integrated Security=SSPI in the string, the impersonated caller logs in
    cn.Open vsConnectionString
    ' Drop back to the server process identity before handing out the connection
    CoRevertToSelf
    Set OpenConnection = cn
    Exit Function
Fail:
    CoRevertToSelf   ' never stay impersonated if Open fails
    Err.Raise Err.Number, Err.Source, Err.Description
End Function

One thing to note is that this does *not* work when the IIS server is
configured with integrated security. I have tested it with Basic Clear
Text ...  In the case of using the integrated security the application
server tries to log into the database as the NT Authority ??? (anyone care
to comment).

This solution comes from the book: Designing Secure Windows 2000
Application, Microsoft Press, (don't know the author off hand). Very good
book if anyone is interested.

Thanks to all for the help and insight.
Cheers,
Bradley

PS: The multiple topic subject line and post address should give an idea of
how many different posts I attempted and forums I posted to.

 
 
 

Post by Adrian Batema » Fri, 27 Jul 2001 01:05:41



> One thing to note is that this does *not* work when the IIS server is
> configured with integrated security. I have tested it with Basic Clear
> Text ...  In the case of using the integrated security the application
> server tries to log into the database as the NT Authority ??? (anyone care
> to comment).

It doesn't work with integrated security because the IIS server never knows
what the password actually is, it just knows that the challenge/response was
successful. For this reason, it doesn't have the credentials to log on to
the SQL Server computer, and you can't forward NTLM logins from one machine
to another (unless you make use of Kerberos).

Ade.

 
 
 

Post by Bradley Silbe » Fri, 27 Jul 2001 01:54:42


Hi,

I was under the impression that I was using Kerberos.
If I am not, any idea why not?
I have configured everything (at least I thought I did) to make use of
Kerberos (AD etc).

Cheers,
Bradley




> > One thing to note is that this does *not* work when the IIS server is
> > configured with integrated security. I have tested it with Basic Clear
> > Text ...  In the case of using the integrated security the application
> > server tries to log into the database as the NT Authority ??? (anyone care
> > to comment).

> It doesn't work with integrated security because the IIS server never knows
> what the password actually is, it just knows that the challenge/response was
> successful. For this reason, it doesn't have the credentials to log on to
> the SQL Server computer, and you can't forward NTLM logins from one machine
> to another (unless you make use of Kerberos).

> Ade.

 
 
 

Post by Adrian Batema » Fri, 27 Jul 2001 03:51:54



> I was under the impression that I was using Kerberos.
> If I am not, any idea why not?
> I have configured everything (at least I thought I did) to make use of
> Kerberos (AD etc).

Kerberos is only used if you configure it in the group policy. By default,
NTLM authentication is used, even with the Active Directory.

In addition, there are significant security issues with opening up IIS
authentication using Kerberos - the browser needs access to the Kerberos
server which might be a problem in an Internet environment.

Regards,

Ade.

 
 
 

Post by sabb » Fri, 27 Jul 2001 06:07:34


actually delegation from the browser to the DB is only for intranet
scenario.
basic+https is the way to go in internet
p.s.: bradley, i've got the book you mention as well, but you could have
found the tips you mention to set up delegation in my FAQ as well :)

--

MTS / COM+ / VBCOM FAQ (and more) : www.sabbasoft.com/mts_faq.htm




> > I was under the impression that I was using Kerberos.
> > If I am not, any idea why not?
> > I have configured everything (at least I thought I did) to make use of
> > Kerberos (AD etc).

> Kerberos is only used if you configure it in the group policy. By default,
> NTLM authentication is used, even with the Active Directory.

> In addition, there are significant security issues with opening up IIS
> authentication using Kerberos - the browser needs access to the Kerberos
> server which might be a problem in an Internet environment.

> Regards,

> Ade.

 
 
 

Post by Adrian Batema » Fri, 27 Jul 2001 20:46:55


There's no reason why you can't use Kerberos over the Internet, it's just
not a good idea for the reason I specified - you have to open the Kerberos
port on your firewall which you probably don't want to do.


> actually delegation from the browser to the DB is only for intranet
> scenario.
> basic+https is the way to go in internet
> p.s.: bradley, i've got the book you mention as well, but you could have
> found the tips you mention to set up delegation in my FAQ as well :)

> --

> MTS / COM+ / VBCOM FAQ (and more) : www.sabbasoft.com/mts_faq.htm





> > > I was under the impression that I was using Kerberos.
> > > If I am not, any idea why not?
> > > I have configured everything (at least I thought I did) to make use of
> > > Kerberos (AD etc).

> > Kerberos is only used if you configure it in the group policy. By default,
> > NTLM authentication is used, even with the Active Directory.

> > In addition, there are significant security issues with opening up IIS
> > authentication using Kerberos - the browser needs access to the Kerberos
> > server which might be a problem in an Internet environment.

> > Regards,

> > Ade.

 
 
 

Post by Bradley Silbe » Sat, 28 Jul 2001 16:13:48


Hi,

I'm a little confused. I was under the impression that one of the biggest
advantages of Kerberos is for use in a distributed environment and
especially for single signon. Is it not just as simple as issuing the client
(browser) with a certificate, setting up certificate to user mappings in
IIS, and setting integrated security on in IIS? In the scenario that I am
implementing users will be connecting via a VPN over the Internet using
L2TP/IPSec as the tunneling and security protocol, therefore I will have to
issue a certificate to each client anyway.

Cheers,
Bradley


> There's no reason why you can't use Kerberos over the Internet, it's just
> not a good idea for the reason I specified - you have to open the Kerberos
> port on your firewall which you probably don't want to do.



> > actually delegation from the browser to the DB is only for intranet
> > scenario.
> > basic+https is the way to go in internet
> > p.s.: bradley, i've got the book you mention as well, but you could have
> > found the tips you mention to set up delegation in my FAQ as well :)

> > --

> > MTS / COM+ / VBCOM FAQ (and more) : www.sabbasoft.com/mts_faq.htm

> > > > I was under the impression that I was using Kerberos.
> > > > If I am not, any idea why not?
> > > > I have configured everything (at least I thought I did) to make use of
> > > > Kerberos (AD etc).

> > > Kerberos is only used if you configure it in the group policy. By default,
> > > NTLM authentication is used, even with the Active Directory.

> > > In addition, there are significant security issues with opening up IIS
> > > authentication using Kerberos - the browser needs access to the Kerberos
> > > server which might be a problem in an Internet environment.

> > > Regards,

> > > Ade.

 
 
 

 
 
 

Post by sabb » Sat, 28 Jul 2001 16:57:20


yes, technically it is possible.
but i think it's quite a crazy idea,
client certificates, or basic authentication over https is a much more
manageable solution
IMHO

--

http://www.sabbasoft.com
MTS/COM+ / VB-COM FAQ: http://www.sabbasoft.com/mts_faq.htm


> There's no reason why you can't use Kerberos over the Internet, it's just
> not a good idea for the reason I specified - you have to open the Kerberos
> port on your firewall which you probably don't want to do.



> > actually delegation from the browser to the DB is only for intranet
> > scenario.
> > basic+https is the way to go in internet
> > p.s.: bradley, i've got the book you mention as well, but you could have
> > found the tips you mention to set up delegation in my FAQ as well :)

> > --

> > MTS / COM+ / VBCOM FAQ (and more) : www.sabbasoft.com/mts_faq.htm

> > > > I was under the impression that I was using Kerberos.
> > > > If I am not, any idea why not?
> > > > I have configured everything (at least I thought I did) to make use of
> > > > Kerberos (AD etc).

> > > Kerberos is only used if you configure it in the group policy. By default,
> > > NTLM authentication is used, even with the Active Directory.

> > > In addition, there are significant security issues with opening up IIS
> > > authentication using Kerberos - the browser needs access to the Kerberos
> > > server which might be a problem in an Internet environment.

> > > Regards,

> > > Ade.

 
 
 

Post by Adrian Batema » Sun, 29 Jul 2001 00:43:39


Well, it depends what your definition of "distributed environment" is, but
yes, single sign-on is one of the advantages.

A client certificate is used for setting up a secure communication channel,
and doesn't really have anything to do with Kerberos. You can configure IIS
to map particular client certificates to user accounts and passwords so it
can use this mapping to log-in.

If you use Kerberos with IIS and Internet Explorer, IIS will request
authentication from the browser. IE will then contact the KDC and request a
TGT, which it gets if the correct credentials were supplied. Next it passes
the TGT along with information about the IIS server (so it can verify that
the authentication request was genuine) to the KDC to get a resource ticket,
which it sends to IIS to authenticate itself. The problem is, both the
server and the client need a trusted connection to the KDC (Kerberos
server).

In your case, if you're using an encrypted VPN channel, you may be able to
rely on the connection to Kerberos and you would be able to make use of
this. (Clearly, in an Internet environment, this might not be such a good
idea, since you don't want to open up access to the KDC to Joe Public).

Regards,

Ade.


> Hi,

> I'm a little confused. I was under the impression that one of the biggest
> advantages of Kerberos is for use in a distributed environment and
> especially for single signon. Is it not just as simple as issuing the client
> (browser) with a certificate, setting up certificate to user mappings in
> IIS, and setting integrated security on in IIS? In the scenario that I am
> implementing users will be connecting via a VPN over the Internet using
> L2TP/IPSec as the tunneling and security protocol, therefore I will have to
> issue a certificate to each client anyway.

> Cheers,
> Bradley

> > There's no reason why you can't use Kerberos over the Internet, it's just
> > not a good idea for the reason I specified - you have to open the Kerberos
> > port on your firewall which you probably don't want to do.

> > > actually delegation from the browser to the DB is only for intranet
> > > scenario.
> > > basic+https is the way to go in internet
> > > p.s.: bradley, i've got the book you mention as well, but you could have
> > > found the tips you mention to set up delegation in my FAQ as well :)

> > > --

> > > MTS / COM+ / VBCOM FAQ (and more) : www.sabbasoft.com/mts_faq.htm

> > > > > I was under the impression that I was using Kerberos.
> > > > > If I am not, any idea why not?
> > > > > I have configured everything (at least I thought I did) to make use of
> > > > > Kerberos (AD etc).

> > > > Kerberos is only used if you configure it in the group policy. By default,
> > > > NTLM authentication is used, even with the Active Directory.

> > > > In addition, there are significant security issues with opening up IIS
> > > > authentication using Kerberos - the browser needs access to the Kerberos
> > > > server which might be a problem in an Internet environment.

> > > > Regards,

> > > > Ade.
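The two mechanisms Ade describes in this thread (NTLM challenge/response, which IIS cannot forward to SQL Server because it never held the password, and the Kerberos TGT/service-ticket flow in which a forwarded ticket lets the middle tier act for the user), plus Bradley's observation that Basic authentication with CoImpersonateClient does reach SQL Server as the web user, are modelled below as an added toy example. This is not code from the thread, from any of its posters, or from Windows; every user name, key and message format is constructed, an HMAC stands in for the real protocol cryptography, "forwardable" stands in for the trusted-for-delegation setting, and forwarding is modelled simply as the client handing IIS a copy of its TGT.

```python
"""Toy model of the double hop the thread is about: the browser logs in to IIS
(hop 1) and the COM+ data-access component then logs in to SQL Server (hop 2).
Constructed example, not code from the thread; all names, keys and message
formats are made up and the keyed hash stands in for the real protocol crypto."""
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed "domain": only the DC/KDC ever holds a user's secret.
USER_SECRETS = {"alice": b"alice-secret"}
SERVICE_KEYS = {"iis": b"iis-key", "sqlserver": b"sql-key"}
KDC_KEY = b"kdc-key"


def prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


# ---- NTLM-style challenge/response ----------------------------------------
def dc_check_response(user: str, challenge: bytes, response: bytes) -> bool:
    """The DC checks the response; the server that asked only learns yes/no."""
    secret = USER_SECRETS.get(user)
    return secret is not None and hmac.compare_digest(prf(secret, challenge), response)


def ntlm_logon(server: str, user: str, responder: Callable[[bytes], bytes]) -> dict:
    """One challenge/response round at `server` (IIS or SQL Server).
    `responder` is whatever the caller can do with a fresh challenge."""
    challenge = os.urandom(16)
    response = responder(challenge)
    ok = dc_check_response(user, challenge, response)
    # All the server can keep is a response to *its own* challenge.
    return {"server": server, "user": user if ok else None, "ok": ok,
            "cached": (challenge, response)}


def hop2_with_integrated_auth(hop1: dict) -> dict:
    """IIS authenticated the browser with NTLM and now opens the DB connection.
    It never saw a password, only the old (challenge, response) pair, so the best
    it can do is replay that against SQL Server's fresh challenge; the DC says no."""
    _, old_response = hop1["cached"]
    return ntlm_logon("sqlserver", hop1["user"], lambda fresh: old_response)


def hop2_with_basic_auth(user: str, password: bytes) -> dict:
    """With Basic authentication IIS received the password itself, so inside
    CoImpersonateClient it can answer SQL Server's fresh challenge properly."""
    return ntlm_logon("sqlserver", user, lambda fresh: prf(password, fresh))


# ---- Kerberos-style tickets ------------------------------------------------
def kdc_issue_tgt(user: str, proof: bytes, forwardable: bool) -> dict:
    """AS exchange: a TGT, sealed with the KDC key, for a client that proves the
    user's secret. `forwardable` models the 'trusted for delegation' setting."""
    secret = USER_SECRETS.get(user)
    if secret is None or not hmac.compare_digest(prf(secret, b"AS-REQ"), proof):
        raise PermissionError("bad credentials")
    body = f"{user}|forwardable={int(forwardable)}".encode()
    return {"body": body, "seal": prf(KDC_KEY, body)}


def kdc_issue_service_ticket(tgt: dict, service: str) -> dict:
    """TGS exchange: a valid TGT buys a ticket for `service`, sealed with the
    service's key and naming the TGT's principal."""
    if not hmac.compare_digest(prf(KDC_KEY, tgt["body"]), tgt["seal"]):
        raise PermissionError("forged TGT")
    principal = tgt["body"].split(b"|")[0].decode()
    body = f"{principal}@{service}".encode()
    return {"body": body, "seal": prf(SERVICE_KEYS[service], body)}


def service_accept(service: str, ticket: dict) -> Optional[str]:
    """The service checks the seal with its own key; no DC round trip needed."""
    if not hmac.compare_digest(prf(SERVICE_KEYS[service], ticket["body"]), ticket["seal"]):
        return None
    principal, _, svc = ticket["body"].decode().partition("@")
    return principal if svc == service else None


def kerberos_double_hop(user: str, forwardable: bool) -> tuple:
    """Browser -> IIS -> SQL Server. IIS can get a SQL Server ticket in the
    user's name only if the client forwarded its TGT (delegation); otherwise it
    holds a ticket good for IIS alone and cannot make the second hop."""
    tgt = kdc_issue_tgt(user, prf(USER_SECRETS[user], b"AS-REQ"), forwardable)
    iis_sees = service_accept("iis", kdc_issue_service_ticket(tgt, "iis"))
    if not forwardable:
        return iis_sees, None
    forwarded_tgt = tgt  # modelled as the client handing IIS a copy of its TGT
    sql_sees = service_accept("sqlserver", kdc_issue_service_ticket(forwarded_tgt, "sqlserver"))
    return iis_sees, sql_sees


if __name__ == "__main__":
    hop1 = ntlm_logon("iis", "alice", lambda c: prf(USER_SECRETS["alice"], c))
    print("IIS sees:", hop1["user"], "| SQL via NTLM forwarding:", hop2_with_integrated_auth(hop1)["user"])
    print("SQL via Basic + impersonation:", hop2_with_basic_auth("alice", b"alice-secret")["user"])
    print("Kerberos without/with delegation:", kerberos_double_hop("alice", False), kerberos_double_hop("alice", True))
```

Running it shows the three outcomes the thread reports: the NTLM replay at hop 2 fails (the real server ends up as an anonymous login, the "NT Authority" Bradley saw), Basic authentication plus impersonation succeeds because the password was available for a fresh logon, and Kerberos reaches SQL Server as the user only when the ticket is forwarded.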

 
 
 

Post by Adrian Batema » Sun, 29 Jul 2001 00:47:35


Well, it depends. I wouldn't say client certificates were particularly
manageable, and basic authentication means that you always have to type your
password in, or at least respond to the login dialog, whereas with Windows
Security IE will pass your login credentials. In a corporate application
environment or extranet, this may be preferable. In the end, I only raised
Kerberos as an issue because the NTLM challenge/response authentication
can't be forwarded from one server to another.

Ade.


> yes, technically it is possible.
> but i think it's quite a crazy idea,
> client certificates, or basic authentication over https is a much more
> manageable solution
> IMHO

 
 
 

SQL Server, COM+, Integrated Security, and Delegation/Impersonation

Hi All,

I am trying to configure COM+ so that when a client accesses the COM
components registered in COM+ via a browser and ASP, the client's credentials
are used to log in to SQL Server 2000. I have tried every impersonation
setting in COM+ but the database login is always the same (Interactive User
or, if configured, the user account under which the COM+ application is set to
run). The connection string is as follows:

Provider=SQLOLEDB;Initial Catalog=Database; Integrated Security=SSPI;Data Source=SQLServer

The client is a web user and I am using Basic Clear Text authentication. If
I check the security context, while in the COM call, I can see that the
correct credentials have been returned i.e. the client initiating the COM
call.

Any ideas would be greatly appreciated.

Thanks,
Bradley
