I had all the settings configured as you suggested (on IIS and Web.Config) except for the Integrated Security setting. After confirming that all was as you suggested, I reinstalled my app on my webserver. Now I don't even get prompted for username/password when I connect to the server. So when I try to connect to my SQL database, it's trying to connect as 'NT AUTHORITY\ANONYMOUS LOGON'.
"server=insert server name here;trusted_connection=yes;database=databaseNameHere;Integrated Security=SSPI;"
Turns out it was caused by my checking the 'Integrated Windows Security' box on the IIS Directory Security dialog. The problem is that when I uncheck this box, the user has to log into the IIS box (and not the domain). I need them to log into the domain. We are going to have hundreds of users who will need Domain Accounts as well as local IIS accounts (a maintenance nightmare). Also, I need them to authenticate to the domain so that I can get information about their groups.
I don't know enough about NT security to make any decisions. I will try to make it through the paper you suggested (there's a lot of information there!). I think I'll try to find someone who might be willing to do some security consulting work (any recommendations/ideas?) to make sure I architect the solution to meet our strict banking security and business needs.
m