Tech Web Site Login Failed

Open discussion about the Asset Navigator Web HelpDesk

Postby domdalessandro on Fri Mar 09, 2007 12:21 pm

We are running AN 4.5.3. The user web interface works fine. We recently tried to enable the Tech web interface. IIS and global.asa are configured identically. Users can log in to the user web interface with no problems. When a tech tries to log in to the tech interface, they get "Error: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'".

IIS has anonymous access unchecked and Integrated Windows Authentication selected. Both global.asa files have this config:

Session("Impersonation")=UCase("BASIC")
'---------------------------------------------
' Authentication type valid value "WINDOWS", "STANDARD"
'---------------------------------------------
Session("Authentication")=UCase("WINDOWS")
'---------------------------------------------
' Impersonation account
'---------------------------------------------
Session("DBLogin")="ANuser"
Session("DBPassword")="Password"
'---------------------------------------------
' SQL Server parameters
'---------------------------------------------
Session("DBServer")="DBSERVER"
Session("DataBase")="AssetNav"

Again, both the user and tech interface have the same config, but the tech interface does not work.

Any ideas? I tried rerunning the config program, but no luck.

Thanks!

-Dom
domdalessandro
Junior
 
Posts: 4
Joined: Wed Jan 18, 2006 3:27 pm

Postby pille on Tue Mar 13, 2007 9:29 am

Is IIS on the same machine as your SQL server?

If they are on different boxes, are you able to access the page if you change the authentication type from Windows Integrated to Windows Basic?
Contact Technical Services directly:
support@alloy-software.com
http://support.alloy-software.com

Paul Ille
Alloy Software
Maximize your IT Universe
Follow us on Twitter: http://twitter.com/alloysoftware
pille
Alloy Software
 
Posts: 473
Joined: Thu Aug 11, 2005 3:11 pm
Location: New Jersey, USA

Postby domdalessandro on Tue Mar 13, 2007 9:38 am

No. IIS is on a different server than the SQL Server.

I thought I already have Windows Basic Authentication set with the following lines in the global.asa file:

Session("Impersonation")=UCase("BASIC")
Session("Authentication")=UCase("WINDOWS")
Session("DBLogin")="ANuser"
Session("DBPassword")="Password"
Session("DBServer")="DBSERVER"
Session("DataBase")="AssetNav"

Is there something else I am missing? What should I change in the global.asa file?
domdalessandro
Junior
 
Posts: 4
Joined: Wed Jan 18, 2006 3:27 pm

Postby pille on Tue Mar 13, 2007 9:45 am

Basic is set for the impersonation account, but not for the actual login. To set it to basic try this:

  1. Go into IIS
  2. Right click portal in question and go to properties
  3. Click on directory security tab
  4. Click on Edit under Anonymous access...
  5. Uncheck Windows Integrated
  6. Check Windows Basic


Restarting IIS shouldn't be needed.

When you access the page now, you should be prompted for a login. Provide your credentials. Log in with a valid Windows account. You'll probably need to use the following format:

domain\username
password

Does this work?
pille
Alloy Software
 
Posts: 473
Joined: Thu Aug 11, 2005 3:11 pm
Location: New Jersey, USA

Postby domdalessandro on Tue Mar 13, 2007 10:28 am

This does work.

Is there a reason why the Integrated Windows Authentication works on the user web interface and not the Tech web interface?

How can I get the Integrated Windows Authentication to work?
domdalessandro
Junior
 
Posts: 4
Joined: Wed Jan 18, 2006 3:27 pm

Postby pille on Tue Mar 13, 2007 11:53 am

Well, technically neither one should work. This is because of a Microsoft limitation. See the information below:

=================================

Windows Authentication with Web Portal - IIS and SQL on different machines
--------------------------------------------------------------------------------
ID: KB000571 Modified: 12/6/2006 2:00:00 PM Version: 1.0
--------------------------------------------------------------------------------

SQL Server and Integrated Security limitation

When accessing SQL Server with integrated security from Active Server Pages (ASP) there are some limitations:

http://support.microsoft.com/default.as ... -us;176377

SUMMARY
When accessing SQL Server with integrated security from Active Server Pages (ASP) there are some limitations that you should be aware of when designing your Web site. This article gives a high-level overview of these limitations and describes possible workarounds.

NOTE: This limitation was fixed in Windows 2000 but for Kerberos security only.

MORE INFORMATION
Microsoft SQL Server Integrated Security requires NTLM authentication in order to map user accounts to SQL Server accounts. This process requires that a token be created during the authentication process. This token requires the user password to create a private encryption key. Because of this, the token can only be created on a domain controller or the logged on user's machine. Also note that Windows NT 4.0 does not allow the forwarding of such tokens.

With these points in mind you can see that after a Web browser is authenticated by Internet Information Server (IIS), an authenticated connection to the SQL Server is not possible. At this point when IIS attempts to connect to SQL Server via NTLM, IIS does not have the necessary information to complete the NT authentication process.

WORKAROUNDS
Host IIS and SQL Server on the Same Machine

By eliminating the need for IIS to create an authenticated connection to SQL Server, you can work around this problem. To do this you must use a data source name (DSN) that does not look out to the network for the SQL Server and instead looks directly to the local machine. This can be done by using the "(local)" setting in a System DSN.

Use Basic Authentication Instead of NTLM in IIS

By using Basic authentication, the password is BASE64 encoded and sent to IIS during the authentication process. With the password, IIS can now complete the NTLM authentication process when connecting to SQL Server.

NOTE: This method is not secure. BASE64 encoded passwords can be decrypted by anyone able to sniff network packets over the Internet or intranet.

Map the Anonymous User Account from IIS to a SQL Server Guest Account

This method assumes that all users will have the same level of privileges to the SQL Server resources. This method is most often the LEAST acceptable option.

Enable Kerberos Delegation

Setting up Kerberos delegation in your domain will allow Windows authentication with IIS and SQL on separate machines. Details on Kerberos are included in the related article. Please note that assistance with Kerberos setup is not included in the scope of Alloy support.

=================================

We do have instructions on configuring Kerberos if you need it.
pille
Alloy Software
 
Posts: 473
Joined: Thu Aug 11, 2005 3:11 pm
Location: New Jersey, USA
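
The KB text quoted in the post above notes that Basic authentication sends the password Base64-encoded, which is an encoding and not encryption. As an added example (not part of the original thread or of Alloy's product), this Python sketch audits request records and flags those that carry Basic credentials over plain HTTP; the record layout, paths and accounts are constructed assumptions.

```python
import base64
import binascii

def make_basic(user_pass: bytes) -> str:
    """Build an Authorization header value the way a browser does for Basic auth."""
    return "Basic " + base64.b64encode(user_pass).decode("ascii")

# Constructed sample requests (not real traffic); paths and accounts are hypothetical.
SAMPLE_REQUESTS = [
    {"scheme": "http", "path": "/tech/", "authorization": make_basic(b"EXAMPLE\\tech1:constructed-pw")},
    {"scheme": "https", "path": "/tech/", "authorization": make_basic(b"EXAMPLE\\tech2:pw:with:colons")},
    {"scheme": "http", "path": "/user/", "authorization": "Negotiate Y29uc3RydWN0ZWQ="},
    {"scheme": "http", "path": "/tech/", "authorization": "Basic !!not-base64!!"},
]

def parse_basic(header: str):
    """Return (username, password) from a Basic header, or None if it is not one."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only the first colon separates user from password; passwords may contain colons.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def audit(requests):
    """List requests carrying Basic credentials and whether they crossed the wire unencrypted."""
    findings = []
    for req in requests:
        creds = parse_basic(req.get("authorization", ""))
        if creds is None:
            continue  # Negotiate headers and malformed tokens yield no decodable password
        user, password = creds
        findings.append({
            "path": req["path"],
            "user": user,
            "password_len": len(password),  # report length only, never the secret itself
            "cleartext": req["scheme"].lower() != "https",
        })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUESTS):
        print(finding)
```

Findings with `cleartext` set to true are the exposure the KB note describes; serving the portal over HTTPS encrypts the header in transit.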

Postby domdalessandro on Tue Mar 13, 2007 1:11 pm

Paul,
Thanks for your help. I think we'll stick with the basic authentication for now. Our techs can live with having to type a login and password once in a while. ;-) I'll worry about it when we start planning to move to AN5.

Thanks for the info and all your help!

-Dom
domdalessandro
Junior
 
Posts: 4
Joined: Wed Jan 18, 2006 3:27 pm

