Monday, March 12, 2012

Integrated Security across machines

I have two machines called MA and MB. MA is hosting IIS and MB is hosting SQL
Server. I'd like to use integrated security to access SQL Server in my
application hosted in IIS. How should I configure the SQL Server so that it
can recognize the Network Service account on another machine?
Thanks.
Daniel
Hello Daniel,
I understand that you'd like the web application to access SQL Server using
the Network Service account. If I'm off-base, please let me know.
Usually it is suggested that you use a domain account in this situation as
the identity of the IIS application pool, and set "impersonate" to false in
the web.config of the ASP.NET application.
The other option is to set "impersonate" to true and grant each client
domain user the proper permissions on the remote SQL Server. Please note
that in this situation IIS has to use Kerberos authentication and must be
enabled to "delegate" the user credentials to the remote SQL Server.
KB 891031: Common security issues when you access remote resources from
ASP.NET applications
http://support.microsoft.com/default.aspx?scid=kb;EN-US;891031
Building Secure ASP.NET Applications: Authentication, Authorization, and
Secure Communication
http://msdn2.microsoft.com/en-us/library/aa302387.aspx
KB 810572: How to configure an ASP.NET application for a delegation scenario
http://support.microsoft.com/default.aspx?scid=kb;EN-US;810572
It is not recommended to use the Network Service account in this situation.
Since the Network Service account actually uses the machine account to
access a remote server, you may try to add "domain\server$" as a SQL Server
login and grant it some permissions. However, this may not work as expected
and may open a security hole.
If you have any comments or feedback, please feel free to let me know.
Thank you.
Best Regards,
Peter Yang
MCSE2000/2003, MCSA, MCDBA
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications
Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
<http://msdn.microsoft.com/subscriptions/support/default.aspx>.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
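As an added example, not part of the original thread or of Peter's reply: the SQL Server side of the two configurations described above, written in T-SQL. It assumes the domain is CONTOSO, the web server is MA (so the principal that Network Service presents to a remote server is the machine account CONTOSO\MA$), the application database is AppDb, and the role and group names are placeholders; none of these names come from the original post. It creates the login, maps it to a least-privilege database role, and ends with the check a practitioner wants before trusting either setup: which principal SQL Server actually sees on the connection, and whether it arrived over Kerberos or NTLM, which is what the delegation scenario depends on.

```sql
-- Added example, not code from the original thread.  Assumed names:
-- CONTOSO = AD domain, MA = IIS server (machine account CONTOSO\MA$),
-- AppDb = application database, webapp_role / CONTOSO\WebAppUsers =
-- placeholder role and group.  Run sections 1 and 2 as sysadmin on MB.

USE [master];
GO

-- 1. Login for the IIS box's machine account.  A process running as
--    Network Service (or LocalSystem) on MA authenticates to a remote
--    SQL Server as CONTOSO\MA$, so this is the principal MB sees.
--    Caveat: this admits *every* service on MA that runs as Network
--    Service or LocalSystem, not only the web application.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\MA$')
    CREATE LOGIN [CONTOSO\MA$] FROM WINDOWS WITH DEFAULT_DATABASE = [AppDb];
GO

-- Alternative for the impersonate=true / Kerberos delegation case: grant a
-- domain group containing the client users instead of the machine account,
-- and add that group to the same role below.
-- CREATE LOGIN [CONTOSO\WebAppUsers] FROM WINDOWS WITH DEFAULT_DATABASE = [AppDb];

-- 2. Map the login to a database user and grant only what the application
--    needs, via a role rather than direct grants to the principal.
USE [AppDb];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\MA$')
    CREATE USER [CONTOSO\MA$] FOR LOGIN [CONTOSO\MA$];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'webapp_role' AND type = 'R')
    CREATE ROLE [webapp_role];
GO
-- Data access and stored-procedure execution on the application schema only;
-- no db_owner, no server-level roles.
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::[dbo] TO [webapp_role];
GRANT EXECUTE ON SCHEMA::[dbo] TO [webapp_role];
-- ALTER ROLE ... ADD MEMBER needs SQL Server 2012 or later; on 2005/2008 use
-- EXEC sp_addrolemember N'webapp_role', N'CONTOSO\MA$';
ALTER ROLE [webapp_role] ADD MEMBER [CONTOSO\MA$];
GO

-- 3. Verification: run this through the application's own connection (for
--    example from a test page), not from Management Studio, because it
--    reports the identity of the *current* session.  login_name shows
--    whether the server sees CONTOSO\MA$, the pool's domain account, or the
--    impersonated end user; auth_scheme = 'NTLM' means Kerberos is not in
--    use and delegation to SQL Server cannot work yet.
SELECT SUSER_SNAME()   AS login_name,
       USER_NAME()     AS db_user,
       c.auth_scheme   AS auth_scheme,
       c.client_net_address
FROM   sys.dm_exec_connections AS c
WHERE  c.session_id = @@SPID;
```

With impersonate=false and a domain account as the application pool identity, the same script applies with that account's name in place of CONTOSO\MA$. The caveat Peter raises is exactly why the machine-account login is the least preferred of the three: anything on MA running as Network Service or LocalSystem inherits the database access, which is why the domain service account with impersonate=false is the recommended option.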
|||Using a domain account is a nice way, I think. But we have one problem:
the company IT policy states that each AD account must be bound to an actual
human user. So up to now, we can't create AD accounts for our system. And AD
accounts for users have a policy of changing the password every 45 days. I
think there must be a good reason for the company to establish this policy,
maybe for the sake of SOX. Do you know the reason for such a policy? How do
other people work around such problems?
Thanks.
Daniel
|||Many companies will also have policies for service accounts, with service
accounts being in a different OU from user accounts. They should have some
requirements for service accounts and for what accounts services will use.
-Sue
On Wed, 28 Feb 2007 01:13:13 -0800, Daniel
<daniel.shen@.newsgroup.nospam> wrote:
|||Hello Daniel,
I agree that this policy is for security purposes. However, as Sue
mentioned, it makes sense to have a different policy for service accounts.
Otherwise you have to change the password of the service account accordingly
and restart services when necessary. This could be done by a script or
manually.
If you have further questions or concerns, please feel free to let us know.
Thank you.
Best Regards,
Peter Yang
MCSE2000/2003, MCSA, MCDBA
Microsoft Online Partner Support
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
==================================================
|||Hello Daniel,
Just want to check in if you have further questions on the issue. Please
feel free to post back if you need any help.
Thanks & Regards,
Peter Yang
MCSE2000/2003, MCSA, MCDBA
Microsoft Online Partner Support
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
