RE: Integrated Authentication on IIS 6.0

Well, isn't it always a minor detail that makes the difference? This
problem occurred because part of my upgrade included separating IIS and
my SQL server. Well, guess what, good ole' Microsoft has included a
"feature" that will not allow credentials to be passed from IIS to SQL
if SQL is on a different machine. DOAH! It's called the 2 hop issue and
is a problem even for their loyal ASP developers. 

Anyway apparently there are 3 solutions:

1. Set up a complex Kerberos delegation configuration based on a lengthy
article from Microsnot and cross your fingers.
2. Install SQL server on your IIS machine.
3. Don't use integrated authentication.

ALL of my permissions are set up based on a domain user group. Access to
the system was added by putting a user in that group. It was a beautiful
thing until this doozy appeared. :-\

Thanks anyway. No wonder there wasn't much response.

<>< Ryan 

-----Original Message-----
From: tg-php@xxxxxxxxxxxxxxxxxxxxxx
[mailto:tg-php@xxxxxxxxxxxxxxxxxxxxxx] 
Sent: Monday, May 23, 2005 1:00 PM
To: php-db@xxxxxxxxxxxxx
Cc: Ryan Jameson (USA)
Subject: RE:  Integrated Authentication on IIS 6.0

Ahh.. ok..  I was mostly doing DSNless connections.

You might want to look into the setup for your ODBC source called
"Datasource" in your example below.  That might be what's actually
passing the authentication, not PHP itself.  PHP makes a call to the
local ODBC source which in turn actually handles the connection.

Don't know if that helps, but that's the next place I'd check, unless
someone else has better insight.

-TG

= = = Original message = = =

Thanks for the response!

Yes, believe it or not it does work, or at least did on IIS 5. When I
turn on Integrated Security on the web server it causes PHP to run as
the user logged in instead of the Anonymous user. Then calling
odbc_connect with a blank username/password combination in cooperation
with a system DSN configured to use Windows Authentication caused the
connection to be made via the individual user's Windows credentials.
This behavior is alluded to in a note on the php site from "flo":

--------------------
If you don't want to specify your login credentials on your web server,
you can leave the login fields blank to use the integrated windows
security like here: 

odbc_connect("DSN=DataSource","",""); 

Make sure you have switched your system dsn to integrated security, too
! 

(works on windows machines only, of course)
--------------------

My intranet application relies on this ability. My working production
server is IIS 5 on Advanced Server 2000 with PHP 5.04. My new server is
IIS 6 on Windows 2003 Server with PHP 5.04. Both are operating in ISAPI
mode. $AUTH_USER does report correctly the authenticated user on both
systems, but a call to odbc_connect on the new system gives this error:

Warning: odbc_connect() [function.odbc-connect]: SQL error:
[Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user
'(null)'. Reason: Not associated with a trusted SQL Server connection.,
SQL state 28000 in SQLConnect in testOdbc.php on line 3

For some reason odbc_connect on IIS 6.0 is not acting the same as it is
on IIS 5. I'm pretty sure it's a configuration problem, I just can't
find it. :-\

<>< Ryan


-----Original Message-----
From: tg-php@xxxxxxxxxxxxxxxxxxxxxx
[mailto:tg-php@xxxxxxxxxxxxxxxxxxxxxx]
Sent: Monday, May 23, 2005 12:38 PM
To: php-db@xxxxxxxxxxxxx
Cc: Ryan Jameson (USA)
Subject: Re:  Integrated Authentication on IIS 6.0

Maybe I'm not understanding the situation properly, because I can't see
why you would have had it working under IIS5 if your configuration is
how I think it is.

Integrated authentication basically allows a workstation that's logged
into a domain to automatically pass its credentials from the
workstation to the domain.

Using this, you can get the currently logged in userid via server
variables from IIS into PHP.

But you never get the user's password or are able to get anything into
PHP that will automatically connect you to a database or other trusted
data source.   If you connect to a web server and PHP on that server
creates a connection to a database, then PHP needs to send login
credentials (either hardcoded, pulled from another database based on the
user's ID or something, or provided by the user via a web form).  I
don't believe you can have PHP create a connection based on integrated
authentication because PHP is sort of outside the whole windows security
scheme.

You could configure the database to accept a connection from the PHP
server's IP address and nowhere else and hardcode a password into PHP,
or do other things like that.

Again, maybe I'm mis-assuming what your configuration is.  Mind giving us
more detail on the process you're trying to fix?   User connects to web
server, web server makes ODBC connection (by what means?), etc..

-TG

= = = Original message = = =

Hi,

I have an intranet application that I wrote in PHP that has worked great
for a long time. It uses integrated authentication in IIS. I'm trying to
migrate to IIS 6 and things are mostly working. The problem I have is
that my ODBC_CONNECT calls are not resulting in: "Login failed for user
'(null)'. Reason: Not associated with a trusted SQL Server connection.".
What it seems to tell me is it is correctly trying to make an integrated
auth connection to the database, but for some reason the current user's
credentials aren't being passed? Does anyone have insight into this?

Thanks!
<>< Ryan

--
PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit:
http://www.php.net/unsub.php
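
A log-triage sketch for the two-hop symptom this thread ends on, added here as an example and not part of any poster's message: it separates odbc_connect warnings where no Windows identity reached SQL Server from ordinary rejected logins. The function names, verdict labels, the ANONYMOUS LOGON identity and sample lines 2 to 4 are assumptions; only the first sample line comes from the thread.

```python
import re
from collections import Counter

# Identities meaning "no Windows credentials arrived at SQL Server".
# '(null)' is the one quoted in the thread; ANONYMOUS LOGON is an assumption
# covering servers that report the same condition under that name.
NO_IDENTITY = {"", "(null)", r"nt authority\anonymous logon"}

USER_RE = re.compile(r"Login failed for user '([^']*)'")
STATE_RE = re.compile(r"SQL state (\w{5})")
WHERE_RE = re.compile(r"\bin (\S+) on line (\d+)")

# Sample input: line 1 is the warning quoted in the thread, the rest are constructed.
SAMPLE_LOG = [
    "Warning: odbc_connect() [function.odbc-connect]: SQL error: "
    "[Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user "
    "'(null)'. Reason: Not associated with a trusted SQL Server connection., "
    "SQL state 28000 in SQLConnect in testOdbc.php on line 3",
    "Warning: odbc_connect(): SQL error: Login failed for user "
    "'NT AUTHORITY\\ANONYMOUS LOGON'., SQL state 28000 in SQLConnect in report.php on line 12",
    "Warning: odbc_connect(): SQL error: Login failed for user 'webapp'., "
    "SQL state 28000 in SQLConnect in admin.php on line 8",
    "Warning: odbc_connect(): SQL error: Data source name not found and no "
    "default driver specified, SQL state IM002 in SQLConnect in old.php on line 4",
]

def classify(line):
    """Parse one odbc_connect warning and label the kind of failure."""
    state, user, where = STATE_RE.search(line), USER_RE.search(line), WHERE_RE.search(line)
    result = {
        "sqlstate": state.group(1) if state else None,
        "user": user.group(1) if user else None,
        "script": where.group(1) if where else None,
        "verdict": "other",
    }
    # SQLSTATE 28000 is an authorization failure; the login name tells us which kind.
    if result["sqlstate"] == "28000" and user:
        no_identity = result["user"].lower() in NO_IDENTITY
        result["verdict"] = "double_hop_suspect" if no_identity else "login_rejected"
    return result

def affected_scripts(lines):
    """Count suspected two-hop failures per PHP script."""
    hits = (r for r in map(classify, lines) if r["verdict"] == "double_hop_suspect")
    return Counter(r["script"] for r in hits)

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry))
```

A `login_rejected` verdict means a named account was presented and refused, which points at SQL Server permissions rather than at credential forwarding between IIS and the database host.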