I'm running an asp-based page on our internal intranet. All users are locally NTLM authenticated. It's running the standard configuration that I've used a bezillion times:
Directory Security set to Integrated Windows Authentication (only).
ASP is connecting via ADO using a UDL that has Integrated Sec. enabled. (And, I checked, it DOES have the proper Integrated Security=SSPI statement in the ConnectionString.)
SQL Server has accounts created with access/permissions to the right database.
This configuration has always worked up until now.
Here's what happens:
When logged in as me (a domain admin), everything works completely fine.
When logged in as another domain admin, it comes back and says Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
When logged in as another domain admin ON THE WEB SERVER, it works.
This other domain admin account can access everything it needs to from SQL Enterprise Mgr., so I'm fairly certain it's not a SQL issue, or at least not a SQL security issue.
This seems extremely flakey to me! Why would my account work (under all circumstances) when there's nothing different about it? (It's using BUILTIN/Administrators to get permissions in SQL, just like the other domain admin account that can't get in.) Why would other accounts only work when logged in directly to the web server?
Oh, also, I wrote a tiny little .asp, put it in the same directory (so it's doing Integrated Auth) and had it display Request.ServerVariables("AUTH_USER"). It's correct every time (displaying the domain\user of the domain admin account I'm testing), even when it then goes on to claim the ANONYMOUS LOGON can't connect to SQL. (I also checked the web logs and they indicate valid authentication followed by a SQL error.)
Has anyone seen anything like this before? Is there something majorly fubar'ed with my (only 3 month-old!!!) domain? Have I completely lost it and overlooked something obvious???
Thanks a million, everyone!
Damien Guay