locked
Connecting to SQL Server 2008 with IIS 6.0 over a Domain RRS feed

  • Question

  • Hi,

    In my company we are currently running a Domain Controller with SQL Server 2008 and a company database.  I have set up a separate machine with IIS 6.0 (Server 2003 Web Edition) and connected it to the domain.  However I am trying to host a website on it that needs to access the MS SQL database on the Domain Controller.  I am using the MS SQL dlls which allow me to connect using Windows Authentication, and this worked fine on my own PC (running XP and Web Matrix) but since trying to run it from IIS 6.0, I get an authentication error (untrusted login/domain etc) when I try to access the database.  Eventually I want this to run on the Domain Controller, but I want it to be fully functional before I put it on there, and I don't want to have to make changes to the authentication in the php files.  Is there any way I can make it use a domain account to authenticate with the database, or give access to the database to the local account it is trying to use?

    Tuesday, February 15, 2011 4:59 PM

Answers

  •  

    Hi SacredZero,

     

    Based on your description, it seems to be a double hop issue, I would like to suggest you check the following aspects:

     

    • The SPNs are properly created for the account both SQL Server and Web Server(the IIS 6.0 ) running under.
    • Make sure the end-user is sensitive and enabled for delegation.
    • Disable Kernel-mode authentication for the IIS application.

     

    For your last question, we could use sqlsrv_connect function to access database, it uses Windows Authentication by default.

     

    For more detail information, please also refer the following links:

    Checklist for Double Hop issues {IIS and SQL Server}

    Accessing SQL Server Databases with PHP

    SQL Server Driver for PHP: Understanding Windows Authentication

     

    In addition, Microsoft recommends that you do not install SQL Server 2008 on a domain controller for security reasons. If the domain controller is based on Windows Server 2003, then the SQL Server services could run under a domain account or a local system account .

     

    If there are an progress, please feel free to let me know.

     

    Thanks,

    Weilin Qiao

    • Marked as answer by WeiLin Qiao Friday, February 25, 2011 3:25 AM
    Friday, February 18, 2011 5:36 AM