How to establish trust between IIS and SQL Server on different machines?
I have a .net web app hosting in IIS6 with Windows Authentication and anonymous access disabled. The web app is making connection to a SQL Server that is in the same domain, but on a different machine.
I want to have the IIS Worker process acount I_USR_开发者_Go百科... to be granted access to the SQL Server.
Will this work ?
(Is there a one to one trust ? Or should I make some extra effort to make the trust work ?)
(edit) On this page I read:
IUSR_ must be in the domain, and given proper access to the SQL Server; or, you must disable anonymous access on the site / application - which will allow IIS to pass the users' credentials to SQL Server. Not doing either of these things will result in an error.
This can work if you provide SQL access to the identity of the application pool.
There is no way you can pass your users' credentials to the SQL even with impersonation.
You should be fine either by allowing that domain account access on the SQL Server box or creating a SQL Server account and use that to query the database.
More information on Connection Strings and Trusted Connections here: http://www.connectionstrings.com/sql-server-2008
It would be a good idea to set up a sql user account or a domain account specific for you connection. Having the same account helps with connection pooling: http://msdn.microsoft.com/en-us/library/8xx3tyca.aspx
To get this to work, you must configure Active Directory to establish trust between your web server and the database server. This is called delegation. It is something you must actively configure for each server, because it is inherently unsafe to allow a process to take someone's credentials and use it all over the network.
More info here:
http://msdn.microsoft.com/en-us/library/ff647404.aspx
A slightly more readable version:
http://www.databasejournal.com/features/mssql/article.php/3696506/Setting-Up-Delegation-for-Linked-Servers.htm
精彩评论