If the ASP page was accessed anonymously, then the Windows NT/SQL Server
computer needs to be able to authenticate the anonymous logon account. To
do this use one of the following methods:
- Duplicate the anonymous account as a local account on the Windows
NT/SQL Server computer with an identical name and password. To
determine which account is used by IIS, open the WWW Properties
dialog in the Internet Service Manager. The default account used
is IUSR_<machinename>
- Change the anonymous user on the IIS computer to be a domain account
so that the Windows NT/SQL computer can verify this account against
the domain controller. To change which account is used, open the
WWW Properties dialog box in the Internet Service Manager. Change
the Anonymous Logon Username and password. Make sure the Username
refers to a domain account (for example, Northamerica\JohnSmith).
If the ASP page requires authentication and any of the following is true,
the error involves a Windows NT delegation issue where the security
credentials are lost:
- The ASP page was accessed using Windows NT Challenge/Response, and
SQL is on a different computer.
- The SQL Server is on the same computer as IIS and the server name is
specified as opposed to selecting Local.
- The DSN has the "Trusted Connection" check box selected, and the SQL
computer is set up to use Named Pipes.
To resolve this, use one of the following methods:
- If IIS and SQL are on the same computer, select (local) instead of the
server name, when you create the DSN. Also, ensure that "trusted
connection" is not selected.
- If IIS and SQL are on separate computers, ensure that TCP/IP sockets are
used to access the Windows NT/SQL computer. When Named Pipes are used
to access the SQL Server, IIS tries to impersonate the authenticated
user, but it does not have the ability to prove its identity. By
using TCP/IP sockets, the connection between SQL and IIS is not
authenticated. To enable TCP/IP sockets, run the SQL Server Setup
program and select TCP/IP sockets under the Change Network Support
option. You may also need to run the SQL Client Configuration
Utility on the IIS computer and change the Net Library from
Named Pipes to TCP/IP sockets. To start the SQL Client Configuration Utility, follow these steps:
- Click Start, and then click Run.
- In the Open box, type cliconfg.exe, then click OK.
- You can also avoid this delegation issue by choosing to authenticate via
Basic (Clear Text). This will give IIS the information needed to
impersonate the authenticated user to the SQL Server. Be aware that with
this authentication method, passwords are transmitted across the
network, and could be stolen. To change to Basic authentication, open
the WWW Properties dialog box from the Internet Service Manager, and
select Basic (Clear Text), and clear the Windows NT Challenge
Response check box.