DMZ to Domain Authentication - Mirrored Account


  • DMZ to Domain Authentication - Mirrored Account

    Hi Guys,

    Got a frustrating problem. I have a hosting network with a front-end DMZ; the web server (2003, IIS6) runs on a couple of web servers behind an F5 load balancer.

    These web servers then connect to a database cluster through a second firewall. Due to it being a Windows cluster it has to be on a domain (obviously!!).

    Now the problem I have is that we do not want to use SQL authentication, so we have set up mirrored accounts (same username and password) on both the web servers and the hosting domain.

    When it tries to authenticate I get the following error in the database event log. If I create a local account on the database server (with the same username and password) then it works fine, but not when using a domain account.

    The reason I want to use a domain account is that when the cluster is failed over, I don't want to set up permissions twice on the database, once for each local user.

    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: SUDS-TEST-WEB$
    Domain: HOSTING
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: SUDS-TEST-WEB
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: -
    Source Port: -

    I know this solution can work as I have it set up elsewhere; the only difference there is that the database cluster nodes are the domain controllers (yea yea, I know, not recommended), so we cannot have local users, but it works perfectly with a domain user.

    What is the difference? Please help!
    * Shamelessly mentioning "Don't forget to add reputation!"

  • #2
    Re: DMZ to Domain Authentication - Mirrored Account

    Originally posted by topper:
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: SUDS-TEST-WEB$
    Domain: HOSTING
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    and before anyone asks, yes the passwords match!!!
    * Shamelessly mentioning "Don't forget to add reputation!"



    • #3
      Re: DMZ to Domain Authentication - Mirrored Account

      TOPPER!! long time no see. It's great to see you back. Hope things are going well for you.
      1 1 was a racehorse.
      2 2 was 1 2.
      1 1 1 1 race 1 day,
      2 2 1 1 2



      • #4
        Re: DMZ to Domain Authentication - Mirrored Account

        I think the problem is that in your other setup, where the cluster is on the DC, it works because the DC has only one user account database to "query" or "compare" to the incoming credentials, and that's the AD database. In the case of the member server, it can only query its local user account database and has no mechanism to query the AD database after querying its own local database, unless you set up a trust between the two domains. Pass-through authentication just doesn't work like that.

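        The two pieces of the thread that a practitioner would want to check mechanically are the audit record quoted in the first post and the resolution rule described in #4. The script below is an added example, not code from the thread or from any of the posters: it parses a Windows Server 2003 style "Logon Failure" body into fields and then applies the member-server rule from #4 (answer from the local SAM, pass through to a DC of the server's own or a trusted domain, otherwise nowhere). The database server name `SUDS-TEST-DB1`, the `websvc` account pair and the account lists are constructed assumptions; the sample event body is the one quoted above. One fact worth noting that the example flags: the principal in that event, `SUDS-TEST-WEB$`, carries a trailing `$`, which is a computer account, and a computer account is what a process running as LocalSystem or NetworkService presents on the network rather than a mirrored user's credentials.

```python
"""Parse a Windows Server 2003 'Logon Failure' audit record and reason about
where a member server can take an NTLM network logon (post #4's rule).
Added example; the server picture and helper accounts are constructed."""
import re

# Constructed sample: the failure body quoted in the first post, laid out as a
# 2003-era security-log export would show it.
SAMPLE_EVENT = """Logon Failure:
    Reason: Unknown user name or bad password
    User Name: SUDS-TEST-WEB$
    Domain: HOSTING
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: SUDS-TEST-WEB
    Caller User Name: -
    Source Network Address: -
"""

# Constructed picture of the database server: joined to HOSTING, with a local
# account and a domain account both named websvc (the "mirrored" pair).
DB_SERVER = {
    "name": "SUDS-TEST-DB1",
    "domain": "HOSTING",
    "trusted_domains": [],
    "local_accounts": {"websvc"},
    "domain_accounts": {"websvc", "SUDS-TEST-DB1$", "SUDS-TEST-DB2$"},
}

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(\S.*?)\s*$")


def parse_logon_failure(text):
    """Turn the 'Field: value' lines into a dict; '-' means 'not supplied'."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)  # the bare 'Logon Failure:' header has no value
        if m:
            key, value = m.groups()
            fields[key] = None if value == "-" else value
    return fields


def auth_path(server, request_domain):
    """Where a member server can resolve an NTLM network logon for the given
    Domain field. A member server can answer from its own SAM, or hand the
    request to a DC of its own domain (or of a trusted domain); it has no way
    to consult any other account database."""
    d = (request_domain or "").upper()
    if d in ("", server["name"].upper()):
        return "local-sam"
    if d == server["domain"].upper():
        return "passthrough-to-dc"
    if d in {t.upper() for t in server["trusted_domains"]}:
        return "passthrough-via-trust"
    return "no-path"


def account_known(server, path, user):
    """Does the account database reached by `path` contain `user`?"""
    if path == "local-sam":
        return user in server["local_accounts"]
    if path == "passthrough-to-dc":
        return user in server["domain_accounts"]
    return False  # trusted domains are modelled only as "a path exists"


def diagnose(server, event_text):
    """Return (path, findings) for one Logon Failure record."""
    f = parse_logon_failure(event_text)
    user, domain = f.get("User Name"), f.get("Domain")
    findings = []
    if f.get("Authentication Package") == "NTLM" and f.get("Logon Type") == "3":
        findings.append("ntlm-network-logon")
    if user and user.endswith("$"):
        # A trailing '$' is a computer account. Processes running as LocalSystem
        # or NetworkService present the computer account on the network, so
        # this logon did not carry the mirrored user's credentials at all.
        findings.append("computer-account")
    path = auth_path(server, domain)
    if path == "no-path":
        findings.append("no-authentication-path")
    elif not account_known(server, path, user):
        findings.append("unknown-in-" + path)
    return path, findings


def make_event(user, domain, workstation="SUDS-TEST-WEB"):
    """Constructed helper: a record in the same layout as SAMPLE_EVENT."""
    return (SAMPLE_EVENT.replace("SUDS-TEST-WEB$", user)
            .replace("Domain: HOSTING", "Domain: " + domain)
            .replace("Workstation Name: SUDS-TEST-WEB",
                     "Workstation Name: " + workstation))


if __name__ == "__main__":
    print(diagnose(DB_SERVER, SAMPLE_EVENT))
    print(diagnose(DB_SERVER, make_event("websvc", "SUDS-TEST-DB1")))
    print(diagnose(DB_SERVER, make_event("websvc", "DMZ")))
```

        Run against the quoted event, the verdict is `passthrough-to-dc` plus `unknown-in-passthrough-to-dc`: the Domain field names the database server's own domain, so the request does reach a DC, but the DC has no account `SUDS-TEST-WEB$`. A mirrored local account works because a request whose Domain field is the server's own name is answered from the local SAM; a request naming an unrelated DMZ domain is `no-path`, which is the trust case from #4.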


        • #5
          Re: DMZ to Domain Authentication - Mirrored Account

          Cheers, I presumed that was the case, but how does everyone else get this working with a windows cluster? Surely nobody uses SQL authentication!!
          * Shamelessly mentioning "Don't forget to add reputation!"



          • #6
            Re: DMZ to Domain Authentication - Mirrored Account

            Originally posted by biggles77:
            TOPPER!! long time no see. It's great to see you back. Hope things are going well for you.
            Hey!! Thanks for the Beer, how about answering the question??? lol.
            * Shamelessly mentioning "Don't forget to add reputation!"



            • #7
              Re: DMZ to Domain Authentication - Mirrored Account

              Originally posted by topper:
              Cheers, I presumed that was the case, but how does everyone else get this working with a windows cluster? Surely nobody uses SQL authentication!!

              My guess would be one of three:

              1. They do use SQL authentication

              2. The servers are members of the same domain

              3. The servers are in different domains and a trust exists between the two

              Of course, as I said, these are just guesses on my part.



              • #8
                Re: DMZ to Domain Authentication - Mirrored Account

                How can you have 'mirrored domain accounts'? They're either one and the same or they're independent.

                Remember that the unique identifier is the SID..

                You'd need to open a hole in the firewall for authentication to pass through.



                • #9
                  Re: DMZ to Domain Authentication - Mirrored Account

                  The OP is referring to pass through authentication.
