Directory Programming .NET

Active Directory and ADAM programming support for .NET developers

ADFS and SQL server logins

Last post 08-15-2008, 4:56 PM by natebell. 42 replies.
  •  07-29-2008, 12:13 PM 4285 in reply to 4283

    Re: ADFS and SQL server logins

    well got it working.

    The missing piece was that I hadn't delegated the webservice account to the SQL server service! duh

    however, I am still using the IP address in my connection string.  Perhaps that works because I haven't changed anything on the SQL server, it is still running as system or network service, whatever is default.

    so I finally have ADFS credentials passing through to SQL server.  very cool!  again, depending on your security this might not be desirable but I am glad that I have got it working and can document the process now for my lab!

    thanks for your help Joe.  I'd be happy to try to see why the IP is working if you want to explore that, I'll most likely be using a netbios or FQDN in production anyways.

  •  07-29-2008, 12:20 PM 4286 in reply to 4285

    Re: ADFS and SQL server logins

    The IP address really should not work.  :)  I'm not sure why it does.  Is SQL on the same machine as the web server in this case?  If so, you probably aren't really delegating.

    In any event, I'm glad you got it working.  I'd be very careful with that piece though.  I wish I had a handy tool to verify Kerb auth with SQL is working, but I don't.  I use wfetch from the IIS res kit to check this for HTTP, but I don't have an equivalent thing for SQL.
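As an added check for the gap mentioned above (not code from the thread), the script below asks SQL Server itself which connections from the web host arrived over Kerberos and under which login; the instance name, web host name and service account are placeholders.

```powershell
# Added example, not code from the thread: list the SQL sessions that arrived from the
# web server and show, per session, the auth scheme and the login SQL actually saw.
# Run it as a DBA while the ADFS-protected app is in use. Placeholders (not from the
# thread): the SQL instance, the web server's host name, and the web service account.
param(
    [string]$SqlInstance       = 'SQL01',         # placeholder
    [string]$WebServerHost     = 'FSPROXY01',     # placeholder: host_name as SQL sees it
    [string]$WebServiceAccount = 'EXT\websvc'     # placeholder: app pool / service identity
)

# auth_scheme is SQL, NTLM or KERBEROS. Only KERBEROS can carry a delegated identity,
# so NTLM here means the SPN or delegation setting is wrong even if the app "works".
$query = @"
SELECT s.session_id, s.login_name, s.program_name, c.auth_scheme, c.net_transport
FROM   sys.dm_exec_sessions s
JOIN   sys.dm_exec_connections c ON c.session_id = s.session_id
WHERE  s.is_user_process = 1 AND s.host_name = @WebHost
ORDER BY s.session_id;
"@

$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Data Source=$SqlInstance;Initial Catalog=master;Integrated Security=SSPI;")
$cmd = $conn.CreateCommand()
$cmd.CommandText = $query
[void]$cmd.Parameters.AddWithValue('@WebHost', $WebServerHost)

$conn.Open()
try {
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) {
        $auth  = [string]$reader['auth_scheme']
        $login = [string]$reader['login_name']
        if ($auth -ne 'KERBEROS') {
            $note = 'NOT Kerberos: delegation cannot work (check the SQL SPN)'
        } elseif ($login -eq $WebServiceAccount) {
            $note = 'Kerberos, but the service account connected, not the end user'
        } else {
            $note = 'Kerberos with the end-user identity: delegation is working'
        }
        '{0,5}  {1,-30} {2,-8} {3}' -f $reader['session_id'], $login, $auth, $note
    }
    $reader.Close()
} finally {
    $conn.Close()
}
```

A row showing KERBEROS with the end user's login is the evidence that the ADFS identity reached SQL Server; a row with the service account means the hop was authenticated but not delegated.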

  •  07-29-2008, 12:44 PM 4287 in reply to 4286

    Re: ADFS and SQL server logins

    the web server is my FSP for the EXT domain, the SQL server is a separate box (all virtuals mind you) but all separate boxes

    I've just got my website running on the FS proxy server so that I can show reuse.

    I'll try to check logs and such to see if it logs the user who is changing data, that was one of the reasons to do this, as well as not having to put in user/pass into code.

  •  07-30-2008, 8:53 AM 4292 in reply to 4287

    Re: ADFS and SQL server logins

    yep, it is working, logs are showing that my ADFS sign on is passing through and my trace shows me what that user did to the database

    thanks again Joe for all the help you provide

  •  07-30-2008, 10:35 AM 4294 in reply to 4292

    Re: ADFS and SQL server logins

    now it seems that a timeout gives me an error I'm not sure what to do with:

    Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster

    to reproduce:

    1. open the sql app
    2. login via ADFS
    3. interact with sql app, create delete etc
    4. let it sit past the timeout (ADFS timeout?)
    5. try to update sql data via app, get an error
    6. browse back to sql app, still logged in (maybe)
    7. you might be logged in to ADFS still, if so you can still interact with .net code, button etc
    8. once you do that the sql app will work again

    seems there is a state that can happen after a timeout (whose timeout?)

    the error isn't helpful as this app isn't a farm or cluster, but perhaps machinekey or autogenerate is the thing to look into

  •  07-30-2008, 1:16 PM 4298 in reply to 4294

    Re: ADFS and SQL server logins

    Viewstate validation errors can almost always be overcome by setting a static machine key.  Search around for some samples on building a static machine key XML config.

    There could still be something else wrong here, but I'd try to address the actual error you are getting first.
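A generator for the static key suggested above, added here and not taken from the thread or from Joe's samples; it assumes the .NET 2.0/3.5 defaults of SHA1 validation and AES decryption, and the element it prints goes inside <system.web> in web.config.

```powershell
# Added example (not from the thread): emit a static <machineKey> element for
# web.config so viewstate MAC validation no longer depends on AutoGenerate.
# Keys come from the CSP random number generator, not from Get-Random.
function New-MachineKeyElement {
    param(
        [int]$ValidationKeyBytes = 64,   # 128 hex chars: the maximum for SHA1 validation
        [int]$DecryptionKeyBytes = 32    # 64 hex chars: AES-256
    )
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    function Get-HexKey([int]$bytes) {
        $buf = New-Object byte[] $bytes
        $rng.GetBytes($buf)
        ($buf | ForEach-Object { $_.ToString('X2') }) -join ''
    }
    $validationKey = Get-HexKey $ValidationKeyBytes
    $decryptionKey = Get-HexKey $DecryptionKeyBytes
    # No ",IsolateApps" suffix: every process that renders or receives this app's
    # viewstate must use exactly these key values.
    @"
<machineKey validationKey="$validationKey"
            decryptionKey="$decryptionKey"
            validation="SHA1" decryption="AES" />
"@
}

New-MachineKeyElement
```

Treat the generated element as a secret: it lets anyone holding it forge viewstate and forms-auth tickets for the app, so keep it out of source control and generate a fresh one per environment.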

  •  08-12-2008, 2:18 PM 4410 in reply to 4298

    Re: ADFS and SQL server logins

    any ideas why I don't get a realm selection page for this sql app?  it only takes me to the login page of the FS that the application is a part of, but I want my partners to login in as well.
  •  08-13-2008, 12:06 AM 4414 in reply to 4410

    Re: ADFS and SQL server logins

    Make sure you clear your cookies if you want to always get the realm selection page.

  •  08-13-2008, 2:23 PM 4418 in reply to 4414

    Re: ADFS and SQL server logins

    duh, I was resetting the realm cookie for another app

    each app has its own realm cookie right?  both of these apps are in the same resource groups, but resetting the realm on one app doesn't affect the realm of any of the other apps

  •  08-13-2008, 4:19 PM 4420 in reply to 4418

    Re: ADFS and SQL server logins

    The realm cookie (_LSRealm) is issued by the resource FS for the resource app after the user is authenticated successfully the first time, so it is scoped to that particular FS.
  •  08-15-2008, 12:29 PM 4439 in reply to 4420

    Re: ADFS and SQL server logins

    from my testing it appears that each app has its own realm cookie, at least between my claims app and token app, both on the same resource FS
  •  08-15-2008, 3:28 PM 4447 in reply to 4439

    Re: ADFS and SQL server logins

    Check (again probably :-) ) Joe’s article about keeping your cookies straight, maybe that’s all. A cookie belongs to the issuing server (domain) and path (application).
    _WebSsoAuth[n] (often more than one). All FS have them (corporate claims), Agent enabled applications have them (app claims).
    _LSRealm: All FS have them [contains realm URI] (apps don’t)
    _LSCleanup: All FS have them (apps don’t)
    So your post about a realm cookie per app confuses me. Never seen that before.

  •  08-15-2008, 4:56 PM 4450 in reply to 4447

    Re: ADFS and SQL server logins

    I am sure you are right, there is just something weird happening with the Windows NT Token app I have setup

    the claims apps i have work fine, but the token app gives me the 20 sec error, they are on the same FS
