Microsoft KB Archive/821259

= INF: Integrated Security And SQLXML Queries That Use the ServerXMLHTTP Object =

Article ID: 821259

Article Last Modified on 5/16/2007

-

APPLIES TO


 * Microsoft SQLXML 3.0
 * Microsoft SQLXML 3.0
 * Microsoft SQLXML 3.0
 * Microsoft SQLXML 3.0
 * Microsoft SQLXML 3.0 Service Pack 1

-



SUMMARY
When you use integrated security to post SQLXML queries that use the ServerXMLHTTP object, you must configure and verify different settings. This article discusses the settings that you must configure and verify when Microsoft Internet Information Services (IIS) and SQL Server are installed on two different computers and the client is on a third computer.



MORE INFORMATION
Use the following checklist if you use integrated security to post SQLXML queries that use the ServerXMLHTTP object:  Before you use HTTP to access a SQL Server database, create an appropriate virtual directory. You can create an SQLXML virtual directory on the computer where you installed IIS or SQL Server. For more information about how to create a virtual directory, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/aa226546(SQL.80).aspx All the computers must be running Microsoft Windows 2000. All the computers should be in the same domain. Kerberos security must be enabled on all the computers. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

264086 How to Automatically Log on to IIS Using NT/Challenge Response

 Kerberos must be enabled for use with the ServerXMLHTTP object. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

314404 HOWTO: Use Kerberos with the ServerXMLHTTP Component in MSXML

 On the client computer, make sure that the domain user is different from the local user. If the domain user is the same as the local user, delete the local user. Log on to the client computer by using the domain user credentials.</li> Make sure that the domain user is a SQL Server user.</li> To use Kerberos, you must use Microsoft Internet Explorer 5.5 or later. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

299270 Kerberos Does Not Negotiate Using Internet Explorer 5.5 If an FQDN Is Used to Connect

264921 INFO: How IIS Authenticates Browser Clients

299838 Unable to Negotiate Kerberos Authentication After Upgrading to Internet Explorer 6

</li> Use SQL Profiler to make sure there are no problems with authentication.</li> If SQL Profiler does not receive any hits for the SQLXML query, use the Microsoft Network Monitor tool to monitor the connection between the computer running SQL Server and the computer running IIS. Using Network Monitor helps you to know what type of authentication is being used.</li> If you cannot use Kerberos, you can use NTLM for authentication. Because NTLM does not support double-hop authentication, you may receive the following error message:

Access Denied

</li></ul>

<div class="references_section">