So, I've been looking into this all day, but haven't made much progress. Just wanted to put the thread out here and see if I can get a better idea of what can be done, if anything.
I have a PHP application running on an IIS server. The application connects to a SQL Server instance on another machine in the same domain. I can connect to the server and pull data all day long if I explicitly specify credentials in the application code. I was thinking it would be better to have the application run in the context of a domain account (or even a managed service account). This would, in my mind, be more secure, and eliminate the need to manage password conflicts in the application layer. However, I've not been successful, and I continue to get the
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
error when trying to access the db through Windows Authentication. I have explored many of the obvious issues, like putting the application in its own application pool, setting the identity for that application pool to an account with access to the db server, etc. It seems like it's just coming down to the fact that the application is not running in the context of the specified user by the time it gets to connecting to the db.
Could I be missing something simple? Is this a double hop issue? And furthermore, is there really a good reason to be going down this road, or is it acceptable to have a login for our SQL Server specifically for this web service (it's basically a sales/product dashboard that pulls live data from our system)?
Any advice would be greatly appreciated!