Discussion:
IAS logging SQL server drops authentication if no connection with
Marc Jonkers
2008-05-30 08:51:00 UTC
Hi,

We have IAS configured to log to a central SQL server. When there is no
connection between the SQL and IAS server, the authentication requests are
dropped on the IAS, resulting in a lot of things not working.
Is there a solution for this, if the IAS cannot log to SQL that
authentication still occurs?

Thx,

Marc Jonkers
James McIllece [MS]
2008-06-03 17:27:29 UTC
Post by Marc Jonkers
Hi,
We have IAS configured to log to a central SQL server. When there is
no connection between the SQL and IAS server, the authentication
requests are dropped on the IAS, resulting in a lot of things not
working. Is there a solution for this, if the IAS cannot log to SQL
that authentication still occurs?
Thx,
Marc Jonkers
Hi Marc --

IAS was intentionally designed so that authentication fails if logging
fails; the reason is that you would have a big security hole if there were
no logging during an attack and would not be able to track down whoever was
initiating the attack.

There are several SQL server logging scenarios presented in the IAS SQL
Server Logging whitepaper that can assist in preventing this failure of
service in circumstances where the connection between the servers is lost.
You can install SQL Server on the IAS server or you can install MSDE 2000
on the IAS server, then replicate records to a central SQL Server (if you
have more than one IAS server that is logging to SQL).

Another option is to also enable local file logging, so that both local and
SQL logging are occurring simultaneously. If SQL logging fails, the fact
that IAS can log to a local file keeps authentication going.

For more info, see "Deploying SQL Server Logging with Windows Server 2003
Internet Authentication Service (IAS)" at
http://www.microsoft.com/downloads/details.aspx?FamilyId=6E4357F7-4070-4902-95F1-3AD411D963B2&displaylang=en
--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
Marc Jonkers
2008-06-05 06:02:01 UTC
Hi James,

Another option is to also enable local file logging, so that both local and
SQL logging are occurring simultaneously. If SQL logging fails, the fact
that IAS can log to a local file keeps authentication going.

That is the case, we are logging also to a local file but when the SQL
connection drops it stops authenticating, and drops all requests.
Any ideas?

Greetings,

Marc
James McIllece [MS]
2008-06-05 18:59:12 UTC
Post by Marc Jonkers
Hi James,
Another option is to also enable local file logging, so that both
local and SQL logging are occurring simultaneously. If SQL logging
fails, the fact that IAS can log to a local file keeps authentication
going.
That is the case, we are logging also to a local file but when the SQL
connection drops it stops authenticating, and drops all requests.
Any ideas?
Greetings,
Marc
<snip>
If local logging is configured and working properly I don't know what would
cause this problem. It *should* continue to log to the local file in this
scenario. If you want to pursue resolution of this issue without installing
MSDE or SQL Express on the IAS server, you should contact Microsoft
Customer Support Services.

If you can install MSDE or SQL Express on the IAS server (both of which are
free of charge), then replicate data to SQL Server, you can solve the
problem permanently though.
--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
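
The store-and-forward layout recommended in the replies above (log to a database on the IAS host, then replicate to the central SQL Server) can be modelled as follows. This is an added example, not part of the original thread and not IAS or Microsoft code: Python's `sqlite3` stands in for MSDE/SQL Express, and `LocalSpool`, `handle_request`, `replicate` and `CentralDown` are hypothetical names. Requests are answered once the local record commits, and are still dropped (fail closed) if even the local write fails.

```python
import sqlite3

class CentralDown(Exception):
    """Raised by the caller-supplied central sink when it is unreachable."""

class LocalSpool:
    """Accounting store on the RADIUS host (sqlite3 stands in for MSDE/SQL Express)."""
    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS acct (id INTEGER PRIMARY KEY, user TEXT,"
            " result TEXT, forwarded INTEGER NOT NULL DEFAULT 0)")

    def record(self, user, result):
        with self.db:  # commits on success, rolls back on error
            self.db.execute(
                "INSERT INTO acct (user, result) VALUES (?, ?)", (user, result))

    def pending(self):
        return self.db.execute(
            "SELECT id, user, result FROM acct WHERE forwarded = 0 ORDER BY id"
        ).fetchall()

    def mark_forwarded(self, row_id):
        with self.db:
            self.db.execute("UPDATE acct SET forwarded = 1 WHERE id = ?", (row_id,))

def handle_request(spool, user, credentials_ok):
    """Answer only after the record is committed locally; otherwise drop (fail closed)."""
    result = "accept" if credentials_ok else "reject"
    try:
        spool.record(user, result)
    except sqlite3.Error:
        return "drop"  # no audit record, so no answer is sent
    return result

def replicate(spool, central_send):
    """Forward unsent rows in order; stop at the first failure and retry later."""
    sent = 0
    for row_id, user, result in spool.pending():
        try:
            central_send(user, result)
        except CentralDown:
            break  # central server unreachable: rows stay queued locally
        spool.mark_forwarded(row_id)
        sent += 1
    return sent
```
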