Good morning. I have several Django apps running in my work environment. All are running through Gunicorn on Ubuntu. I have a new app that must run on Windows for ODBC reasons. This new app is running in development mode on a Windows 10 PC. I run the dev server while logged in as a service account, it uses a trusted connection (local credentials as I understand) to query a SQL server and works perfectly. I ported this app (virtualenv and all) to a Windows Server 2012 r2 instance and run the dev server successfully from there using my domain admin credentials (again trusted_connection=yes).
I set up IIS on this server to run the app permanently and it appears to run. However, I get a django error page that says the SQL login failed for 'DOMAINNAME\SERVERNAME'.
I have tried editing my Application Pool to use the credentials of the working service account (Advanced Settings > Process Model > Identity). With this configuration I no longer see a Django error page, just Service Unavailable HTTP Error 503. I have tried 'recycling' and restarting the IIS service after the change but that has not worked.
Unfortunately, I do not have admin access to the SQL server to create or edit accounts. Is it possible to configure IIS to connect to SQL, through the app, using the service account credentials that I know work. If I were to configure the Application Pool successfully in this way should I still have the trusted connection setting in my connection string? Thanks!
Related
We have the infamous Kerberos double hop issue.
This is a brand new domain, being migrated from another provider where impersonation and delegation was previously working. We have upgraded OS's and to the latest SQL server (2017).
WPF app (using domain creds) -> Web Service (WCF app on IIS 10) -> SQL 2017 (named instance)
The web service is running under a domain account. The web service has an spn registered, Anonymous Auth is disabled as is forms auth, ASP.NET Impersonation and Windows Auth is enabled. Providers are "Negotiate and NTLM," "Kernal Mode" is disabled, "Use App Pool credentials" is enabled. SPN created:
HTTP/<url of web service> <AppPool Creds>
We are able to login to the web service via a browser on a remote computer, enter domain credentials and have the expected response (web page displayed). IIS Log shows domain user creds as expected.
The SQL server is a named instance, running under domain creds. SPNs created:
MSSQLSvc/<fqdn>:<Instance> <SQL Domain Creds>
MSSQLSvc/<sql server netbios>:<Instance> <SQL Domain Creds>
MSSQLSvc/<fqdn>:<port> <SQL Domain Creds>
MSSQLSvc/<sql server netbios>:<port> <SQL Domain Creds>
The IIS App Pool user account in AD is setup for constrained delegation to the SQL server for both the port and the named instance.
When logging in through software to web service (WPF calling WCF Service with no database call), a normal response is seen.
When logging in through software to web service with a database call, sql profiler shows Anonymous Logon. With Kerberos Logging enabled on IIS box, the following error is received:
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc0000225 KLIN(0)
Server Name: MSSQLSvc/<sql server fqdn>:49942
Target Name: MSSQLSvc/<sql server fqdn>:49942#<domain.com>
We also tried unconstrained delegation, but received same result.
SETSPN -X shows no duplicates.
Thank you in advance for your help!
When all else fails, and you've literally spent days and days working on the problem and reading every article on the Internet:
REBOOT
Yup. That was the fix. Rebooting the IIS server which was the server delegating the permissions, fixed the issue.
For those looking to quickly and easily setup constrained delegation between IIS and an instance of SQL, both running under custom domain creds, set your settings exactly as above and reboot.
Best wishes.
I have 2 web applications on the same web server (IIS 7.5 on Windows Server 2008) that connect to the same database(on a separate server). Both applications use the same connectionstring and both use the same application pool. The app pool uses a custom account for the App Pool Identity. One site works just fine but the other site gets "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON" as soon as it attempts to connect to the database. Any suggestions on what the problem may be?
I found the problem. In IIS, under the site's Authentication settings, I had to disable "ASP .NET Impersonation".
Basic Problem:
I have a web application that accesses a SQL Server database on the same machine. The web app runs under its own app pool - let us call it MyAppPool. If I goto advanced settings in IIS Manager, I can see that MyAppPool runs under ApplicationPoolIdentity. When I make requests to the web app, I can open task manager and verify that the username of w3wp.exe is MyAppPool. In SQL Server, I have added a Windows User IIS AppPool\MyAppPool and given it necessary permissions to read from db. The problem is that I am getting a login failed for DOMAIN\MACHINE$ when a logon is attempted to SQL Server. Its beyond me. Why is the app not logging on as IIS AppPool\MyAppPool?
Details:
I know variants of this question have been asked elsewhere, but I am really stuck without a solution. I experimented adding a <identity impersonate="true" /> to the web.config. If I do this, I get a login failed for NT AUTHORITY\IUSR. I have tried accessing the web app from the machine on which it is hosted and get same login error. I am running IIS8, Windows Server 2012, and SQL Server 2012.
Closest question I could find is Why is my MVC app trying to log into my DB as my machine, and not as the App Pool identity?, and the solutions provided do not work. I cannot change Integrated Security to be false (I had this thing running in the past). Quoting https://stackoverflow.com/a/15145488/147530:
ApplicationPoolIdentity uses IIS AppPool\ApplicationPool for local
access, but DOMAIN\MACHINE-NAME$ for remote access
sounds reasonable. Question is why is ApplicationPoolIdentity not using IIS AppPool\MyAppPool identity when db is hosted on same machine??
Quoting another SO post, IIS application using application pool identity loses primary token?:
This application also connects to a SQL Server database using
Integrated Security=true in the connection string. If the database is
local, then we see that IIS APPPOOL\OurAppPoolName is used to connect
to the database; if the database is remote, then the machine account
OURDOMAIN\ourwebserver$ is used.
This is the behavior I want, but not getting it, and that is what I am asking in this question - I don't want to give permissions to DOMAIN\MACHINE-NAME$ to log onto SQL Server. Quoting https://stackoverflow.com/a/15445280/147530:
I think that's a bad idea, however, because it authorizes any program
running as NetworkService to access the database - not just your web
applications.
I tried one more thing, which was to enable Windows Authentication on IIS8 using this link http://www.iis.net/learn/install/installing-iis-85/installing-iis-85-on-windows-server-2012-r2#ModulesinIIS85 but this has also not solved the problem.
Fixed this problem. In SSMS, there is a path machine -> security -> logins which contains users who can log onto the machine. I had not added the apppool to this list. I had only added the apppool to machine -> databases -> my database -> security -> users
I have an ASP.NET application which needs to connect to Analysis Services database.
All components are on the same machine:
Web application
IIS
Visual Studio 2008
SQL Server 2008
My domain account (DOMAINNAME\MyWindowsUsername) is an administrator on the SQL Server and also in "Administrators" group on the local machine.
Web application uses Windows Authentication and identity impersonate="true".
My IIS Windows Authentication settings (I have also tried other combinations but no success...):
Extended Protection: Off
Enable Kernel-mode authentication: true
Enables Providers: NTLM
When I use web application on ASP.NET Development Server (deployed from Visual Studio) then everything works ok. My domain account and corresponding database roles are recognized correctly, and security is working as defined in database roles.
But, when I deploy the same web application (without any changes in code) to IIS I get error (in browser):
An error was encountered in the transport layer.
The peer prematurely closed the connection.
In SQL Profiler (for IIS case when connection fails) I get only these two events:
Audit Login MyWindowsUsername DOMAINNAME
Audit Logout MyWindowsUsername DOMAINNAME
It seems Analysis Services recognizes the impersonated account, but still the connection breaks.
I have noticed that ASP.NET Development Server runs under DOMAINNAME\MyWindowsUsername while IIS under LocalSystem (the default setting). I tried to play with the accounts, adding various system/network account as Analyis Services administrators (just to understand the logic behind this), but also with no success (always the same error).
You must use delegation to pass on the user credential from the web browser to SSAS,
http://msdn.microsoft.com/en-us/library/ff647404.aspx
ASP.NET Development Server simply runs under your log on account, which prevents you from noticing this issue earlier.
Database: Sql Server 2005
Webserver: IIS 5.0
IDE: Visual Studio 2010
I've created a Silverlight RIA application which will allow users of our intranet query one of our databases.
In the config I have set the authentication to windows and enabled impersonation.
In IIS i have disabled anonymous access and only enabled windows authentication.
This all works fine in my development environment and when running it from VS2010.
When i publish it to my local web server and connect to it from my local pc it works too.
However if i access the URL to the application on my local web server from another machine the application does not work. It gives the following error: "Load operation failed '[QueryName]'. Exception type 'System.ServiceModel.DomainServices.Client.DomainOperationException' was thrown.
The database sits on its own server. However i have the same database locally and if i change the connectionstring to local at the local version of that database it works fine.
IIS on my PC does not seem to forward requests to the SQL Server machine. As im running profiler to see what requests come in.
Any help on this would be greatly appreciated. Im sure im missing something.
Thanks
this was an issue was a classic double hop problem when using windows authentication. instead i used annoymous access on IIS and set the App Pool to an account that had access to the database on SQL Server