I have a web application (on IIS 7.0) developed with ASP.NET MVC 4. The application manages a database on a SQL Server 2008 R2. Only Windows Authentication is enabled on the site. In my intranet, the domain users access the program without authentication requests. web.config sets a connection string on the site that uses a sql user. All operations on the database are done by this last user. The application should access the database with a windows user instead of a sql user. For this, I created a windows user “MyUser” on Sql Server. I thought I could set a new “connection string” with windows authentication but I wasn't able to pass the credential of “MyUser”. When I set windows authentication on the connection string it uses the client user, and I don't want this.
How I can operate on the database with a different user? I would like all operations on database to be performed by a single windows user (MyUser).
You can give "MyUser" privileges over the folder where your app is. Then you can create an application pool and set the identity to "MyUser" (read this) and assign your app to this application pool.
Your application will be executing with "MyUser" account thus login into SQL with its credentials.
Hope it helps.
Related
I have one machine running IIS10, another machine running SQL Server Express. I have create an ASP.NET Razor pages web application. All machines are Windows 10 pro.
I cannot for the life of me figure out how to take the credentials from the web app, pass to IIS, and pass to SQL Server. I want to manager access to SQL Server at the user level, not the IIS DefaultAppPool identity.
Has anyone done this before?
Are you trying to pass the user's network login to the database instead of using a dedicated DB account? I think you need a trusted connection.
Grant your users access to your DB
Disable anonymous access in IIS and set the site up SSL
In your connection string set the Trusted_Connection property to true
Connection Strings
If the user is on any browser except IE, they'll probably be prompted for their credentials.
I have a question about how to configure my web site and IIS using Active Directory.
I have a web app which will be running exclusively on our company's internal network. The SQL Database that the app needs to connect to (via active directory) can only be accessed by one specific AD user DBAccess but I am using Windows Authentication mode to validate my users. I would put the identity impersonate right into my Web.Config but the DB user does not have rights on the web server computer.
How would I configure IIS to use the DB Access user for connecting to the SQL Server and not for running locally on the web server?
Thanks in advance and sorry if this is a bit basic.
Set the application pool your application is using to run as the user you wish to connect to the DB as.
Add Integrated Security=true; to your connection string.
I have a classic ASP app that I am trying to connect to a SQL Server 2008 database on a different server. The ASP app is being served from IIS7 on Windows Server 2008.
I have changed the web site's application pool to run under a specific windows account, that I have verified has access to the database on the remote server.
However, when I run the app in the browser, I get this error:
Application Error
Number: -2147217843 (0x80040E4D)
Source: Microsoft OLE DB Provider for SQL Server
Description: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
Why is it trying to connect using NT AUTHORITY\ANONYMOUS LOGON?
Does the App pool identity not apply to classic ASP code?
How can I make this connect as a specific user?
EDIT
Here is the connection string I am using:
Provider=SQLOLEDB.1;Data Source=myDbServer;Initial Catalog=myDatabase;Integrated Security=SSPI
For a site to use the application pool identity for classic ASP, you need to change the credentials used for Anonymous Authentication. By default, the site will be set to use a specific user, namely IUSR.
Select Authentication from the IIS area of your site, then select Anonymous Authentication followed by Edit. Change from Specific user to Application pool identity.
It's advisable to use Windows authentication (integrated security) over SQL authentication so that you don't have credentials in your config files so that if those files are compromised, you don't lose control of the credentials.
Does your app impersonate the caller? You need to enable constrained delegation: Configuring Servers for Delegation.
you should specify a username and password for the connection string www.connectionstrings.com or set the IIS application to run as a specific user however that would then render a lot of the security settings in IIS obsolete.
Provider=SQLNCLI10;Server=myServerAddress;Database=myDataBase;Uid=myUsername; Pwd=myPassword;
And have a look here: aspfaq
Lastly, make sure anonymous access is disabled on the IIS site so that it actually impersonates the user you selected instead of passing the anonymous tokens through.
I have a web service that stores data in a local SQL Server 2008 database. If I run the web service under my account the web service can successfully access the database. However, if I use the DefaultAppPool (IUSR) account then accessing the database from the web service fails.
How do I set security on SQL Server to allow access to a specific database via IIS?
The specific error message I am getting is:
Login failed for user 'IIS APPPOOL\DefaultAppPool'
You have two options (obvious maybe!):
Instead of using Windows Integrated
Security use SQL Authentication
instead.
If you can't or don't want to, then you have
to create a new user in SQL Server
that relates to that Windows account.
Or (third option) you can change the web service to run under an account that you know works.
I generally run the app pool under a domain user account, that way you control the specific user for each site on your server.
If I can't use a domain account, I'll run the site as "Network Service" - and the user that would correspond to that in SQL would be the machine account (MACHINENAME$ - replace "machinename" with your IIS server name").
If you plan to use the new IIS7 IIS users - which are not windows users - you'll have to use SQL Authentication instead of Windows authentication for your SQL database access.
To cut a long story short: As part of an online database access system I'm writing I want to use the new BLOB access features in SQL 2008 - this means I have to use Windows Authentication when logging into the SQL Server; however due to it's very nature the website front end to all this uses Forms authentication with the membership data stored on that SQL server.
How do I get the web application to impersonate a user account so it can connect to the SQL server, i.e. I don't want to use the account of a user logged into the website. (Not that you could do this as the membership details are stored on the SQL server)
The webserver and the SQL server are on different machines on the same network, there is a user account set up just for the web application to use.
The connection string should look something like:
< add name="MyConnectionString" connectionString="Data Source=THESQLSERVER;Initial Catalog=TheDatabase;Persist Security Info=True; Integrated Security=True;Application Name=CRM.Sales" providerName=""/>
Where you use Integrated Security. Then your application pool should use an identity that has access to your sql server.
You would grant rights to that identity.