I am trying to deploy an Always Encrypted app to Amazon AWS. There is a 2016 RDS database and a Windows Server 2016 hosting the ASP.NET 4.6 app.
On the Windows Server, when the application is run under Network Service or the Application Pool Identity, we get what I'm pretty sure is this exact problem.
Our Error:
System.Data.SqlClient.SqlException (0x80131904): Execution Timeout Expired. The timeout period elapsed prior to completion of the operation or the server is not responding. ---> System.ComponentModel.Win32Exception (0x80004005): The wait operation timed out
We tried the solution in that post and it didn't work
We tried the solution in this post and couldn't get the powershell script to return enything except runtime exceptions. I am not very familiar with powershell so maybe I don't understand the script.
If we import the certificate to the Andministrator account, and run the IIS app pool with the Administrator account then everything works fine (not a connectivity issue or anything)
We tried importing the certificate to the local computer "Personal" certificates and giving the application account full control of the keys
We tried importing the certificate to the local computer Trusted Root Certification Authorities (as suggested in a s/o post somewhere).
We tried running certmgr with "runas" for both the DefaultAppPool and Network Service account, but when prompted for the password did not know what that would be (blank password did not work). I even looked up the DefaultAppPool password as suggested here and according to that output the password is blank.
So far nothing (apart from running the app as Administrator) as worked and we're at a loss what to try next. We've looked high and low for some sort of "Microsoft Official Deployment Guide" but all that is out there is tutorials on how to get Always Encrypted working in a local dev environment, nothing about server deployment.
When you originally created the Always Encrypted Keys for the SQL database did you generate them in the Current User Certificate Store or the Local Machine Certificate Store? It turns out its really important to place them under Local Machine. This was the issue for me when I tried to deploy my web app to our web server. No matter where I installed the certificate on the server, SQL was still looking for it under Current User which IIS cannot see and Manage Private Key does not appear for this store so you can't assign IIS user accounts to it (at least I couldn't).
Once I'd temporarily reset my table fields to plain text, deleted the master and encryption keys and regenerated them under Local Machine on my PC, and exported the certificate, it installed into the Local Machine/Personal store just fine and all I had to do was give IIS_IUSRS permissions using "Manage Private Key" to clear the remaining "Keyset does not exist" error. Hope this saves someone else a day of googling.
Related
I am trying to connect PostgreSQL database to Power Bi. Database is hosted on Heroku. I am getting the following error -
An error happened while reading data from the provider:
'The remote certificate is invalid according to the validation procedure.
I think i am getting this error because it needs "sslmode=require". but I am not sure how to proceed.
Can someone help me with this problem.
Thanks in advance.
These steps should help you connect to Power BI desktop via ODBC. Note, you should probably create a follower database in heroku so you're not using your production database credentials.
Download PostgreSQL ODBC driver and install. Note, be sure to check the GAC option during installation (https://www.postgresql.org/ftp/odbc/versions/msi/).
Restart computer.
Open Power BI and click "Get Data" button in the ribbon.
Click "Other" and then select "ODBC".
Choose "None" as the data source name.
Click the "Advanced options" and enter this connection string:
Driver={PostgreSQL Unicode};Server=HEROKU_HOST, where HEROKU_HOST is the "Host" from your heroku database credentials (example: ec2-xx-xxx-xx-xx.xxx.amazon.com).
On the next screen, enter the user name (user from heroku db credentials), password (password from heroku db credentials), and for connection string enter the following (with HEROKU_XXXX replaced with your info:
PORT=HEROKU_PORT;DATABASE=HEROKU_DATABASE;POOLING=True;MINPOOLSIZE=1;MAXPOOLSIZE=20;HOST=HEROKU_HOST;COMPATIBLE=2.2.3.0;USER ID=HEROKU_USER;PASSWORD=HEROKU_PASSWORD;SSLMODE=require
I don't use Heroku but had a similar problem with AWS and had to configure the db provider and certificates as described below. I would think that something similar is needed for Heroku.
I did some digging and found 2 possible solutions for Heroku:
Supply the additional settings sslmode=Require;Trust Server Certificate=true in the database connection. This does not seem to be an option with PowerBI, because even under "Advanced Settings" there is nowhere to provide these.
Download the certificate for you database as described here and then follow much the same process as I did below to register the certificate with Windows. If Heroku supplies a P7B (PKCS#7 or pfx (PKCS#12) format certificate you can register that with Windows without having to do the conversion I described.
My setup of the Npgsql provider and AWS Certificates
PowerBI and Excel support connections to Postgres using the Npgsql .NET Data Provider. This provider is not installed by default on Windows. Here's how to install it:
Download the appropriate .msi installer from the Npgsql releases page. The version you need depends on your version of Excel. I am running Office 365, which required version 4.0.x (I installed 4.0.10, download here).
Run the installer. During the install there is an option to install to the GAC which is switched off by default - you must select to have the files installed to the GAC.
Reboot your computer and you should be able to connect setup a Postgres connection in PowerBI or Excel.
AWS RDS Postgres - additional requirement
If you are connecting to a Postgres cluster running in AWS, when you attempt to connect to Postgres after installing the Npgsql provider you may get an error saying:
"The remote certificate is invalid according to the validation procedure"
Here's how to fix it:
Download the public keys for AWS RDS regions: https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem
Convert the bundle to a Windows certificate in P7B/PKCS#7 format. There are many ways to do this, and easy one is to use https://www.sslshopper.com/ssl-converter.html.
In Windows, search for the "Manage User Certificates" utility and open it.
Right-click on "Trusted Root Certificate Authorities", "All Tasks", "Import..."
Select the .p7b file which was the output of converting the AWS keys to P7B format.
Choose to place all certificates in the Trusted Root Certification Authorities store.
You will probably have to confirm for each certificate - there is one per AWS region
You should now be able to connect to your AWS RDS Postgres database from PowerBI or Excel.
You need to check if the host based authentication in your postgres database is allowing this from connection from POWERBI.
[https://www.postgresql.org/docs/current/auth-pg-hba-conf.html][1]
The file is usually available in the postgres data folder and the structure is like below. Make sure the client host, username have the right permissions to access the database.
local database user auth-method [auth-options]
Note: If you are using a cluster manager like patroni, the pg_hba.conf file will be overwritten by Patroni every time you edit it. you will have to edit this configuration from the patronictl command.
I have just finished the development of my application on asp.net mvc connected with SQL server, and I will love to deploy it. I want to use Azure App service, but I got an error "Unable to connect to master or target server 'DATABASE_NAME'. You must have a user with the same password in master or target server 'DATABASE_NAME'". I have tried every thing I found online like modifying the SSDT, but nothing changed.
Please is there any recommendation to fix this issue? If not, Please what are other ways for me to launch the application. The application will be used internally for Sales purpose and I don't need any fancy hosting. Thank you in advance.
Did you setup the sql azure firewall to accept connections from your computer?
Even if you set it up once, it is possible that your internet provider attributed a different IP address to your computer. So you must redo your firewall set up again for your computer to be accepted.
It is important to know that only sql logins/passwords are accepted here. So you must give the login/password of the admin user that you mentioned at the moment of creation of you sql server azure (there is a step that sets it up when you create your azure database), or the login/password of a user you created and granted in this database.
I have a .NET MVC project that gets its data from a SQL database.
When I run the project in debug mode on my local machine, it runs without error; however, after I deploy the project to my IIS server (version 6 I believe) using Microsoft's Publish Wizard (create a .zip, move that .zip to the wwwRoot folder the website is pointed at), I encounter an issue: I access the website's main page via URL address, but when I enter the login ID, it produces a built-in error message "Invalid user ID".
The only time this error ever occurs when a valid ID is entered is if the database cannot be reached to check login credentials. So, using SQL Profiler, I tried to see if a query was made to the database - it appears that the answer is "no".
I have verified that the connection strings are configured correctly in the IIS environment, and can safely assume that there are no code-related errors with regards to this issue.
The question: What other troubleshooting methods are available for IIS and SQL interactions to see what the root of this error is, or what suggestions might you have to try and eliminate the problem
Add the user to the database logins and grant this user access to the database. Connection string in your code should have its credentials. Reason why it works on your machine is likely because you are sysadmin or something on the server. Look up a way to enter credentials in your connection string's parameters.
https://www.youtube.com/watch?v=Sp6lR15iWMk
Basic Problem:
I have a web application that accesses a SQL Server database on the same machine. The web app runs under its own app pool - let us call it MyAppPool. If I goto advanced settings in IIS Manager, I can see that MyAppPool runs under ApplicationPoolIdentity. When I make requests to the web app, I can open task manager and verify that the username of w3wp.exe is MyAppPool. In SQL Server, I have added a Windows User IIS AppPool\MyAppPool and given it necessary permissions to read from db. The problem is that I am getting a login failed for DOMAIN\MACHINE$ when a logon is attempted to SQL Server. Its beyond me. Why is the app not logging on as IIS AppPool\MyAppPool?
Details:
I know variants of this question have been asked elsewhere, but I am really stuck without a solution. I experimented adding a <identity impersonate="true" /> to the web.config. If I do this, I get a login failed for NT AUTHORITY\IUSR. I have tried accessing the web app from the machine on which it is hosted and get same login error. I am running IIS8, Windows Server 2012, and SQL Server 2012.
Closest question I could find is Why is my MVC app trying to log into my DB as my machine, and not as the App Pool identity?, and the solutions provided do not work. I cannot change Integrated Security to be false (I had this thing running in the past). Quoting https://stackoverflow.com/a/15145488/147530:
ApplicationPoolIdentity uses IIS AppPool\ApplicationPool for local
access, but DOMAIN\MACHINE-NAME$ for remote access
sounds reasonable. Question is why is ApplicationPoolIdentity not using IIS AppPool\MyAppPool identity when db is hosted on same machine??
Quoting another SO post, IIS application using application pool identity loses primary token?:
This application also connects to a SQL Server database using
Integrated Security=true in the connection string. If the database is
local, then we see that IIS APPPOOL\OurAppPoolName is used to connect
to the database; if the database is remote, then the machine account
OURDOMAIN\ourwebserver$ is used.
This is the behavior I want, but not getting it, and that is what I am asking in this question - I don't want to give permissions to DOMAIN\MACHINE-NAME$ to log onto SQL Server. Quoting https://stackoverflow.com/a/15445280/147530:
I think that's a bad idea, however, because it authorizes any program
running as NetworkService to access the database - not just your web
applications.
I tried one more thing, which was to enable Windows Authentication on IIS8 using this link http://www.iis.net/learn/install/installing-iis-85/installing-iis-85-on-windows-server-2012-r2#ModulesinIIS85 but this has also not solved the problem.
Fixed this problem. In SSMS, there is a path machine -> security -> logins which contains users who can log onto the machine. I had not added the apppool to this list. I had only added the apppool to machine -> databases -> my database -> security -> users
We have an ASP site using Windows authentication to connect to a SQLServer database. There are three instances of the web site, a Dev environment (located on my Workstation), an UAT environment and a production environment, which are on separate servers.
When I access the Dev site (which uses the same DB as the UAT site) I have no issues, the site connects to the database using my Windows account. However when I connect to the UAT site, it uses a different account (one which belongs to me but is not connected to my default Windows login) which is not permissioned on the DB, so the site returns the following error:
Microsoft OLE DB Provider for SQL
Server error '80004005'
Cannot open database requested in login 'ANAML'. Login fails.
/inc/dbconnect.asp, line 4
The ASP files on the Dev and UAT sites are identical, so can anyone explain why the UAT site might be using the incorrect Windows account? This only affects me, from all workstations, and no other users.
Have rebooted the server and my workstation, and cleared my internet files locally.
I found the answer at this page on ServerFault. Seems the login details for the UAT server had been stored in the Users control panel at some point. Deleting the relevant entry in the control panel restored the correct login when connecting to the website.
Well, my ASP knowledge has mostly faded but I'll see what comes out of my brain. My first thought would be that the Virtual Directory security is configured differently on the server where it is failing. It sounds like you would need it to be set to "Integrated Windows Authentication" only.
If that is set correctly then I'd ask about your connection string. Does your connection string specify Trusted Connection (e.g. it does not specify a username and password)?
Where does the ANAML account come from? Is it a SQL only login or is it a windows account?