When I try to query the linked server outside of IIS, from console application everything works fine without any additional configuration.
When I try to query the linked server from website hosted in IIS, I
get the following error: Login failed for user 'DOMAIN\USER'.
Obviously, I can "fix" this problem by adding that user to SQL
Server, but why is it trying to access the SQL from user account and
not from application's pool account? Why don't I get error Login
failed for user 'IIS AppPool\MyApplicationPool'? Is there a way to
force it to use application pool?
Obviously, I can't access the Linked Server data without giving that user a read permissions on the folder. If I give permissions to Everyone - it works. If I give permissions to Users - it works...but which user is accessing the linked server data? Is it the MSSQL user? Is it the DOMAIN\USER?
Is there a simple way to do the following: Force application in IIS to authenticate with IIS AppPool\MyApplicationPool instead of local account so that I can simply give the read permissions on the folder to that application pool.
If I somehow manage to force it to use the app pool and configure the required permissions, did I bypass the double hop problem? Is there a need for Kerberos delegation?
Thank you in advance.
Related
I am deploying a web application with asp.net core 2.1 using IIS, the process completed successfully and the site is working as it should except for the database (which is a localdb instance) I always get this error:
SqlException: Cannot open database "Mydb" requested by the login. The login failed.
Login failed for user 'IIS APPPOOL\CORE'.
I already enabled loadUserProfile="true" and setProfileEnvironment="true"
in the applicationHost.config for the site pool
and using these links Link#1 - Link#2 I added the user 'IIS APPPOOL\CORE' with the right permissions to the database users and localdb with SSMS and using this Link I made sure all the SQL Server services are running and under the right port.
I also tried shared instances of localdb but didn't work either.
I saw some duplicates of this question but none of them worked for me.
I did manage to make it work under the local windows account the one I am logged in with, but I think it's not the right approach since it poses some security risks in case the site got hacked that's why virtual accounts are recommended for this use because they have limited access to system resources, so with this being said the connection string is fine and the problem should be with the virtual pool account not being able to access the database.
Is there something that I am missing?
When I deploy my app to a server, I'm getting the Login failed message. My DB and app are located on two separate physical machines. However this has not posed a problem when developing and testing locally and connecting out to the DB server; only after publishing.
Steps I've taken To attempt to resolve
In my Web.Config I've set Integrated security to false. When integrated security was true, it was giving the same error but with the machine name in place of the user name.
I placed valid credentials in the User ID: and Password: fields of the Web.Config. The credentials placed in Web.Config are also used to log into Sql Server Management Studio directly.
Within SSMS I've also verified those credentials will work under Windows Authentication and SQL Server Authentication.
Those credentials I've set in the app work when I log into the SSMS using Windows Authentication. Advice on how to resolve this would be greatly appreciated. Thanks!
By default, IIS runs your application under a local machine account. This account does not have any permissions to access your SQL Server. In order to achieve integrated security, you need grant it access. There are a few ways to do it, the thread Add IIS 7 AppPool Identities as SQL Server Logons will get you started.
Another way, which is preferred over adding the IIS account, is to create a service account in Active Directory and setting the App Pool Identity in IIS to the service account. Depending on your environment, you should work with your network admin and or DBA to set this up.
Your last option would be to simply use SQL Authentication.
I have asp web page application with Integrated Windows authentication checked on IIS and cleared the Anonymous Access box. From Advanced windows authentication I have Enable kernel-mode authentication checked.
Application pool runs with admin domain user and integrated mode.
When user clicks on some web page inside this app, I can see from log that domain user name is send to server and also I have values in Request.ServerVariables("AUTH_USER").
Everything fine, as it should be. I can see which user access application.
Now, the web page also access SQL database.
I have connection string, like:
"Provider=SQLOLEDB.1;Integrated Security=SSPI;..."
But when I access database, i get the following error:
Microsoft OLE DB Provider for SQL Server error '80040e4d'
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
How can i say, that connection to the sql server is made with app pool account and not anonymous?
i think that if you check the config file of the web site for the identity tag you will find it set as follow:
<identity impersonate="true"/>
in your configuration it should be:
<identity impersonate="false"/>
this way you tell iis to not impersonate whoever is logged on remotely via web but to use the account specified in the application pool.
here is a page with a brief description of the topic.
After 2 days of testing, i have finally manage to make it work.
There are two forms of impersonation:
"identity impersonate=false" is for application to run in the context of user or user defined in app pool.
But there is also impersonation for application pool to use the user to access the resource on disk. It is under Basic settings and Connect as.
Default is pass-through authentication.
I don't know what it has to do with access to external database, but after set this to the same user of app pool, everything works now.
I hope it will help somebody.
I am following http://msdn.microsoft.com/en-us/library/ff647294.aspx to add authentication to a WCF. My SQL Server is on a different machine than the development server. In Step 1, I am not using SQLExpress but using SQL Server 2012. When I get to the Step 8: Create a User in the User Store, under Security Tab of ASP.net Web Site Administration Tool I see the following message:
There is a problem with your selected data store. This can be caused by an invalid server name or credentials, or by insufficient permission. It can also be caused by the role manager feature not being enabled. Click the button below to be redirected to a page where you can choose a new data store.
The following message may help in diagnosing the problem: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
So looks like setting Windows Authentication is the problem. I am not sure what in the multi-step process I have to modify to add authentication to my WCF. Any help will be appreciated.
The example in Your link Access to SQL server is given to a local user NetworkService. This is the default Identity for the Application pool.
In Your case you cannot use a local user account, since the SQL Server is on a different machine.
You need to:
Create a domain account
Grant Access to SQL server to that domain account
Change the Identity for Your Application pool to that of the domain accout
I have a classic ASP app that I am trying to connect to a SQL Server 2008 database on a different server. The ASP app is being served from IIS7 on Windows Server 2008.
I have changed the web site's application pool to run under a specific windows account, that I have verified has access to the database on the remote server.
However, when I run the app in the browser, I get this error:
Application Error
Number: -2147217843 (0x80040E4D)
Source: Microsoft OLE DB Provider for SQL Server
Description: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
Why is it trying to connect using NT AUTHORITY\ANONYMOUS LOGON?
Does the App pool identity not apply to classic ASP code?
How can I make this connect as a specific user?
EDIT
Here is the connection string I am using:
Provider=SQLOLEDB.1;Data Source=myDbServer;Initial Catalog=myDatabase;Integrated Security=SSPI
For a site to use the application pool identity for classic ASP, you need to change the credentials used for Anonymous Authentication. By default, the site will be set to use a specific user, namely IUSR.
Select Authentication from the IIS area of your site, then select Anonymous Authentication followed by Edit. Change from Specific user to Application pool identity.
It's advisable to use Windows authentication (integrated security) over SQL authentication so that you don't have credentials in your config files so that if those files are compromised, you don't lose control of the credentials.
Does your app impersonate the caller? You need to enable constrained delegation: Configuring Servers for Delegation.
you should specify a username and password for the connection string www.connectionstrings.com or set the IIS application to run as a specific user however that would then render a lot of the security settings in IIS obsolete.
Provider=SQLNCLI10;Server=myServerAddress;Database=myDataBase;Uid=myUsername; Pwd=myPassword;
And have a look here: aspfaq
Lastly, make sure anonymous access is disabled on the IIS site so that it actually impersonates the user you selected instead of passing the anonymous tokens through.