I have asp web page application with Integrated Windows authentication checked on IIS and cleared the Anonymous Access box. From Advanced windows authentication I have Enable kernel-mode authentication checked.
Application pool runs with admin domain user and integrated mode.
When user clicks on some web page inside this app, I can see from log that domain user name is send to server and also I have values in Request.ServerVariables("AUTH_USER").
Everything fine, as it should be. I can see which user access application.
Now, the web page also access SQL database.
I have connection string, like:
"Provider=SQLOLEDB.1;Integrated Security=SSPI;..."
But when I access database, i get the following error:
Microsoft OLE DB Provider for SQL Server error '80040e4d'
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
How can i say, that connection to the sql server is made with app pool account and not anonymous?
i think that if you check the config file of the web site for the identity tag you will find it set as follow:
<identity impersonate="true"/>
in your configuration it should be:
<identity impersonate="false"/>
this way you tell iis to not impersonate whoever is logged on remotely via web but to use the account specified in the application pool.
here is a page with a brief description of the topic.
After 2 days of testing, i have finally manage to make it work.
There are two forms of impersonation:
"identity impersonate=false" is for application to run in the context of user or user defined in app pool.
But there is also impersonation for application pool to use the user to access the resource on disk. It is under Basic settings and Connect as.
Default is pass-through authentication.
I don't know what it has to do with access to external database, but after set this to the same user of app pool, everything works now.
I hope it will help somebody.
Related
When I deploy my app to a server, I'm getting the Login failed message. My DB and app are located on two separate physical machines. However this has not posed a problem when developing and testing locally and connecting out to the DB server; only after publishing.
Steps I've taken To attempt to resolve
In my Web.Config I've set Integrated security to false. When integrated security was true, it was giving the same error but with the machine name in place of the user name.
I placed valid credentials in the User ID: and Password: fields of the Web.Config. The credentials placed in Web.Config are also used to log into Sql Server Management Studio directly.
Within SSMS I've also verified those credentials will work under Windows Authentication and SQL Server Authentication.
Those credentials I've set in the app work when I log into the SSMS using Windows Authentication. Advice on how to resolve this would be greatly appreciated. Thanks!
By default, IIS runs your application under a local machine account. This account does not have any permissions to access your SQL Server. In order to achieve integrated security, you need grant it access. There are a few ways to do it, the thread Add IIS 7 AppPool Identities as SQL Server Logons will get you started.
Another way, which is preferred over adding the IIS account, is to create a service account in Active Directory and setting the App Pool Identity in IIS to the service account. Depending on your environment, you should work with your network admin and or DBA to set this up.
Your last option would be to simply use SQL Authentication.
When I try to query the linked server outside of IIS, from console application everything works fine without any additional configuration.
When I try to query the linked server from website hosted in IIS, I
get the following error: Login failed for user 'DOMAIN\USER'.
Obviously, I can "fix" this problem by adding that user to SQL
Server, but why is it trying to access the SQL from user account and
not from application's pool account? Why don't I get error Login
failed for user 'IIS AppPool\MyApplicationPool'? Is there a way to
force it to use application pool?
Obviously, I can't access the Linked Server data without giving that user a read permissions on the folder. If I give permissions to Everyone - it works. If I give permissions to Users - it works...but which user is accessing the linked server data? Is it the MSSQL user? Is it the DOMAIN\USER?
Is there a simple way to do the following: Force application in IIS to authenticate with IIS AppPool\MyApplicationPool instead of local account so that I can simply give the read permissions on the folder to that application pool.
If I somehow manage to force it to use the app pool and configure the required permissions, did I bypass the double hop problem? Is there a need for Kerberos delegation?
Thank you in advance.
I am following http://msdn.microsoft.com/en-us/library/ff647294.aspx to add authentication to a WCF. My SQL Server is on a different machine than the development server. In Step 1, I am not using SQLExpress but using SQL Server 2012. When I get to the Step 8: Create a User in the User Store, under Security Tab of ASP.net Web Site Administration Tool I see the following message:
There is a problem with your selected data store. This can be caused by an invalid server name or credentials, or by insufficient permission. It can also be caused by the role manager feature not being enabled. Click the button below to be redirected to a page where you can choose a new data store.
The following message may help in diagnosing the problem: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
So looks like setting Windows Authentication is the problem. I am not sure what in the multi-step process I have to modify to add authentication to my WCF. Any help will be appreciated.
The example in Your link Access to SQL server is given to a local user NetworkService. This is the default Identity for the Application pool.
In Your case you cannot use a local user account, since the SQL Server is on a different machine.
You need to:
Create a domain account
Grant Access to SQL server to that domain account
Change the Identity for Your Application pool to that of the domain accout
When I run my website from Visual Studio it all works fine. Now I am trying to move forward and start testing the multi tenancy part, so I had to move my website to IIS.
For some reason I can't get access to the database. The error I get when I open a page that requires database access is:
Cannot open database "GWD" requested by the login. The login failed.
Login failed for user 'IIS APPPOOL\gwd'.
Exception Details: System.Data.SqlClient.SqlException: Cannot open
database "GWD" requested by the login. The login failed. Login failed
for user 'IIS APPPOOL\gwd'.
Another forum describes how to add NT AUTHORITY\NETWORK SERVICE. But that doesn't resolve the issue. I did create the NT AUTHORITY\NETWORK SERVICE and added the dbowner for all existing databases (including master) but no result.
I am out of ideas, can anybody help?
You'll need to change the application pool identity to NETWORK SERVICE as well. Fire up Internet Information Services (IIS) Manager, drill down to Application Pools, and select the Application Pool that you're using. (Not sure? Drill down to your virtual directory under Sites on the left side and then click Basic Settings on the right.) Then click your Application Pool, click Advanced Settings, and then change Identity under Process Model to NetworkService.
In SQL Server Management Studio, you'll need to add the NT AUTHORITY\NETWORK SERVICE user under Security for your database, but it sounds like you already did that.
You see the error "Cannot open database "GWD" requested by the login. The login failed. Login failed for user 'IIS APPPOOL\gwd....." because you copy the application to the IIS server and the membership provider has been added in the web.config file without an applicationName attribute.
I suggest you add an “applicationName” attribute to your provider declaration. Example:
<membership>
<providers>
<add name ....
.
.
.
.
applicationName="/yourWebApp" />
</providers>
</membership>
Just look in the aspnet_Application table to find out the application name that was used when creating the users/data during development.
I hope it helps.
#Nicholas Piasecki has offered one potential solution, and the other would be to leave the app pool as it, and instead grant the AppPoolIdentity that it is currently running under access to the database instead.
First, you'd need to add a new Windows login to the SQL Server for the user: 'IIS APPPOOL\gwd'.
Once you do that, you'll be able to add that user to the database with the appropriate permissions, just as you did for Network Service.
i think you must read this article
Configure IIS, asp.net and SQL Server from codeproject
In this article you will learn how to configure IIS and SQL Server using Network SERVICE (with screenshot)
Content of this article
Install IIS
Configure IIS for Network SERVICE
Configure SQL Server PERMISSIONs
On your IIS
Select the application pool you use on your site > right click > click Advance Settings. On Identity select "NetworkService"
enter image description here
On you database [SQL]
Create Login for NT AUTHORITY\NETWORK SERVICE. Modify User Mapping
enter image description here
I have a classic ASP app that I am trying to connect to a SQL Server 2008 database on a different server. The ASP app is being served from IIS7 on Windows Server 2008.
I have changed the web site's application pool to run under a specific windows account, that I have verified has access to the database on the remote server.
However, when I run the app in the browser, I get this error:
Application Error
Number: -2147217843 (0x80040E4D)
Source: Microsoft OLE DB Provider for SQL Server
Description: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
Why is it trying to connect using NT AUTHORITY\ANONYMOUS LOGON?
Does the App pool identity not apply to classic ASP code?
How can I make this connect as a specific user?
EDIT
Here is the connection string I am using:
Provider=SQLOLEDB.1;Data Source=myDbServer;Initial Catalog=myDatabase;Integrated Security=SSPI
For a site to use the application pool identity for classic ASP, you need to change the credentials used for Anonymous Authentication. By default, the site will be set to use a specific user, namely IUSR.
Select Authentication from the IIS area of your site, then select Anonymous Authentication followed by Edit. Change from Specific user to Application pool identity.
It's advisable to use Windows authentication (integrated security) over SQL authentication so that you don't have credentials in your config files so that if those files are compromised, you don't lose control of the credentials.
Does your app impersonate the caller? You need to enable constrained delegation: Configuring Servers for Delegation.
you should specify a username and password for the connection string www.connectionstrings.com or set the IIS application to run as a specific user however that would then render a lot of the security settings in IIS obsolete.
Provider=SQLNCLI10;Server=myServerAddress;Database=myDataBase;Uid=myUsername; Pwd=myPassword;
And have a look here: aspfaq
Lastly, make sure anonymous access is disabled on the IIS site so that it actually impersonates the user you selected instead of passing the anonymous tokens through.