I am running Server 2003 and client as Windows 7. I am trying to log-in to a website ( openjet.damanhealth.ae ). If my PC is running as Workgroup, I can log-in to the website and everything works normal. But when I join domain, the same website doesn't allow me to log-in and the error message appears as "User credentials are invalid". It looks like the website is failed in some authentication process. Even after dis-joining the same PC from domain, back to Workgroup, I am still unable to log-in.
Do I need to make some settings in the Group Policies? Right now I am running the Server with all default policies. No extra settings done in GP. What can be the changes Server has made in the client PC to stop working?
Related
The article https://learn.microsoft.com/en-us/windows/client-management/connect-to-remote-aadj-pc shows how to connect to an AAD joined PC from another AAD joined PC. I have followed these instructions.
The LENOVO Thinkcenter Edge machines are both brand new installs of Windows 10 updated to 10.0.19042.928 and registered to AAD with the same user. For testing, both PC are on the same network and have 10.6.2.xx IP's. Wireshark shows that the PC's can connect to each other. Remote Credential Guard has not been enabled. The standard "can't connect" error shows. Remote users now connected to Azure AD cannot work remotely. Can anyone advise?
sysdm.cpl
Remote Desktop
Enable Remote Desktop
Connecting
Failed
To make it working from any, even not AzureAD joint PC, just add
enablecredsspsupport:i:0
authentication level:i:2
at the end of RDP file. You may use any text editor to do it.
Credits to:
https://community.spiceworks.com/topic/2129388-remote-desktop-to-azuread-machine-not-working
To use remote desktop to an AzureAD connected PC, you need to change the Network Profile to Private for the network connection that you are using. This isn't documented and no error shows when you try to turn on Remote Desktop if Public is selected.
I was unable to get NLA working so followed this post to disable it..
Disable NLA
Good morning. I have several Django apps running in my work environment. All are running through Gunicorn on Ubuntu. I have a new app that must run on Windows for ODBC reasons. This new app is running in development mode on a Windows 10 PC. I run the dev server while logged in as a service account, it uses a trusted connection (local credentials as I understand) to query a SQL server and works perfectly. I ported this app (virtualenv and all) to a Windows Server 2012 r2 instance and run the dev server successfully from there using my domain admin credentials (again trusted_connection=yes).
I set up IIS on this server to run the app permanently and it appears to run. However, I get a django error page that says the SQL login failed for 'DOMAINNAME\SERVERNAME'.
I have tried editing my Application Pool to use the credentials of the working service account (Advanced Settings > Process Model > Identity). With this configuration I no longer see a Django error page, just Service Unavailable HTTP Error 503. I have tried 'recycling' and restarting the IIS service after the change but that has not worked.
Unfortunately, I do not have admin access to the SQL server to create or edit accounts. Is it possible to configure IIS to connect to SQL, through the app, using the service account credentials that I know work. If I were to configure the Application Pool successfully in this way should I still have the trusted connection setting in my connection string? Thanks!
Basic Problem:
I have a web application that accesses a SQL Server database on the same machine. The web app runs under its own app pool - let us call it MyAppPool. If I goto advanced settings in IIS Manager, I can see that MyAppPool runs under ApplicationPoolIdentity. When I make requests to the web app, I can open task manager and verify that the username of w3wp.exe is MyAppPool. In SQL Server, I have added a Windows User IIS AppPool\MyAppPool and given it necessary permissions to read from db. The problem is that I am getting a login failed for DOMAIN\MACHINE$ when a logon is attempted to SQL Server. Its beyond me. Why is the app not logging on as IIS AppPool\MyAppPool?
Details:
I know variants of this question have been asked elsewhere, but I am really stuck without a solution. I experimented adding a <identity impersonate="true" /> to the web.config. If I do this, I get a login failed for NT AUTHORITY\IUSR. I have tried accessing the web app from the machine on which it is hosted and get same login error. I am running IIS8, Windows Server 2012, and SQL Server 2012.
Closest question I could find is Why is my MVC app trying to log into my DB as my machine, and not as the App Pool identity?, and the solutions provided do not work. I cannot change Integrated Security to be false (I had this thing running in the past). Quoting https://stackoverflow.com/a/15145488/147530:
ApplicationPoolIdentity uses IIS AppPool\ApplicationPool for local
access, but DOMAIN\MACHINE-NAME$ for remote access
sounds reasonable. Question is why is ApplicationPoolIdentity not using IIS AppPool\MyAppPool identity when db is hosted on same machine??
Quoting another SO post, IIS application using application pool identity loses primary token?:
This application also connects to a SQL Server database using
Integrated Security=true in the connection string. If the database is
local, then we see that IIS APPPOOL\OurAppPoolName is used to connect
to the database; if the database is remote, then the machine account
OURDOMAIN\ourwebserver$ is used.
This is the behavior I want, but not getting it, and that is what I am asking in this question - I don't want to give permissions to DOMAIN\MACHINE-NAME$ to log onto SQL Server. Quoting https://stackoverflow.com/a/15445280/147530:
I think that's a bad idea, however, because it authorizes any program
running as NetworkService to access the database - not just your web
applications.
I tried one more thing, which was to enable Windows Authentication on IIS8 using this link http://www.iis.net/learn/install/installing-iis-85/installing-iis-85-on-windows-server-2012-r2#ModulesinIIS85 but this has also not solved the problem.
Fixed this problem. In SSMS, there is a path machine -> security -> logins which contains users who can log onto the machine. I had not added the apppool to this list. I had only added the apppool to machine -> databases -> my database -> security -> users
We have an ASP site using Windows authentication to connect to a SQLServer database. There are three instances of the web site, a Dev environment (located on my Workstation), an UAT environment and a production environment, which are on separate servers.
When I access the Dev site (which uses the same DB as the UAT site) I have no issues, the site connects to the database using my Windows account. However when I connect to the UAT site, it uses a different account (one which belongs to me but is not connected to my default Windows login) which is not permissioned on the DB, so the site returns the following error:
Microsoft OLE DB Provider for SQL
Server error '80004005'
Cannot open database requested in login 'ANAML'. Login fails.
/inc/dbconnect.asp, line 4
The ASP files on the Dev and UAT sites are identical, so can anyone explain why the UAT site might be using the incorrect Windows account? This only affects me, from all workstations, and no other users.
Have rebooted the server and my workstation, and cleared my internet files locally.
I found the answer at this page on ServerFault. Seems the login details for the UAT server had been stored in the Users control panel at some point. Deleting the relevant entry in the control panel restored the correct login when connecting to the website.
Well, my ASP knowledge has mostly faded but I'll see what comes out of my brain. My first thought would be that the Virtual Directory security is configured differently on the server where it is failing. It sounds like you would need it to be set to "Integrated Windows Authentication" only.
If that is set correctly then I'd ask about your connection string. Does your connection string specify Trusted Connection (e.g. it does not specify a username and password)?
Where does the ANAML account come from? Is it a SQL only login or is it a windows account?
I have a web site running on IIS on my localhost. This web site has directory security set to only allow Integrated Windows Authentication. It is part of an intranet and needs to authenticate by our domain accounts.
I then connect to SQL Server with Integrated Security = SSPI in the connection string.
This works fine with Microsoft Internet Explorer, it automatically authenticates me as I am logged into the domain, and I can see that the logon_user is my domain account, and the SQL Server connection string works just fine.
However, when I log-in using Firefox, things are different.
Firstly, I am prompted to authenticate, which is fine and correct as Firefox is not configured to trust the localhost enough to automatically send credentials (and indeed I am aware of how to introduce this trust already, this is not the problem). I then login, which again is fine, provided I enter the domain account details everything is fine. Indeed, a debug statement or two show that logon_user is still my domain account and everything is fine.
However, when I come to connect to SQL Server (which is running on a remote server box, to which my domain account has full sysadmin privileges), I get the following error:
Microsoft OLE DB Provider for SQL Server (0x80040E4D)
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
This indicates to me that something is wrong in the authentication stack, for some reason, IIS is not running as the authenticated account when I authenticate using windows authentication from firefox.
This also works fine when using Google Chrome.
Any suggestions?
AS noted by Pontus Gagge, IIS needs to pass a Kerberos ticket to SQL Server. That was enough to tip my Google-fu in the right direction.
Firefox supports Kerberos, but, you have to tell it which domains it trusts to send the Kerberos tokens too.
Open Firefox
In the address bar type: about:config
Firefox3.x and later requires you to agree that you will proceed with caution.
After the config page loads, in the filter box type: network.negotiate-auth
Modify network.negotiate-auth.trusted-uris by double clicking the row and enter yourdomain.com
Multiple domains can be added by comma delimiting them such as yourdomain.com, yourotherdomain.com
Note: This is not the same as gbn's solution which just configures firefox to not prompt you to enter domain account details on login.
Also, if you have already tried to authenticate through the stack in your current Firefox session, you will need to restart Firefox for this to work.
Open Firefox
In the address bar type: about:config
Firefox3.x and later requires you to agree that you will proceed with caution.
After the config page loads, in the filter box type: network.automatic
Modify network.automatic-ntlm-auth.trusted-uris by double clicking the row and enter http://www.replacewithyoursite.com
Multiple sites can be added by comma delimiting them such as http://www.replacewithyoursite.com, http://www.replacewithyourintranetsite.com
I also use IEtab add-on for the intranet sites
IIS needs to pass a Kerberos ticket to SQL Server for this scenario to work. MSIE is picking up the workstation session ticket, whereas Firefox is negotiating its own authentication (and not Kerberos).
Check out e.g. this dense blog post as a starting point for understanding what is needed. I'm not sure if FF support MS-Kerberos.
Be aware that even getting MSIE->IIS->SQL Server authentication can be tricky if you have the wrong versions or trust configuration...