Wondering if anyone has encountered this authentication issue? My web server is running IIS7 on a Windows Server 2008 machine and the .NET 4.0 runtime. The virtual directory for my application has ASP.NET impersonation and Windows authentication turned on. Anonymous, Basic, Digest and Forms Authentication are turned off.
"There was a failure using the default 'ProfileProvider'. Please make sure it is configured correctly. Failed to generate an instance of SQL Server due to a failure in starting the process for the user instance. The connection will be closed."
Due to this error, my Silverlight 4 application is unable to retrieve the current user's windows loginid
information. The error does not happen locally on my dev machine, but only out on the deployed IIS server. I have fiddled with the roleManager config value and tried setting it to true and commenting out the whole entry, but I'm still seeing the same error message.
Hoping someone out there has come across this error and a solution/explanation for what's causing it to happen.
thanks in advance,
John
Here are my current web.config authentication and role settings. (angle brackets omitted)
roleManager enabled="false"
identity impersonate="true"
authentication mode="Windows"
After a lot of experimentation and googling, turns out that there was a profile section in my web.config file.
<profile enabled="false">
<properties>
<add name="FriendlyName" />
</properties>
</profile>
I needed to add enabled="false" to the profile tag to turn off any default ProfileProvider functionality to the site.
Why it isn't set to false, by default, is beyond me.
I faced exactly same issue mentioned in this question and the following simple steps solved it:
Open IIS Manager
Select Application Pools from the Connections pane.
Then select the application pool you use with your application.
Select Advanced Settings... from Actions pane.
Now turn Load User Profile option to True then hit OK
That's all.
Related
I have two identical Windows 2012 R2 environments. One is for development and the other is for staging.
For my server-side language I am using PHP and the Laravel 4.1 Framework.
I have a service account that I use for both environments to connect to our MSSQL development database. I set the service account to the application pool and assign that application pool to the application within IIS 8.5. I have done this numerous times with no issues. This avoids us storing the password in the PHP database config file within Laravel.
Now, the application I built is running fine in development. I can connect to the database using the method described above. I copied the identical code over to staging, again using the same environment and the same service account, but I get the dreaded:
PDOException
SQLSTATE[28000]: [Microsoft][ODBC Driver 11 for SQL Server][SQL Server]Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
Because it is working in development with no issues and because I have other applications on my staging box that are successfully able to connect, I am at a complete loss as to why this application can't connect in test. I spent hours yesterday troubleshooting with no luck.
Any ideas?
The issue had to do with the ApplicationHost.config file. The other applications and app pools had an attribute of userName="" which the application that was causing the issue did not. I manually added the attribute and this resolved my issue.
<location path="Default Web Site/application-name">
<system.webServer>
<security>
<authentication>
<basicAuthentication enabled="false" />
<anonymousAuthentication enabled="true" userName="" />
</authentication>
</security>
<handlers>
Basic Problem:
I have a web application that accesses a SQL Server database on the same machine. The web app runs under its own app pool - let us call it MyAppPool. If I goto advanced settings in IIS Manager, I can see that MyAppPool runs under ApplicationPoolIdentity. When I make requests to the web app, I can open task manager and verify that the username of w3wp.exe is MyAppPool. In SQL Server, I have added a Windows User IIS AppPool\MyAppPool and given it necessary permissions to read from db. The problem is that I am getting a login failed for DOMAIN\MACHINE$ when a logon is attempted to SQL Server. Its beyond me. Why is the app not logging on as IIS AppPool\MyAppPool?
Details:
I know variants of this question have been asked elsewhere, but I am really stuck without a solution. I experimented adding a <identity impersonate="true" /> to the web.config. If I do this, I get a login failed for NT AUTHORITY\IUSR. I have tried accessing the web app from the machine on which it is hosted and get same login error. I am running IIS8, Windows Server 2012, and SQL Server 2012.
Closest question I could find is Why is my MVC app trying to log into my DB as my machine, and not as the App Pool identity?, and the solutions provided do not work. I cannot change Integrated Security to be false (I had this thing running in the past). Quoting https://stackoverflow.com/a/15145488/147530:
ApplicationPoolIdentity uses IIS AppPool\ApplicationPool for local
access, but DOMAIN\MACHINE-NAME$ for remote access
sounds reasonable. Question is why is ApplicationPoolIdentity not using IIS AppPool\MyAppPool identity when db is hosted on same machine??
Quoting another SO post, IIS application using application pool identity loses primary token?:
This application also connects to a SQL Server database using
Integrated Security=true in the connection string. If the database is
local, then we see that IIS APPPOOL\OurAppPoolName is used to connect
to the database; if the database is remote, then the machine account
OURDOMAIN\ourwebserver$ is used.
This is the behavior I want, but not getting it, and that is what I am asking in this question - I don't want to give permissions to DOMAIN\MACHINE-NAME$ to log onto SQL Server. Quoting https://stackoverflow.com/a/15445280/147530:
I think that's a bad idea, however, because it authorizes any program
running as NetworkService to access the database - not just your web
applications.
I tried one more thing, which was to enable Windows Authentication on IIS8 using this link http://www.iis.net/learn/install/installing-iis-85/installing-iis-85-on-windows-server-2012-r2#ModulesinIIS85 but this has also not solved the problem.
Fixed this problem. In SSMS, there is a path machine -> security -> logins which contains users who can log onto the machine. I had not added the apppool to this list. I had only added the apppool to machine -> databases -> my database -> security -> users
I have a situation where clients connecting to my webservice(that exists on another server) must access SQL Server databases and SSAS servers.
It must use the credentials of the client that is calling the service when accessing the SQL Servers and SSAS cubes.
For this to work I do
var winId = HttpContext.Current.User.Identity as WindowsIdentity;
var ctx = winId.Impersonate();
//Access Database/SSAS
ctx.Undo();
in my service which works fine when accessing SQL Server databases.
However when I access the SSAS servers I get
"The connection either timed out or was lost"
There are a number of posts like
http://denglishbi.wordpress.com/2009/03/31/windows-server-2008-kerberos-bug-%E2%80%93-transport-connection-issues-with-ssas-data/
http://sqlblogcasts.com/blogs/drjohn/archive/2009/03/28/kerberos-kills-large-mdx-queries-on-windows-server-2008-ssas.aspx
on this but I am using Windows Server 2008 R2
where my service lives so this should not be a problem as this bug should have been fixed by Microsoft.
Any information as to how to best diagnose this problem would be appreciated.
To clarify the SSAS servers do have SPNs. This was actually working at one point but has now stopped. Appears no sign of duplicate SPNs or anything.
What is interesting is it works intermittently on one SSAS server but seems to work all the time for the other.
They both have named SPNs as mentioned by this document
https://support.pyramidanalytics.com/entries/22056243-Configuring-Kerberos-Delegation-for-Named-Instances-of-SSAS-with-Active-Directory-and-additional-pro
My production environment is a load-balanced (and under heavy load) on a very large corporate Active Directory network. The following took a lot of testing to finally nail down settings that work.
I also run on Windows 2008 Server R2
My web services are in ASP.NET in IIS. For authentication I enabled "Windows Auth" and "ASP.NET Impersonation". Kernel mode is disabled and provider is "Negotiate:Kerboros"
SPNS and Trusted Delegation are setup for an AD account. My AD account looks like sys_myservice (sys_ is just a naming convention at my company)
The Application Pool identity is set to use the sys_myservice
After you make all these changes in your dev env, restart the entire server. For some odd reason this is always necessary when we bring on new servers and configure them.
With this setup my web services access SSAS, SQL Server, and more that use Windows Kerboros auth and all queries are performed correctly under the user's credentials.
The difference in my setup from yours is ASP.NET Impersonation is enabled at the IIS level. I had trouble doing the impersonation in code which is what you are trying to do. If you get code-level impersonation to work with your workflow I would be really interested in seeing you post an update.
Forgot to mention. My services are in a MVC application, I apply a global filter to all Action methods to force the application to authenticate all connections.
public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
filters.Add(new HandleErrorAttribute());
filters.Add(new System.Web.Mvc.AuthorizeAttribute());
}
and in my web.config system.web section
<authentication mode="Windows" />
<identity impersonate="true" />
I agree that the intermittently 'successful' SSAS instance is suspicious. I wonder if it's really using Kerberos all the time. Could be using a combination of negotiate/NTLM and Kerberos, with one auth method actually working and the other approaching failing. Might be worth another look at the SPN. This link might help: http://msdn.microsoft.com/en-us/library/dn194200.aspx
Did you try using Wireshark or any other Network Analysis tools to see anything red happening at that point of failure? Probably its better if you provide more troubleshooting observations from your end.
Also, does your web services has a Load balancer?
Regards,
Sasi.
I configured SSRS 2008 on a remote server.
I can access the report manager from my local machine using http://SERVER_NAME/Reports_INSTANCE_NAME
problem is that when I try to deploy a report from BIDS, I get the "reporting services login" dialog box that asks me for user and password. I try my AD user and it doesnt work.
I already added myself to all possible roles, including System Administrator.
I saw online that the problem maybe with the IIS website that must be configured to allow anonymous access. That's fine, but where can I configure that since SSRS2008 doesn't create the websites on IIS anymore (also read that online) and I don't seem to have this possibility using the Reports Service Configuration Manager
Take a look at the link below...it's in reference to 2008 CTP, but there are still some items to check in your setup...
http://blogs.msdn.com/b/lukaszp/archive/2008/03/26/solving-the-reporting-services-login-issue-in-the-february-ctp-of-sql-server-2008.aspx
Similar issue / resolution here as well...
Repeated Reporting Services Login issue when deploying through BIDS to a remote server
In your report configuration file, try removing the RSWIndowsNegotiate from the Authentication tag:
<Authentication>
<AuthenticationTypes>
<RSWindowsNegotiate />
</AuthenticationTypes>
<EnableAuthPersistence>true</EnableAuthPersistence>
</Authentication>
After rebooting the Windows 2003 Server with the IIS I receive the follow error message:
Cannot connect to the configuration database
in the browser. The error occur on different pages and with different clients. that I think it is a server problem.
What can I do to solve this error?
A quick web search suggests that this error message is probably coming from SharePoint Services, and indicates that SharePoint cannot connect to its database.
There seem to be several reasons suggested:
The SQL database is not running, has been removed, or you otherwise can't connect to it (firewall, login credentials, network failure)
IIS is running in the wrong mode
The latter could be IIS 6.0 configured for IIS 5.0 compatibility mode, or the application pool configured for 32-bit worker processes on a 64-bit system.
I hade the same problem, and it did happen just after a windows update, hmm...
First of all, someone (windows update) hade change the user account on the service "Windows Internal Database (MICROSOFT##SSEE)". Changed back to the right account and the WSS started to work, but with an error (Application / error or something)
This new problem was something I just got for free after I hade run the Exchange Analyzer tool and done some modifications to my system, that was recommended by the tool.
If i changed my web.config too look like this (c:/inetpub/wss-dir/web.config):
<!-- Web.Config Configuration File -->
<configuration>
<system.web>
<customErrors mode="RemoteOnly"/>
</system.web>
</configuration>
I discovered what the problem was, it was a access/security issue. The error message told me:
Access to the path "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\root\8c91a6b5\649b28ba" is denied.
But this was not the hole truth... the access denied was not to the ..\Temporary ASP.NET Files\root\8c91a6b5\649b28ba folder, it was to the %TEMP% folder, that I hade just moved due to a suggestion from the Exchange Analyzer Tool.
Have a nice day!
I had that problem with sharepoint I used this to fix the sql database
http://heresjaken.com/sharepoint-cannot-connect-to-configuration-database-error-after-installing-kb2687442-update-on-sbs-server-2008/