Add IIS 7 AppPool Identities as SQL Server Logons - sql-server

I'm running an IIS 7 Website with an AppPool of Integrated Pipeline Mode.
The AppPools does NOT run under NetworkService, etc.. identity (by purpose), but uses its own AppPool Identitiy (IIS AppPool\MyAppPool).
This is a so called service account or virtual account.
(a user account, which is not a full account...)
I'd like to give this service account (IIS AppPool\MyAppPool) permissions to connect to my SQL Server 2008 Express (running in Mixed Auth. Mode).
While SQL Server can add any normal user account, the IIS AppPool\MyAppPool virtual account cannot be added to the valid logons (SQL Server says, that the account cannot be found).
Is there any trick, anything I need to enable to make the virtual accounts work?
(the w3wp.exe process runs under this identity according to taskmgr, but I cannot use the account in NTFS security either...)
Thanks for your help!

The "IIS APPPOOL\AppPoolName" will work, but as mentioned previously, it does not appear to be a valid AD name so when you search for it in the "Select User or Group" dialog box, it won't show up (actually, it will find it, but it will think its an actual system account, and it will try to treat it as such...which won't work, and will give you the error message about it not being found).
How I've gotten it to work is:
In SQL Server Management Studio, look for the Security folder (the security folder at the same level as the Databases, Server Objects, etc. folders...not the security folder within each individual database)
Right click logins and select "New Login"
In the Login name field, type IIS APPPOOL\YourAppPoolName - do not click search
Fill whatever other values you like (i.e., authentication type, default database, etc.)
Click OK
As long as the AppPool name actually exists, the login should now be created.

CREATE LOGIN [IIS APPPOOL\MyAppPool] FROM WINDOWS;
CREATE USER MyAppPoolUser FOR LOGIN [IIS APPPOOL\MyAppPool];

You can solve like this,
Open "Applications Pools",
You should right click that you have choosed application pool. Then choose
"Advanced Settings".
Click three point on the Identity tab then you should choose "LocalSystem" from field of "Built-in-account"
If you do this way, you don't need to create a user in database.

If you're going across machines, you either need to be using NETWORK SERVICE, LOCAL SYSTEM, a domain account, or a SQL 2008 R2 (if you have it) Managed Service Account (which is my preference if you had such an infrastructure). You can not use an account which is not visible to the Active Directory domain.

As a side note processes that uses virtual accounts (NT Service\MyService and IIS AppPool\MyAppPool) are still running under the "NETWORK SERVICE" account as this post suggests http://www.adopenstatic.com/cs/blogs/ken/archive/2008/01/29/15759.aspx. The only difference is that these processes are members of the "NT Service\MyService" or "IIS AppPool\MyAppPool" groups (as these are actually groups and not users). This is also the reason why the processes authenticate at the network as the machine the same way NETWORK SERVICE account does.
The way to secure access is not to depend upon this accounts not having NETWORK SERVICE privileges but to grant more permissions specifically to "NT Service\MyService" or "IIS AppPool\MyAppPool" and to remove permissions for "Users" if necessary.
If anyone has more accurate or contradictional information please post.

Look at: http://www.iis.net/learn/manage/configuring-security/application-pool-identities
USE master
GO
sp_grantlogin 'IIS APPPOOL\<AppPoolName>'
USE <yourdb>
GO
sp_grantdbaccess 'IIS APPPOOL\<AppPoolName>', '<AppPoolName>'
sp_addrolemember 'aspnet_Membership_FullAccess', '<AppPoolName>'
sp_addrolemember 'aspnet_Roles_FullAccess', '<AppPoolName>'

This may be what you are looking for...
http://technet.microsoft.com/en-us/library/cc730708%28WS.10%29.aspx
I would also advise longer term to consider a limited rights domain user, what you are trying works fine in a silo machine scenario but you are going to have to make changes if you move to another machine for the DB server.

I figured it out through trial and error... the real chink in the armor was a little known setting in IIS in the Configuration Editor for the website in
Section: system.webServer/security/authentication/windowsAuthentication
From: ApplicationHost.config <locationpath='ServerName/SiteName' />
called useAppPoolCredentials (which is set to False by default. Set this to True and life becomes great again!!! Hope this saves pain for the next guy....

In my case the problem was that I started to create an MVC Alloy sample project from scratch in using Visual Studio/Episerver extension and it worked fine when executed using local Visual studio iis express.
However by default it points the sql database to LocalDB and when I deployed the site to local IIS it started giving errors some of the initial errors I resolved by:
1.adding the local site url binding to C:/Windows/System32/drivers/etc/hosts
2. Then by editing the application.config found the file location by right clicking on IIS express in botton right corner of the screen when running site using Visual studio and added binding there for local iis url.
3. Finally I was stuck with "unable to access database errors" for which I created a blank new DB in Sql express and changed connection string in web config to point to my new DB and then in package manager console (using Visual Studio) executed Episerver DB commands like -
1. initialize-epidatabase
2. update-epidatabase
3. Convert-EPiDatabaseToUtc

For the ApplicationPoolIdentity, add a login/user in MSSQL as IIS_IUSRS which is corresponding to the default pool.

Related

The permissions granted to user 'MachineName\Administrator' are insufficient for performing this operation. (rsAccessDenied)

(Revised based on comments below)
I know there's a ton of posts like this online and I've browsed many and found no useful help.
I have setup and configured SSRS many times and have not had this problem. The setup is similar to other servers in the past (all stand alone servers - no AD). I can log into Report Manager from a browser on the local server but when I try to access from my remote dev machine or from deploying a report from VS I get the above message.
This is how I'm trying to login which works on other servers but not this one.
http://Server IP/Reports
-Username: Administrator
-Password: admin password
I get the above error even though this is exactly the same as on other servers.
I should mention that I connect using a VPN to the network so I have access to the private IPs as well.
I also tried using he private IP
I also tried MachineName\Administrator
I also tried creating an SQL user with admin privileges and that did not work either.
This is a screenshot from a server where everything is working as expected. Administrators had default permissions (Content Manager). Users has browse:
This is a screenshot from the server that’s having permission issues. I assigned all roles to both admin accounts
and then I added all roles to both admin accounts:
Now I can deploy from VS using the username "administrator".
and I made a little progress (i think...) trying to access report manager from my pc. From IE (run as admin) on my local pc I try to access report manager from this URL
http://server ip/Reports/browse/
-Username: Administrator
-Password: admin password
And now I gain access to server manager but cannot see any content. When I click on the home button I get this error:
Any recommendations?

SQL Server Agent - Untrusted domain message

Running SQL Server 2016. Currently have a solution that is hosted in one domain and of course our access point is in another. we need to pull data in an automated fashion.
We have added a windows credential with the credential manager which collects endpoint information and a set of credentials.
e.g.
Internet or Networkaddress: mydatabase.remotedomain.com
Username : remotedomain\username
Password : password
This solution works with many tools, Excel, SSMS direct query, Visual Studio. The user enters the endpoint (server url or IP/port) and uses windows integrated security. the connection is made and credential store does the trick and user is authenticated.
SSMS example
Server name: mydatabase.remotedomain.com
Authentication: Windows Authentication
My challenge is SSIS and SQL Agent. The SSIS package runs in VS2015. deploy the package to Integration Services Catalog - highlight package and execute and it runs.
Create a SQL Server Agent Job and execute the job and I receive this gift.....
Login Failed: The login is from an untrusted domain and cannot be used with Windows authentication
I have created a SQL credential, created a Proxy (SSIS Package Execution), created a job that uses the Run As with the Credential but this ends with the same result. The credential has to be in my local domain or the job wont run....and of course localdomain\username does not authenticate against the remote data connection. So Proxy does not help the situation.
What I was expecting is that the windows credential manager would swap the credentials as it does when the job is run manually, or through excel or a number of any other ways...
I opened a ticket with Microsoft and worked with one of their senior resources on this.
this appears to be a bug in SQL Agent. There is no known reason or issue that prevents SQL Agent from picking up the remote credential from the Windows Credential Store, but it is not.
A working alternative was to use the command line utility DTEXEC. some slight modification to the SSIS project to make sure all connection managers are at the package level instead of project (created a reference issue).
this solution is not ideal, but it worked and DTEXEC allowed SSIS to pickup the required credential in the store and execute without issue.
I will follow up once Microsoft completes their research and gets back to me, the ticket is still open.
Sorry but changing the group to Global or Universal for the local AD account is not having any effect. I am bit lost on how making a change on the local account in use for SQL Agent will make any difference. The solution works in all the tools by local account substitution with the remote account setup in Credential Manager. If I missed it, and making this change should work, please provide an example of the setup if possible.
Again it appears this process is not being executed/followed by SQL Server Agent since it works everywhere else but not in a job executed by the Agent.
so again my hope is somebody has seen something like this before and has a solution.
my end goal is to just automate pulling data from a remote SQL server where there is no trust. I was hopeful that the proxy solution would work, but when you set the credentials to the remote domain\username, the job wont even execute.
Is there a way to setup my connection in the SSIS package to expressly set the credentials to the remote domain\username\pwd. I took a stab at that and couldnt get that to fly either. if so, an example is priceless to me.
I dont care how i get to the goal line, just need to...thanks all for the help
Your window credential account should be an AD user account which is in a Group with a scope of either Global or Universal. Universal groups are useful where you have multiple domains.
The process will execute in whatever context it's called in (i.e. by you, SQL Agent, or the proxy account). It doesn't change executable context as it calls different processes, unless you pragmatically make it, and that's bad idea anyway...
Had similar issue and it was a nightmare to resolve! Learned a lot of fun AD configuration tips along the way.
Understanding User and Group Accounts states the following:
Groups can have different scopes—domain local, built-in local, global, and universal. That is, the groups have different areas in which they are valid.
Global groups:
Groups that are used to grant permissions to objects in any domain in the domain tree or forest. Members of global groups can include only accounts and groups from the domain in which they are defined.
Universal groups:
Groups that are used to grant permissions on a wide scale throughout a domain tree or forest. Members of global groups include accounts and groups from any domain in the domain tree or forest.
EDIT
If it's just a data pull from one domain to another, can the data be first exported to a csv in the untrusted domain and then SFTP'd into your environment where the TL(Transform and Load) of the ETL(Extract-Transform-Load) process could take place?
SSIS would be a good tool for this, but C# and Powershell could also be used.

InterSystems Caché - How to get access to Caché Studio?

I am a Caché admin so I have have all access to the system managment portal. I would like to use Caché studio but my login doesn't seem to be setup properly for that. I am new to Caché, only been using it for 2 months now, I am learning the Jargon. So things may be flying over my head as I sift through manuals.
Is it possible for me to create the credentials in the system management portal so that I may access Caché Studio?
I'm using Caché 2010.2 and I have Caché Studio and Terminal installed.
From my research, I have gathered:
To log in to Studio, you need to use a user who holds the following privileges: %Development:Use and %Service_Object:Use
My system management portal (SMP) Id has %all privileges and I added in those 2 privledges for the heck of it to no avail.
You can only connect to a namespace that you have R/W permission to in the default database.
Our database is used by one application. I already have R/W for the application database. When I open up Studio, the only namespace that I see is: CACHE (localhost(1972)). I assume that it's the whole system database. I then granted my Id R/W access to it to no avail. Also everything is happening locally, I am doing all of this on the db server.
I tried the default logins (leaving Username and Password blank) and the default system login, to no avail.
I am the only one at my organization administering this database.
I would like to gain access to our own Caché studio.
Try this:
Caché cube -> Preferred server -> Add/Edit
Add the server with the System Management Portal (SMP) here. Give it any name, copy the IP.
Set ports to 1972(1973), 23, 57772(57773), authentication to password, everything else blank.
If I'm right, you have the SMP address in browser's bookmarks, not the Caché cube. When you do this, you should be able to open Studio from Caché cube and SMP or Terminal, too.
If the ports differ, try to find the right ports in the SMP. The portal changed a lot, so I can't really say where you should look for it, I have Ensemble 2012 on my work PC.
Predefined User Accounts
use
login: _SYSTEM
pass: SYS
I believe you are trying to connect to a wrong server. localhost:1972 is your local computer. To add a new server to that list, go to cache cube -> Remote access -> add/delete... and add your real server.
Or, just press "connect..." button in that Studio dialogue and enter server info there.
click in the bottom of windows bar next to hour. And then you will see Studio in the context menu
welcome !
I have found an answer (there may be more).
I had no Caché studio and terminal access because these services in the System Management Portal (SMP) under "Home>Security Management>Services" were set to delegated only: %Service_Bindings and %Service_Console. %Service_Bindings is the service that controlled access to caché studio. My caché admin account is not a delegated account. The default account _SYSTEM is not enabled (Home>Security Management>Users). I have tried enabling the account but something in the background seems to lock it after I do that - I have yet to find out what that is (new to Caché). It's probably not a good idea to have the default account enabled anyways.
Now, after editing the definition for service %Service_Bindings to allow a password authentication method, I can now use my Caché admin credentials to get into Caché Studio.
To edit service defintions through the SMP, follow these menu breadcrumbs: "Home>Security Management>Services" then click on the service that you wish to edit. In Caché 2010.2, there's 3 authentication methods that you can use for each serivce: unauthenticated, password, delegated.
If anyone has a better solution please inform!
Sorry for my English. When installed, the program asks for a password, write to the SYS. Then you can go without a shed under the account "Admin"

SSRS 2005 - No one has Content Manager rights in the Report Manager

We have the report server installed in the Domain Controller. In the report server, I removed all the roles assigned for BUILTIN\Users (except Browse), and left all the roles (including Content Manager) for BUILTIN\Administrators.
Now when I log in as the Domain Administrator, I cannot access the Security Settings page! I do not get the "Properties" tab in the Report Manager home page.
Since, the server I have installed the SSRS is our domain controller, it doesn't have any BUILTIN groups. However, the Domain Administrator is in the Domain\Administrators group and I was under the impression that will act as the BUILTIN\Administrators group in this case. But I was wrong.
Now since we cannot login as BUILTIN\Administrator, nobody has full access to the Report Manager.
I tried entering entries for ReportServer database PolicyUserRole table, so that I can assign content manager role to the BUILTIN\Users group. Although I added the entries successfully, the Report Manager still shows nothing when I login as a user to the website!
I need to do one of two things, Either
some how login as BUILTIN\Administrator to the Report Manager. - But cannot do this coz the Domain Controller doesn't have this group. Domain\Administrators group doesn't seem to be working
or
2.Somehow give ContentManager permission back to the BUILTIN\Users group. But I cannot do this using the ReportManager website OR the SQL Management Studio, as they do not recognize that my domain\Administrator has permission.
What nonnb said:
SSRS will allow any "local" administrators to the computer SSRS is running on to do administrative stuff.
You should be able to go to the domain controller, check local users and groups, add in your domain user as a local administrator to the computer. As far as i can remember, even the domain controller also has some local stuff. If not, it could be a discussion on if it is smart or recommended to install SSRS on a domain controller, but that is out of scope for this question :)
Well, I couldn't find anything :(... I ended up re-installing the reporting services.

Limit access to the database

how do I limit the user access to the database I installed to the management studio for only certain people(probably me alone) to access?
But I got a surprise when I saw the database I installed to my client pc was able to be opened using window authentication. I thought it is only able to be opened by the new user I created for that database.
so how do I remove the database from being viewed by those login using window authentication.
In the SQL management studio go to "Security". Its quite possible that you will find some Windows accounts in there. This is normal behavior and they are put there on installment of the SQL instance.
What you can do is delete the ones you don't want poking around in the DB. Make sure that you at least keep 1 db administrator.
You can also restrict their access to read_only. Read this article on creating/editing users. Goto the properties of the user you want to edit and goto "Manage Server Roles". Learn more about server roles here

Resources