I am running a Java Application as a Service in Windows that's using JDBC to connect to SQL Server. This application is started as a different user than the one logged into the Machine. My question is will the JDBC Driver use the user assigned to start the service to authenticate against or the logged in user (which there might not be one)?
Thanks
You can change logged in users all you want, the service will keep running in the background under the account that it was initially started.
If the connection is set to using Integrated Security, then the account that the service is started under will be the one that is used.
The service will connect using whatever user the service is running under (as visible in the service control manager).
Your service application is configured to always run as a particular user, for example "Service_User".
Even if user "Bob" logs in to start the service - all connections/files made by that service will appear to be from user "Service_User".
In your service application you make a JDBC connection to a database. If you specify Integrated Security in the connection string, it will log in to the database as "Service_User".
If you specify a Database username / password in your connection string, it will log into the database as that user.
That will happen regardless of the interactive login used to start it on the system.
Related
When I deploy my app to a server, I'm getting the Login failed message. My DB and app are located on two separate physical machines. However this has not posed a problem when developing and testing locally and connecting out to the DB server; only after publishing.
Steps I've taken To attempt to resolve
In my Web.Config I've set Integrated security to false. When integrated security was true, it was giving the same error but with the machine name in place of the user name.
I placed valid credentials in the User ID: and Password: fields of the Web.Config. The credentials placed in Web.Config are also used to log into Sql Server Management Studio directly.
Within SSMS I've also verified those credentials will work under Windows Authentication and SQL Server Authentication.
Those credentials I've set in the app work when I log into the SSMS using Windows Authentication. Advice on how to resolve this would be greatly appreciated. Thanks!
By default, IIS runs your application under a local machine account. This account does not have any permissions to access your SQL Server. In order to achieve integrated security, you need grant it access. There are a few ways to do it, the thread Add IIS 7 AppPool Identities as SQL Server Logons will get you started.
Another way, which is preferred over adding the IIS account, is to create a service account in Active Directory and setting the App Pool Identity in IIS to the service account. Depending on your environment, you should work with your network admin and or DBA to set this up.
Your last option would be to simply use SQL Authentication.
I have asp web page application with Integrated Windows authentication checked on IIS and cleared the Anonymous Access box. From Advanced windows authentication I have Enable kernel-mode authentication checked.
Application pool runs with admin domain user and integrated mode.
When user clicks on some web page inside this app, I can see from log that domain user name is send to server and also I have values in Request.ServerVariables("AUTH_USER").
Everything fine, as it should be. I can see which user access application.
Now, the web page also access SQL database.
I have connection string, like:
"Provider=SQLOLEDB.1;Integrated Security=SSPI;..."
But when I access database, i get the following error:
Microsoft OLE DB Provider for SQL Server error '80040e4d'
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
How can i say, that connection to the sql server is made with app pool account and not anonymous?
i think that if you check the config file of the web site for the identity tag you will find it set as follow:
<identity impersonate="true"/>
in your configuration it should be:
<identity impersonate="false"/>
this way you tell iis to not impersonate whoever is logged on remotely via web but to use the account specified in the application pool.
here is a page with a brief description of the topic.
After 2 days of testing, i have finally manage to make it work.
There are two forms of impersonation:
"identity impersonate=false" is for application to run in the context of user or user defined in app pool.
But there is also impersonation for application pool to use the user to access the resource on disk. It is under Basic settings and Connect as.
Default is pass-through authentication.
I don't know what it has to do with access to external database, but after set this to the same user of app pool, everything works now.
I hope it will help somebody.
I have developer MVC4 + EF Code First + SQL Server 2008 web app. Uploaded it to prod server with IIS7. Created new credentials PC. Added empty database PCDB to SQL Server and assigned user PC to it with owner permission. When I run web app I get error
Model compatibility cannot be checked because the database does not contain model metadata. Model compatibility can only be checked for databases created using Code First or Code First Migrations
My connection string is
data source=174.xx.x.x;initial catalog=pcdb;user id=pc;password=xxxxx;
The exception is understandable, I can delete PCDB database and let EFCode First create it by itself. But how about credentials PC? I do not want to make PC user as administrator but without it EF Code First will not be able to create new database in SQL Server.
How to solve the problem?
The overall design starts with Forms or Windows authentication at the WebsiteASP.NET/ IIS.
and ends with Application and DB authentication you want/need. Application authorization is another topic. I will not discuss that here.
You dont actually state the authentication model desired.
So I will start with a disclaimer. This a suggestion that I WOULD use in a production site. But it is not the ultimate end game nor is it the ONLY short term solution you might consider.
This is a solution that a one man show can get working. And is secure and without excessive admin effort to keep running.
Use SQL server logon via Windows Auth
BUT you do not need to add every user to SQL server.
There is also the option of impersonation. But that can get tricky and this explanation is not NOT impersonation. That is another another approach.
first make sure Website is using Windows Authentication
set IIS to use Windows Authentication:
Now the APP Pool behind the website on IIS you have configured. .
Im going to suggest a Psuedo-service user in the APP pool as a good way to start.
ie WEBAPPLICATION_X_USER. You can have a separate user per APP pool. Each user can access only its DB. So you get application separation. Your enter a user and password here. IIS will encrypt and decrypt as required. (better than plan text in Web.config)
This user should have reduced auth on the server itself. NOT AN ADMIN user on domain or even local admin. Just enough so it can use Sql server to create a DB. So create a regular windows user
Let ASP.Net logon to DB. Let ASP.net encrypt and decrypt the password.
So now the situation is Windows AUTH on IIS. IIS has an App pool with a special windows user that can logon to SQL server. You have added this user to SQL server instance and Allocated this service user the ability create DBs. Dont give the user access to ALL Dbs :-) Just the one it will create. Plus public access (via EF).
Verify the user credential situation in your WEB APP.
See [System.Security.Principal.WindowsIdentity]
This should show your windows authenticated end user.
System.Environment.UserName should have the service user ID you placed in the IIS APP POOL.
Now when EF goes to create or access data on the SQL server instance, it will connect with
System.Environment.UserName if the WEB.CONFIG entry is set to use windows integrated security
<connectionStrings>
<add name="DbContextName" connectionString="Data Source=Your SQL server Instance;Initial Catalog=The DBNAME;Integrated Security=True;MultipleActiveResultSets=True;App=EntityFramework" providerName="System.Data.SqlClient" />
And you KNOW the authenticated user.
httpContext will give it to you as does thread current principal.
HttpContext.User is by default mapped to {System.Security.Principal.WindowsPrincipal}
So you can perform application level checking.
The same approach should also work with Forms Authentication.
WARNING: If you have windows WPF approach (ie you are not using IIS and therefore no APP pool), then this approach MUST be changed and is more complex and no longer the best place to start.
I hope this helps you get started
I have a classic ASP app that I am trying to connect to a SQL Server 2008 database on a different server. The ASP app is being served from IIS7 on Windows Server 2008.
I have changed the web site's application pool to run under a specific windows account, that I have verified has access to the database on the remote server.
However, when I run the app in the browser, I get this error:
Application Error
Number: -2147217843 (0x80040E4D)
Source: Microsoft OLE DB Provider for SQL Server
Description: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
Why is it trying to connect using NT AUTHORITY\ANONYMOUS LOGON?
Does the App pool identity not apply to classic ASP code?
How can I make this connect as a specific user?
EDIT
Here is the connection string I am using:
Provider=SQLOLEDB.1;Data Source=myDbServer;Initial Catalog=myDatabase;Integrated Security=SSPI
For a site to use the application pool identity for classic ASP, you need to change the credentials used for Anonymous Authentication. By default, the site will be set to use a specific user, namely IUSR.
Select Authentication from the IIS area of your site, then select Anonymous Authentication followed by Edit. Change from Specific user to Application pool identity.
It's advisable to use Windows authentication (integrated security) over SQL authentication so that you don't have credentials in your config files so that if those files are compromised, you don't lose control of the credentials.
Does your app impersonate the caller? You need to enable constrained delegation: Configuring Servers for Delegation.
you should specify a username and password for the connection string www.connectionstrings.com or set the IIS application to run as a specific user however that would then render a lot of the security settings in IIS obsolete.
Provider=SQLNCLI10;Server=myServerAddress;Database=myDataBase;Uid=myUsername; Pwd=myPassword;
And have a look here: aspfaq
Lastly, make sure anonymous access is disabled on the IIS site so that it actually impersonates the user you selected instead of passing the anonymous tokens through.
I have a web service that stores data in a local SQL Server 2008 database. If I run the web service under my account the web service can successfully access the database. However, if I use the DefaultAppPool (IUSR) account then accessing the database from the web service fails.
How do I set security on SQL Server to allow access to a specific database via IIS?
The specific error message I am getting is:
Login failed for user 'IIS APPPOOL\DefaultAppPool'
You have two options (obvious maybe!):
Instead of using Windows Integrated
Security use SQL Authentication
instead.
If you can't or don't want to, then you have
to create a new user in SQL Server
that relates to that Windows account.
Or (third option) you can change the web service to run under an account that you know works.
I generally run the app pool under a domain user account, that way you control the specific user for each site on your server.
If I can't use a domain account, I'll run the site as "Network Service" - and the user that would correspond to that in SQL would be the machine account (MACHINENAME$ - replace "machinename" with your IIS server name").
If you plan to use the new IIS7 IIS users - which are not windows users - you'll have to use SQL Authentication instead of Windows authentication for your SQL database access.