I have an App Service in Azure and have created a System Assigned Identity , it gave a Object (principal) Id . I then went to Azure Active Directory and Under Al applications searched for that Identity, it was there.
I then went to the Sql Server and turned on System assigned managed identity under Identity.
I then went to my connection string in the database and set it as
Server=my-sql-server.database.windows.net,1433;Database=my-database;Authentication=Active
Directory Default
But if i start up my App Service and try to login , it requires a connection to the database but it doesnt connect , it just gives
<appservice_url>?error=database
Any ideas on what is not setup correctly ? or is there a step by step guide on setting this up ?
The part that seems missing is: The managed identity of the app service needs to be granted permissions to access the database
Tutorial is here:
https://learn.microsoft.com/en-us/azure/app-service/tutorial-connect-msi-azure-database?tabs=sqldatabase%2Csystemassigned%2Cnetfx%2Cwindowsclient
Related
I'm trying to set up impersonation/delegation for a web application using ASP.NET 4.5/SQL Server 2016. The goal is to use the Windows authentication on the web application and the SQL Server.
I reproduced on Azure a setup similar to the one which will be used for production, but I can't seem to find what is making the impersonation not working.
Azure VM #1 [machine name: test-iis-server]: Windows Server 2012 running IIS 8.5 and acting as Active Directory Domain Controller
Azure VM #2 [machine name: test-sql-server]: Windows Server 2016 running SQL Server 2016
Azure VM #3 [machine name: test-client]: Windows 10 machine for simulating a user connecting to the website
I created an Active Directory domain named TEST. It is possible to connect to the 3 machines with users created in Active Directory.
IIS Web server configuration:
In the web.config file:
Authentication mode = Windows
Identity impersonate = True
validation validateIntegratedModeConfiguration = False
Integrated security = SSPI
In IIS Manager:
Windows authentication = Enabled (Kernel-mode authentication = Disabled, Providers = Negotiate:Kerberos)
ASP.NET Impersonation = Enabled
Application pool = Integrated Managed Pipeline (Identity = Custom Identity: test\my-svc-account)
In Active Directory Users & Computers
For each computers (web server, sql server and user computer), I went into Properties and checked in the Delegation tab Trust this
computer for delegation to any service (Kerberos only).
SQL Server Configuration
I did not setup anything here. I assumed that ASP.NET will use the credentials of the user logged in the web application to access the
SQL Server database.
Edit: SQL Server service account: test\my-svc-account
Results:
If I don't use impersonation in the web application and use a defined user/pwd login created in SQL Server, my application works normally and I can get the Windows user credential if I want.
Using impersonation, I get a SQL Server connection error when I open the web application page: Login failed for user 'TEST\test-iis-server$'.
Expected behavior:
The web application will log into SQL Server using the credentials used to log into the "test-client" machine.
I've read a lot on how to implement the impersonation/delegation for my solution, but can't seem to find what's wrong. Anyone has any idea where the proble might come from and how I can resolve it?
Edit #1:
From what I've read, it seems like I need to setup SPNs. I'm confused about how to set them up correctly for my double-hop scenario.
I have created a user account in Active Directory to act as a service account. I've set this account to be trusted for delegation.
I use this account as the identity for my application pool in IIS and as the service account of the SQL Server instance.
Yes, you do need to configure SPNs for both the ASP.NET app pool identity, and the SQL Server service account.
It's relatively straightforward, but you need to make sure you get the right values.
In AD Users and Computers find the 'my-svc-account' account and open the properties. Navigate to the attribute editor tab (if you don't see it, enable advanced features through the ADUC 'View' menu). Find the servicePrincipalName attribute and edit it. Add the following:
http/servicename.foo.com
http/servername <== optional
Where service.foo.com matches your DNS name. If this is a CNAME, you need to also include the underlying A record name as well. So if servicename.foo.com maps to whatever.cloudapp.net, you need to add an SPN for whatever.cloudapp.net. This is for IE, because IE is ...dumb... and trying to be smart (it resolves the DNS down to lowest named record and requests an SPN for that).
Then do the same for the SQL Server service account.
MSSQLSvc/sqlserver.foo.com
MSSQLSvc/sqlserver <== optional
This needs to be the FQDN of the SQL Server host.
Lastly, you need to enable Constrained Delegation between the App Pool identity and the SQL Server service account. This is the 3rd radio button in the delegation control. Add the SQL Server SPN as a delegated target.
Restart IIS and SQL. Try browsing to the app. You should now see it connect to SQL as your named user.
I having the following error message:
Cannot open database "SmallBakery" requested by the login. The login failed. Login failed for user 'IIS APPPOOL\MyAppPool'
How can correct this? I am using windows 7 Enterprise Edition and Sql server 2012.
If you don't change, each app pool has it's own identity. In your case, just add a new user to your database SmallBakery with the name IIS APPPOOL\MyAppPool using SQL Management Studio. You find the users list in the "Security/Users" subnode of your database. This should look something like that:
For testing, let the user be member of the db_owner role. If that works, remove this role and just let it be member of db_datareader and db_datawriter.
This way, each app pool (perhaps each website, if they all use their own app pool) only has access to the corresponding database.
It depends on how you want to authenticate in your app. Are you trying to use impersonation in your app?
What's happening right now is the identity of your app pool in IIS is getting passed when trying to access the database. You can change the identity of your app pool to be something that has access to the database or you could change your connection string to use a specific login instead of integrated security.
Check this post out. Your problem sounds similar to one I was running into, with the same exact error message.
http://blogs.msdn.com/b/sqlexpress/archive/2011/12/09/using-localdb-with-full-iis-part-2-instance-ownership.aspx
Like others said so far you need to take your app pool system user (IIS AppPool\myapppool) and add it as database user for that database with appropriate permissions.
Note that this will work just find on your IIS/Server but if you plan on migrating application to a different IIS/Sql server it will require changes in both SQL Server and IIS. I’d suggest you also consider sql server authentication – it may be more convenient for your specific case.
In my case these steps lead me to successfully handle this error.Hope it will help you also
Earlier mdf file was in app_Data folder, and application was working fine.
When I attached mdf file into sql server. I can execute queries. But when I try to use it from asp.net application it give following exception.
Cannot open user default database. Login failed.
Login failed for user 'domain\username'
So if I understand correctly you no longer specify the AttachDBFilename but instead you have attached the database 'for real' to an existing SQL Server instance.
since you are no longer conencting to your own personal RANU instance, your application must have proper credentials to connect to the SQL Server instance where you attached the database. The correct solution depends on a number of factors, but possible answers are:
create a SQL Server login for the ASP app pool identity and grant this loggin proper access to the required database. Use CREATE LOGIN [domain\user] FROM WINDOWS and CREATE USER [domain\user]. Better still, for extra credit, add the app pool identity to a security group and grant this security group the needed permission.
change the app pool identity to an indetity that has the proper permissions already granted
if the ASP application uses impersonation and the SQL Server instance is on a different machine from the ASP application, make sure your ASP app pool is allowed to do constrained delegation.
That error indicates that you are trying to use Intergrated Security. Depending on your version of IIS and your configuration, you are probably trying to connect to the database with the IUSR or NETWORK SERVICE accounts.
The simplest fix is to use SQL Authentication. Include a SQL account username/password in your connection string.
Here is the scenario:
IIS 6 and SQL Server 2005 on same machine:
I have just created a new application inside of my main website in IIS.
The root website has its own database. The application I just created under the root site has its own database, as well.
ASP.net pages in the root site connect to their database using trusted security. This web site is running in the default app pool which uses Windows' Network Service account.
The new application I just created is using that same app pool.
I added the network service account to the new application's database's users and granted db_owner, just like the root site's db is set up. When I try to run my new application I get this error:
Login failed for user ''. The user is not associated with a trusted SQL Server connection.
When I switch the new app's connection string to use the sql server sa account, it works. I do not want to use the SA account.
I cannot figure this out! Please help.
By default IIS will try to use an ASPNET account which needs to be granted access to SQL Server. I don't have a setup anymore to describe this but the following link offers a couple of solutions:
bytes.com/groups/net-asp/290050-setting-up-integrated-security-sql-server
Sounds like the database is expecting SQL Authentication instead of Windows Authentication.
In that case you have to add the login as a user to the database you want to use and give the appropriate permissions
I am having a problem with deploying a ASP.NET V2 web application to our deployment environment and am having trouble with the sql server setup .
When I run the website I get a Login failed for user 'MOETP\MOERSVPWLG$'. error when it tries to connect to the database.
This seems to be the network service user which is the behaviour I want from the application but I don't seem to be able to allow the network service user to access the database.
Some details about the setup. IIS 6 and SQL Server 2005 are both setup on the same server in the deployment environment. The only change from the test setup I made is to point the database connection string to the new live database and of course copy everything over.
My assumption at this point is that there is something that needs to be done to the SQL server setup to allow connections from asp.net. But I can't see what it could be.
Any Ideas?
It sounds like you're able to connect to the database alright and you're using integrated windows authentication.
With integrated windows authentication your connection to your database is going to use whatever your application pool user identity is using. You have to make sure that the user identity that asp.net is using is on the database server.
If it is a fresh install not everything may be setup. Check SQL Server Configuration Manager, http://msdn.microsoft.com/en-us/library/ms174212.aspx. Step by step instructions http://download.pro.parallels.com/10.3.1/docs/windows/Guides/pcpw_upgrade_guide/7351.htm.
The user name you've indicated in your post is what the Network Service account on one machine looks like to other machines, ie "DOMAIN\MACHINENAME$".
If you are connecting from IIS6 on one machine to SQL Server on another machine and you are using Network Service for the application pool's process identity then you need to explicitly add 'MOETP\MOERSVPWLG$' as a login to the SQL Server, and map it to an appropriate database user and role. Type that name in exactly as the login name (minus quotes, of course).
Make sure there is a login created for the user you are trying to log in as on the sql server.
There's a few different things it could be.
Are you using integrated windows authentication? If so, you need to make sure the user ASP.net is running as can talk to the database (or impersonate one that can).
Does the web server have permission to talk to the database? Sometimes a web server is deployed in a DMZ.
If you are using a SQL Server login, does that same login exist on the production server with the same permissions?