I published a Blazor (Server side) application with Windows Authentication to IIS. I disabled "Anonymous Authentication" and enabled "Windows Authentication".
The application can display the login information ("Hello, Domain\Username!") correctly. The application connects to SQL Server using Windows integrate mode.
"ConnectionStrings": {
"MyDatabase": "Server=DBServer;Database=DB1;Trusted_Connection=True"
}
However, it uses the system account (which is used to run IIS?) to connect the SQL Server.
Login failed for user 'Domain\IISMachineName$'.
I tried to enable "ASP.NET Impersonation" for the IIS site and it gets the 500.24 error.
HTTP Error 500.24 - Internal Server Error
An ASP.NET setting has been detected that does not apply in Integrated managed pipeline mode.
Most likely causes:
• system.web/identity#impersonate is set to true.
It depends on your hosting and the location of your SQL server, as you say you host in IIS it takes the application pool like any other webservice hosted in IIS.
If SQL Server is on the same server then you can assign the application pool.
You can add the application pool to your SQL Database as a Login and user.
CREATE LOGIN [IIS APPPOOL\MyBlazorAppPool] FROM WINDOWS;
CREATE USER MyBlazorAppPool FOR LOGIN [IIS APPPOOL\MyBlazorAppPool];
On a defend machine you can simply create the machine hosting your blazor app as a user.
CREATE LOGIN [computername$] FROM WINDOWS;
Related
I'm trying to set up impersonation/delegation for a web application using ASP.NET 4.5/SQL Server 2016. The goal is to use the Windows authentication on the web application and the SQL Server.
I reproduced on Azure a setup similar to the one which will be used for production, but I can't seem to find what is making the impersonation not working.
Azure VM #1 [machine name: test-iis-server]: Windows Server 2012 running IIS 8.5 and acting as Active Directory Domain Controller
Azure VM #2 [machine name: test-sql-server]: Windows Server 2016 running SQL Server 2016
Azure VM #3 [machine name: test-client]: Windows 10 machine for simulating a user connecting to the website
I created an Active Directory domain named TEST. It is possible to connect to the 3 machines with users created in Active Directory.
IIS Web server configuration:
In the web.config file:
Authentication mode = Windows
Identity impersonate = True
validation validateIntegratedModeConfiguration = False
Integrated security = SSPI
In IIS Manager:
Windows authentication = Enabled (Kernel-mode authentication = Disabled, Providers = Negotiate:Kerberos)
ASP.NET Impersonation = Enabled
Application pool = Integrated Managed Pipeline (Identity = Custom Identity: test\my-svc-account)
In Active Directory Users & Computers
For each computers (web server, sql server and user computer), I went into Properties and checked in the Delegation tab Trust this
computer for delegation to any service (Kerberos only).
SQL Server Configuration
I did not setup anything here. I assumed that ASP.NET will use the credentials of the user logged in the web application to access the
SQL Server database.
Edit: SQL Server service account: test\my-svc-account
Results:
If I don't use impersonation in the web application and use a defined user/pwd login created in SQL Server, my application works normally and I can get the Windows user credential if I want.
Using impersonation, I get a SQL Server connection error when I open the web application page: Login failed for user 'TEST\test-iis-server$'.
Expected behavior:
The web application will log into SQL Server using the credentials used to log into the "test-client" machine.
I've read a lot on how to implement the impersonation/delegation for my solution, but can't seem to find what's wrong. Anyone has any idea where the proble might come from and how I can resolve it?
Edit #1:
From what I've read, it seems like I need to setup SPNs. I'm confused about how to set them up correctly for my double-hop scenario.
I have created a user account in Active Directory to act as a service account. I've set this account to be trusted for delegation.
I use this account as the identity for my application pool in IIS and as the service account of the SQL Server instance.
Yes, you do need to configure SPNs for both the ASP.NET app pool identity, and the SQL Server service account.
It's relatively straightforward, but you need to make sure you get the right values.
In AD Users and Computers find the 'my-svc-account' account and open the properties. Navigate to the attribute editor tab (if you don't see it, enable advanced features through the ADUC 'View' menu). Find the servicePrincipalName attribute and edit it. Add the following:
http/servicename.foo.com
http/servername <== optional
Where service.foo.com matches your DNS name. If this is a CNAME, you need to also include the underlying A record name as well. So if servicename.foo.com maps to whatever.cloudapp.net, you need to add an SPN for whatever.cloudapp.net. This is for IE, because IE is ...dumb... and trying to be smart (it resolves the DNS down to lowest named record and requests an SPN for that).
Then do the same for the SQL Server service account.
MSSQLSvc/sqlserver.foo.com
MSSQLSvc/sqlserver <== optional
This needs to be the FQDN of the SQL Server host.
Lastly, you need to enable Constrained Delegation between the App Pool identity and the SQL Server service account. This is the 3rd radio button in the delegation control. Add the SQL Server SPN as a delegated target.
Restart IIS and SQL. Try browsing to the app. You should now see it connect to SQL as your named user.
On IIS 8.5, the only authentication method I have enabled is Windows Authentication, with Negotiate and NTLM. When I use a connection string in any ASP.NET application, running under an app pool who's identity is a domain account, I'm able to connect fine. In classic asp I get:
Microsoft OLE DB Provider for SQL Server error '80040e4d'
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
As far as I know the servers aren't configured for delegation, and I didn't explicitly set the SPN. I'm accessing the box via the FQDN which is netbiosname.mydomain.com .
Why is it working in ASP.NET, but failing in classic asp? Am I experiencing the double hop? Is there a way to confirm it is in fact the double hop?
Here's the error I'm getting:
Microsoft OLE DB Provider for SQL Server error '80040e4d'
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
I found out how to resolve this issue, I believe the last step was the only one that helped, but here's what I did:
Disabled all authentication methods other than Windows Authentication
In IIS Manager, I used the "Convert to Application" option to mark
the folder containing the classic asp code as an application
Assigned the application to app pool running under AD account with access to SQL server
Enabled 32-Bit application support on the app pool
Set pipeline mode to integrated for app pool
At this point I still was getting the same error
I right clicked on the application and set the Physical Path Credentials to the same domain account that the app pool runs under and everything started to work correctly
I would imagine you need to set the classic asp IIS website to run as the domain account you're using for integrated security.
To get ASP to connect to the database, in IIS 6, Directory Security -> Authentication Methods, Under Enable Anonymous Access, I set the anonymous access account to the AD account with permissions to the database.
i was tearing my hair out for a while. then i tried creating a windows user account, with the proper permissions in SQL Server, and used "Integrated Security=SSPI" in the connection string. it worked like a charm - no AD required:
SQLconnex = "PROVIDER=SQLOLEDB;DATA SOURCE={server};DATABASE={db};UID={uid};PWD={pwd};Integrated Security=SSPI"
hope it helps and saves your hair.
In my case to solve it I set the "anonymous authentication" the use of the "application pool identity".
Sites > Authentication > anonymous authentication > Edit > application pool identity
I have a web application which is configured to run under NTLM scheme.
From the web application I am accessing a service in application server.
I am impersonating the user in the web application code which accesses the service in application server.
When I access the web application from the web server everything works fine.
But when I try to access the web application from a different client machine with same credentials the the call to service in application server is failing with access denied.
The same scenario is working in different set of machines.
Am I missing any settings?
If we setup the delegation from the app pool identity account in ADC and choose “any protocol” instead of "Kerberos only" the problem is getting resolved.
I'm trying to access a sql server database from an ASP NET app configured to work with IIS.
I have several questions now,
1) Authentication in IIS: I need to know if my authentication settings for the site are ok:
I tried with Windows Authentication set to Disabled, but the problem continues.
2) Are the settings for the user NT AUTHORITY\Sericio de red well configured? ("Servicio de red" means Network Service)
3) When I added the login for network service, I only found "Servicio de red", I guess it's the equivalent for NetworkService, I'm I right?, My windows 7 ultimate is an spanish version, I just changed the windows interface by using a windows upgrade to make it appear in english. Is there a problem with it?, I guess it's right because the access to the database is being done through the IIS APPPOOL\Servicio de red user.
My DefaultAppPool identity is set to to AppPoolIdentity
If you want to see what I have tried, see this thread.
The whole project, along with a backup of the database I'm using can be found here, called MyServiceSolutionInIIS
What I'm trying is to build a WCF Data Service that offers information that comes from an entity data model generated from a sql server database. This service will be used by a WPF App as a client.
I'd like to avoid creating a user for it, I think it can be done with the App Pool
Okay so the way this works is, whatever application pool your endpoint is running under passes its credentials to the SQL Server. So, you have two options:
Run the default application pool under NetworkService, or;
Use SQL Authentication when connecting with your web service to the SQL Server.
Honestly, the latter is the most common, but in your situation you may be just fine by changing the default application pool to run under NetworkService.
This has nothing to do with the authentication you've chosen (well, mostly nothing.. you can control which credentials anonymous users run under). Every website runs in an app pool, and this app pool has an AppPoolIdentity.
I'm a little confused as to why it would be claiming it's IIS AppPool\NetworkService, since NetworkService should be NT AUTHORITY\NetworkService, or IIS AppPool\MyAspService or IIS AppPool\DefaultAppPool.
There is a lot more information on App Pool Identities here:
http://www.iis.net/learn/manage/configuring-security/application-pool-identities
Note: There is a bug in IIS 7.5 (the version of IIS that comes with Windows 7 and Windows Server 2008 R2) that sometimes causes authentication problems with AppPoolIdentities if the users password changes (say, if you have mandatory password change policies). There is a hotfix here:
http://support.microsoft.com/kb/2545850/en-us
More info here:
IIS application using application pool identity loses primary token?
There so many scenarios in which this issue occurs.
First thing you need to clear if you are using windows authentication and you are not mentioning any username password in your connection string then:
What happens when you run your code through localhost: when you run your wcf test client from localhost, it will be able to communicate to database as local debug mode application is calling database by your account's service. So it has access to database because devenv.exe is running under your user account.
But when you deploy your web service in IIS. Now understand this service runs under IIS not under your account. So you need to assign access rights to IIS service to access the sql server for windows authentication. Here your web service would not be able to communicate to the SQL server because of access rights issue and Login Failed for user_______ (here your user will come)
So if you are using windows authentication to connect your database, you just have to change the IIS Application pool settings. You need to change IIS Application pool's identity to:
local System (for single windows user).
Network Service (for intranet users or domain users)
Below are the Steps for windows authentication WCF:
•Open IIS (windows+R (run) then type inetmgr, then click ok)
•double click your PC name under Connections
•Click Application Pools
•Select your app pool (DefaultAppPool)
•Then under actions on the right click Advanced Settings:
•Go to Process Model section and
•click on Identity.
•Now select LocalSystem (for single windows authentication user).
or select Network Service (for Intranet users)
Now open your sql server management studio: open run-> then type ssms then press ok in ssms, login using your windows authentication account. open security tab expand logins tab then you will be able to view your account.
Now open properties of your account go to userMapping then select the database you want to connect then check the role membership services you want to use for the selected database click ok. (For network services i.e. intranet users you need to configure above settings for NT AUTHORITY\SYSTEM user too)
add Trusted_Connection=True; property in your connection string. Save it & deploy the web service. Restart app pool.
you will be able to connect the database now.
I've written a simple ASP.NET application that works as a frontend for a simple MSSQL database. The application is accessible over the Internet.
There are two physical servers involved: a WS2008R2 Active Directory domain controller which is also running MSQL Server 2008 R2, and another server, the webserver (WS2008R2/IIS7.5) where my application resides.
The Application Pool for my application "FooPool" has its own AD User identity it runs under "FooUser". FooUser does not have any permission to access the SQL Server database, instead only my own personal user account "MyUser" has that permission.
The idea is that attempts to access this web application first perform Windows Authentication with IIS, my web application then uses Impersonation to access the SQL Server database.
However my application does not work.
I tested the application without it touching SQL Server, just to test impersonation, so I did Response.Write( WindowsIdentity.GetCurrent(false).Name ); which correctly shows the application impersonating MyUser and not acting as FooUser. This works from all modern browsers and across the Internet.
But as soon as it touches MSSQL Server I get the error "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'." but that should not be happening because no user tokens are for Anonymous Logon.
I've done my homework and read all about Delegation and Impersonation in ASP.NET and I have set up delegation: The FooUser account has a Service Principal Name set-up (I set the SPN to an arbitrary string, is that doing it right?) and is marked for delegation in ADUC.
Finally, my connection string has SSPI enabled, Connection pooling disabled, and the network library set to "dbmssocn".
What else am I forgetting?
Finishing the Configuration for Delegation to Work you must enable constrained delegation:
Open Active Directory Users and Computers
Find the user account that the IIS Web site is using for the web application pool and double-click it
Select the option: Trust this user for delegation to specified
services only.
Make sure that the user is constrained to the
SPN associated with the MSSQLSvc service
Restart IIS
http://blogs.technet.com/b/askds/archive/2008/11/25/fun-with-the-kerberos-delegation-web-site.aspx