Develop Reference

Cannot open database. Login failed for user 'NT AUTHORITY\NETWORK SERVICE'

I'm trying to deploy my first ASP.NET app on IIS, but I'm facing an issue whenever I connect to database. Connecting to database works just fine running the app on visual studio.
I keep getting the following:
SqlException: Cannot open database "RazorPagesMovieContext-ae4522b8-14f6-4dd9-9e71-fb8009d965ad" requested by the login. The login failed.
Login failed for user 'NT AUTHORITY\NETWORK SERVICE'.
My connection string looks like this:
<add name="LocalSqlServer"
connectionString="Server=(localdb)\MSSQLLocalDB;Database=RazorPagesMovieContext-ae4522b8-14f6-4dd9-9e71-fb8009d965ad;Integrated Security=true"
providerName="System.Data.SqlClient" />
Like stated in the article here: https://learn.microsoft.com/en-us/archive/blogs/sqlexpress/using-localdb-with-full-iis-part-2-instance-ownership I have tried #1 "Run IIS as our Windows user" and #2 "Use LocalDB Shared Instance" of the approaches without any luck so I've moved to trying NetworkService instead of ApplicationPoolIdentity which is where I'm facing the same error (using ApplicationPoolIdentity it fails with
Login failed for user 'IIS APPPOOL.NET v4.5'") just under different user.
In my SQL Server Management Studio I've created a new user with "NT AUTHORITY\NETWORK SERVICE" name and made sure I gave "db owner" permission for the database and ticked all Server Roles. Most of the answers point out to giving permissions, but that still does not address this for me.
Any insights would be appreciated

Problem in your ConnectionString, you haven't any user content CS for Login Database.
First you must add user for database your then set your connectionString
Two Options
Create new user on your database then this user set access for RazorPagesMovieContext-ae4522b8-14f6-4dd9-9e71-fb8009d965ad Create User
Enable sa user, by default disabled sa user, Enable Sa user
Finally Change connection string
if you use option 2
Server=(localdb)\MSSQLLocalDB;Database=RazorPagesMovieContext-ae4522b8-14f6-4dd9-9e71-fb8009d965ad; user=sa; password=yourPassword
**For enable **

The solution in the above link is useful, Run IIS as our Windows user or Use LocalDB shared instance is an approach to the issue.
I am here just to discuss the approach provided in the documentation. In solution1, firstly we should ensure that the VS is running properly because we should ensure the Database instance also is running properly. Then change the application pool identity to the Windows account running the Visual Studio.
In solution2, since Visual Studio2017 has updated the name of the local database instance, we should change the command accordingly.
sqllocaldb share instance mssqllocaldb IIS_DB
Subsequently, apply it to the connection string.
Data Source=(localdb)\.\IIS_DB;Initial Catalog=mydatabase;Integrated Security=True
Here is a detailed description of this issue.
https://codemegeek.com/2018/05/13/configure-iis-to-us-localdb/
Feel free to let me know if there is anything I can help with.

How to integrate an ASP.Net intranet with Active Directory?

I'm currently working on an intranet portal for my company, it will remain internal, only users with accounts on our domain will have access to it. At the moment, I use forms authentication method, and authenticate users against the Active Directory domain with System.DirectoryServices. I also interrogate the AD with System.DirectoryServices.AccountManagement to manage access rights depending on the Active Directory groups the user belongs to and I store some data in user sessions and everything works fine.
I've been asked to study whether Single Sign-On could be implemented in our context, all our users work in RDS without exceptions, so they always are in an authenticated session and the higher-ups would prefer not having to sign in at all. As far as rewritting the code to authentify and authorize users as explained here and here
I'm not too concerned.
I tried everything on a blank ASP.Net MVC5 project, to which I added an ADO.Net model with integrated security. My dev SQL Server is hosted on a remote server (not the dev desktop), the same server also hosts the dev IIS server. In production, both services will be on separate servers. This worked fine as long as I was debugging localy on my desktop, but once I published to the IIS server, I hit the first snag and couldn't get out of it.
When I changed settings in the IIS app to disable anonymous and enable windows authentication, IIS automatically changed <authentication mode="Forms" /> to <authentication mode="Windows" /> in the web.config file (as suggested here), but I couldn't make it work with Integrated Security=True or Integrated Security=SSPI, I get an error page saying [SqlException (0x80131904): Login failed for user 'DOMAIN\MACHINE$'.].
The connection string reads like: <add name="ASPNetProjectEntities" connectionString="metadata=res://*/Models.ModelASPNetProject.csdl|res://*/Models.ModelASPNetProject.ssdl|res://*/Models.ModelASPNetProject.msl;provider=System.Data.SqlClient;provider connection string="data source=MACHINE;initial catalog=DATABASE;persist security info=True;Integrated Security=SSPI;MultipleActiveResultSets=True;App=EntityFramework"" providerName="System.Data.EntityClient" />
I tried to add the machine account DOMAIN\MACHINE$ to SQL logins and grant it rights to the database, but no dice. I tried to authorize delegation in the server AD account and activate identity impersonation, but that didn't work either. I can only make it work on the remote IIS server if I put a SQL user/pass in the connection string.
So I'm at loss what could be missing here to make it work with Integrated Security. Or will I have to put SQL credentials in the connection string and encrypt it on IIS?

You're confusing Integrated Security with the authentication mechanism of your website. If you use Integrated Security, the connection used from your web app to SQL Server will use the account that the application pool your web app is running as is using. To use Integrated Security, have a service account created in AD, set your app pool to run as that account, and grant the necessary permissions to that service account in SQL Server.
Note that whether you're using forms auth or integrated security isn't relevant to how the web app connects to SQL Server, unless you're using impersonation, which you should never use.

Can't gain access to local SQL for modification

I've been given a backup of a production SQL database to begin writing an application against.
I've got it running as a local instance and using Windows Authentication and I can READ the information, however I cannot figure out how to get IIS to use my Windows Authentication to log into the SQL server when running a local ASP.Net website.
I don't have the authority on the DB to add users, and I'm getting an error of System.Data.SqlClient.SqlException: Login failed for user 'NT AUTHORITY\NETWORK SERVICE'. when I try to access a page that reads the database.
I don't think I will be able to communicate with the DB admin for a while to get him to fix this up for me. Is there anything I can do here?

Your asp code is using the same identity that IIS runs under - the Network Service account. To get it to use your credentials, you can either hard-code them into a connection string or you can use impersonation (see this link: http://msdn.microsoft.com/en-us/library/aa292118%28VS.71%29.aspx)
The gist of the link:
Put this in your web.config file: <identity impersonate="true" />
-t.

You need to create an account in SQL Server for the Network Service account,ex via SSMS via the "Security" section, right click on "Logins" and select add. You will be adding a Windows Account, you can then lookup and validate the name "NETWORK SERVICE". Then switch to the "User Mapping" section and grant permission to view your database.
reference : http://msdn.microsoft.com/en-us/library/ms998320.aspx#paght000015%5Fsqlserver
2nd Alternative
If "integrated security=sspi" is there in your connection string than you should:
Turn on integrated auth in IIS
Turn on windows auth in asp.net
Turn on imerposation in asp.net
Hopefully it will help.

The error "Login failed for user 'NT AUTHORITY\IUSR'" in ASP.NET and SQL Server 2008

My ASP.NET v3.5 web application is throwing the following exception when it attempts to open a connection to a SQL Server 2008 database:
System.Data.SqlClient.SqlException:
Cannot open database "MyDbName"
requested by the login. The login
failed. Login failed for user 'NT
AUTHORITY\IUSR'.
The thing is, I've added NT AUTHORITY\IUSR to the server's list of logins, and to the database's list of users. For the server, I've granted the user the Public role, and for the database I've granted db_datareader permissions.
I've also granted the same for NT AUTHORITY\NETWORK SERVICE, which is the identity that the application pool is running under.
The web application is hosted by IIS7, if that makes a difference. The problem repros when the DB and IIS are on the same physical machine as well.

The trick here is that NT AUTHORITY\NETWORK SERVICE actually appears to the database as DOMAINNAME\MACHINENAME$ (note the $ sign!). That is, when you cross the machine boundary from your web server to the SQL Server, SQL Server sees the machine account if you use the NETWORK SERVICE or LOCAL SYSTEM accounts. If you use any other non-domain account, SQL Server will not receive your credentials.
I'm a bit puzzled by your error message. Truth be told, I don't think that when the DB is on another box, you'll see anything other than Login Failed for NT AUTHORITY\ANONYMOUS LOGON.
IUSR is used for anonymous websites, and can't pass over the wire to SQL Server. You may find a way for it to work if you're doing everything on the same machine, but I'd never know because I'd never do it that way... ;-)

In case it helps someone, in web.config I added <identity impersonate="false" /> for this error to go away (under <system.web>)

It's important to note that you'll get this error, as I just did, if you don't have IIS configured to allow impersonation, but you do have your web.config attempting to do impersonation.
I just came across this exact error, and all of the following steps are required:
Ensure ASP.NET impersonation is enabled on your IIS web server:
Combine that with configuring your site to use impersonation (web.config):
<system.web>
<identity impersonate="true" userName="your_service_acct" password="***" />
</system.web>
The above steps presume that you have a SQL Login setup on your MSSQL for 'your_service_acct' with permissions
When running on localhost, against a localdb, or even a remote db that you personally have permissions on, the development IIS runs as if it were YOU - and everything just magically works. So, in debug mode, you don't need to create a special web.config..
As soon as you deploy your site onto some kind of server (in my case, our TEST environment) you'll likely need to have done the above steps I just detailed, because IIS will try to connect as the application pool user, which is not usually what you want administratively speaking. So, that's when you want to start using web.config transformations, so Visual Studio will insert the appropriate identity impersonate="true" during your 'Publish...' deployment step.

I would suggest to create a separate (preferably domain) account and specify it in the connection string (usually in web.config)
Then you can limit permissions on the web server what this account can and cannot do.
Then you can grant this account required permissions in SQL server.

I had had the same problem and solved this by changing application pool.

Instead of using Integrated Security=True; in connection string, just use username and password authentication user=sa; pwd=mypassword;

The simple solution is to check your web.config file and make sure one of these is part of the db connection string:
Trusted Connection=false
OR
Integrated Security=True

This problem is shown when you restore a new database on your last database.
To resolve this you must go to sqlserver, then security and then set your apppool again.

this worked for me:
Open the IIS Manager (inetmgr)
In the "Connections" panel, drill down to your site's node and select it
In the right-hand panel, under the "IIS" group, double click the "Authentication" icon.
Right-click on "Anonymous Authentication" and choose "Edit..." from the context menu.
In the popup dialog, select the "Application pool identity" radio button.
Click OK.

what does 'run the ASP.NET worker process with dbo privileges' mean?

I am having issues implementing SqlSiteMapProvider using the Wicked Code article. I am using VB.NET and SQL Server 2008 - and the OnSiteMapChanged event is not firing (the SqlDepdencyCache just seems to simply be not working at all).
The article states "You also need to run the ASP.NET worker process with dbo privileges for SQL Server 2005 cache dependencies to work automatically.)"
I don't understand what this means. I know what the ASPNET user account is and that it runs aspnet_wp.exe which is basically the ASP.NET run time as I understand it. I know what DBO privs are on SQL. But my SQL and web servers are on different machines, and ASPNET is not a domain account. And it seems crazy to make it one to try to simply get the SqlDepdencyCache to work, and I have trouble believing everyone is doing this?
Anyone have any clue what I'm missing here?
Thanks very much
EDIT: I FOUND MY ISSUE!!! SET NOCOUNT ON INSIDE MY STORED PROC WAS CAUSING IT!! BEWARE AS THIS IS NOWHERE IN THE MSDN DOCUMENTATION!!!!

Your worker process identity needs to be changed to either a domain user OR a user with a matching username/password on both the web and database servers. The SQL Server would also need Windows authentication (or Mixed authentication) enabled.
Under IIS 5 (Windows XP/2000), you need to modify the ASP.NET Process Identity in the machine.config file.
Under IIS 6 / 7 (Windows Vista/7/2003/2008/R2) you should just be able to modify the Application Pool identity. If this doesn't work, enable <identity impersonate="true" /> in your web.config.

SqlDependencyCache uses SqlDependency and SqlDependency deploys at runtime a set of services, queues and stored procedures in your database as part of its infrastructure. You can read this article on more details what really happens The Mysterious Notification.
When you create your site map provider, you provide a connection string. This connection string specifies either a SQL login and password, or it specifies that SSPI (or Trusted, or Integrated) Authentication should be used. When a user and password are provided then this user is used to log in into your application database (the ASP database). When SSPI is used then the conenction is made using the ASP thread identity, which is either the app pool identity or the impersonated user identity. Whichever login ends up being used, this login must have the priviledges necessary to deploy the SqlDependency infrastructure (create a queue, create a service, create a stored procedure). The simplest way is to simply make this login's user in the database member of the db_owner role (which is the correct wording for what the article calls 'dbo priviledges').
So depending on yoru connection string, your app pool identity and your impersonation settings, the database user that corresponds to the login used by the map provider must be added to the db_owner role. I can't tell what you need to do, because it all depends on the variable factors enumerated above.