I have a new install of SQL Server Express 2017 running on Windows Server 2016. IIS 10 cannot access the database on this SQL Server. (No problem from Visual Studio.) What security do I need to configure in SQL Server, IIS, and the file system (.mdf files)? I have researched this for many hours, but cannot find a current solution. I used to be able to solve this by adding NETWORK SERVICE or SYSTEM under NT AUTHORITY, but that doesn't seem to do the trick. Does something have to be done with Application Pools?
From your comments I guess that you should map your login to your database:
use xxx;
create user [WEBBER\s4$] from login [WEBBER\s4$];
This will fix your error but for normal working you should also give the necessary permissions to your user.
If it should have control over database xxx, make him db_owner like this:
ALTER ROLE [db_owner] ADD MEMBER [WEBBER\s4$];
The "strange" name you see is your PC's name; this is because the Network Service and Local System accounts go to the network under the PC name.
I have an ASP NET APP that's trying to access a sql server database, when I run it, I get an error saying
"Login Failed for user IIS APPPOOL\DefaultAppPool"
Searching the web I found that I should grant access to this user, so I executed the following script:
grant execute on schema :: dbo to [IIS APPPOOL\DefaultAppPool]
It executed successfully as a script for my database, but I still get the "Login Failed" error.
What's missing?
Check the user your DefaultAppPool is using to connect.
On your IIS manager check DefaultAppPool advanced properties and look for Identity. You need to give it a user with enough privileges, depending on what your site is going to do.
I usually create different AppPools for different sites depending on what they will do, for example, if your app will write documents to a folder on your server, the user of the AppPool will need writing access to that folder.
Also, it is not a good idea to use an administrator user, as it could lead to potential security breaches. However, it could be a good way to check if your problem comes from there.
I think I already know what it is. When I upgraded SQL Server Express, it installed a new server .\SQLEXPRESS (because I used "new sql instance"); remote connections were configured in this server and not LocalDB, and my database was still in LocalDB. But now I get another error, maybe related to WCF Data Services...
I created an MVC4 web application on my laptop using localdb with an .mdf file. I then exported the project to my desktop, and then I copy-pasted these files over to my web server on my Win2k12 running IIS.
After copying it I created the tables on the MSSQL Express 2012 server that runs on the same Win2k12 server, and modified web.conf in my project to target the server and not the mdf file.
And here is where it all stops, I get the following error when I try to send data (that should communicate with the sql server, browsing pages is fine as long as it does not try to talk to the sql server):
Cannot open database "mc.foo.net" requested by the login. The login failed.
Login failed for user 'IIS APPPOOL\mc.foo.net'.
And I'm guessing the user IIS APPPOOL is something inherited from my laptop; I don't have this user on the Win2k12 server. How can I change that? And to what? I have several users (from Security of the server in SQL Server Manager):
NT AUTHORITY\SYSTEM
NT Service\MSSQLSERVER
NT SERVICE\SQLWriter
NT SERVICE\Winmgmt
In addition to my domain administrators. How can I fix this?
You can easily change the application pool identity in IIS Manager.
On the target application pool (under Root/application pools), select Advanced Settings. There is a category, Process Model, where you can specify the pool's identity.
Built-in account allows you to use Network Service/Local System/... whereas Custom allows you to specify a domain or local user. That's all!
It's not recommended to give too many privileges to the application pool. This can hurt the security of your application and can sometimes be painful to manage. So, I would highly suggest that you use SQL authentication for your database and encrypt the connection string.
Your problem seems like the user doesn't have rights on the DB Server.
There are multiple ways to go around this.
If you are connecting through integrated security to the DB... Change that to a local SQL server or a domain username and password.
Give your appPool account dataReader or dataWriter access (Not recommended for production).
I have an ASP.NET application on Server A and a SQL Server on Server B.
When running the application it calls a stored procedure. This procedure tries to bulk insert from a file in a shared folder on Server A, but the following error occurred:
Cannot bulk load because the file "\serverA_address\sharedFolder\test.txt" could not be opened. Operating system error code 5(Access is denied.).
The strange thing is that when I execute the bulk insert from SQL Management Studio directly, it runs without any exceptions.
Another observation: if I change the shared folder address to a local folder where the SQL Server runs (Server B) without sharing, there is no access denied error...
I tried to set bulkadmin permission for all the users, including the technical users: sql_serviceusr who runs the SQL service, another technical user who runs the application and makes the call to SQL Server, and the user who logged in to the application. All users are domain accounts and all servers use Kerberos authentication.
Server A: Windows Server 2008R2
Server B: Windows Server 2008R2, SQL Server 2008R2
Appreciate any help or guidance.
You are doing a double hop, so you need to enable Kerberos delegation.
You could create a connect account and use SQL authentication.
In my experience, getting our network folks to properly set up Kerberos is like pulling teeth. We had it working for one glorious week once and then it suddenly stopped working. It just wasn't worth the hassle after that.
This might not be the exact answer you're looking for, but could be an interim solution for you.
By your description of the error, I assume the problem is in sharing the folder.
When sharing a folder, you should give access to the user who will be accessing the folder from remote computer in two places in folder's properties: under the Share tab and under Security tab.
Did you give access in both of them?
I'm having trouble configuring my ASP.NET web.config and my IIS web site to get the setup I want. Here's what I want at the end of the day:
- The application connects to SQL Server using a particular NT ID
- The NT ID used to connect to SQL Server is not in the web.config. Or at least its password isn't.
- I can use HttpContext.Current.User.Identity.Name (or some other means) to get the NT ID of the real user that is connecting to the application.
If I setup an ASP.NET 3.5 in Visual Studio 2008, this basically is all working locally. But when I deploy to IIS, I can get the first two bullets successfully, but I can't get the third bullet. Identity.Name is null. The way I have it deployed right now is impersonation is set to true in the web.config, and IIS has anonymous access enabled with the anonymous user set to the NT ID I want to connect to the SQL Server.
The connection string I'm using to connect to SQL Server looks like this:
Server=[My Server];Database=[My DB];Trusted_Connection=Yes;
I have tried setting authorization to which was suggested in other posts, but that just makes Internet Explorer pop up a login box.
This is a Windows Server 2003 box running IIS 6.0.
This may very well be a stupid question, and/or duplicate question. But I've done a lot of searching and trial and error and I can't seem to get the magic settings.
By default, the machine\ASPNET account or the NETWORK_SERVICE account, depending on the version of IIS you are using (I'm not sure if IIS 7 is using NETWORK_SERVICE but 6 did). If you want a different account, the impersonation is applied on the configuration file (both user name and password) to run the account as. Now you can encrypt this part of the config section using the aspnet_regiis utility. But you have to supply an account. I don't think you can get away without this that I know of... unless maybe it can be done through IIS.
HTH.
This is called the Double-Hop Problem and prohibits the forwarding of user's credentials to third parties. This occurs when they browse from one machine, against a site on another (first hop), and forwarding the credentials to a third machine (second hop).
The problem will not appear if you host IIS and SQL Server on the same machine.
There are a lot more technical details published on this at How to use the System.DirectoryServices namespace in ASP.NET, which explains the double-hop issue, and primary and secondary tokens.
I am having a problem with deploying an ASP.NET V2 web application to our deployment environment and am having trouble with the SQL Server setup.
When I run the website I get a Login failed for user 'MOETP\MOERSVPWLG$'. error when it tries to connect to the database.
This seems to be the network service user which is the behaviour I want from the application but I don't seem to be able to allow the network service user to access the database.
Some details about the setup. IIS 6 and SQL Server 2005 are both setup on the same server in the deployment environment. The only change from the test setup I made is to point the database connection string to the new live database and of course copy everything over.
My assumption at this point is that there is something that needs to be done to the SQL server setup to allow connections from asp.net. But I can't see what it could be.
Any Ideas?
It sounds like you're able to connect to the database alright and you're using integrated windows authentication.
With integrated windows authentication your connection to your database is going to use whatever your application pool user identity is using. You have to make sure that the user identity that asp.net is using is on the database server.
If it is a fresh install not everything may be setup. Check SQL Server Configuration Manager, http://msdn.microsoft.com/en-us/library/ms174212.aspx. Step by step instructions http://download.pro.parallels.com/10.3.1/docs/windows/Guides/pcpw_upgrade_guide/7351.htm.
The user name you've indicated in your post is what the Network Service account on one machine looks like to other machines, i.e. "DOMAIN\MACHINENAME$".
If you are connecting from IIS6 on one machine to SQL Server on another machine and you are using Network Service for the application pool's process identity then you need to explicitly add 'MOETP\MOERSVPWLG$' as a login to the SQL Server, and map it to an appropriate database user and role. Type that name in exactly as the login name (minus quotes, of course).
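Added example, not part of any answer on this page: the login, user mapping and role steps described in the answers above, written out as one T-SQL script that grants read/write and execute rights instead of db_owner. The database name [AppDb] is a placeholder, and the principal is the machine account quoted in the question; copy the name exactly as it appears in your own "Login failed for user" message.

```sql
-- Added example. [AppDb] is a placeholder database name.
-- The principal below is the machine account from the question above;
-- the same statements apply to an app pool identity such as
-- [IIS APPPOOL\DefaultAppPool] when IIS and SQL Server share a machine.

USE [master];
GO

-- 1. Server-level login for the Windows principal the app pool connects as.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'MOETP\MOERSVPWLG$')
    CREATE LOGIN [MOETP\MOERSVPWLG$] FROM WINDOWS;
GO

USE [AppDb];
GO

-- 2. Database user mapped to that login. Without this mapping the login
--    exists but "Cannot open database ... requested by the login" follows.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'MOETP\MOERSVPWLG$')
    CREATE USER [MOETP\MOERSVPWLG$] FOR LOGIN [MOETP\MOERSVPWLG$];
GO

-- 3. Rights the site needs: read, write, and run procedures in dbo.
--    sp_addrolemember also works on SQL Server 2005; on 2012 and later
--    ALTER ROLE ... ADD MEMBER is the equivalent statement.
EXEC sp_addrolemember N'db_datareader', N'MOETP\MOERSVPWLG$';
EXEC sp_addrolemember N'db_datawriter', N'MOETP\MOERSVPWLG$';
GRANT EXECUTE ON SCHEMA::[dbo] TO [MOETP\MOERSVPWLG$];
GO

-- 4. Check the result: one row per role, with the matching server login.
--    A NULL server_login means the database user is not mapped to a login.
SELECT dp.name AS db_user,
       sp.name AS server_login,
       r.name  AS role_name
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp
       ON sp.sid = dp.sid
LEFT JOIN sys.database_role_members AS rm
       ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals AS r
       ON r.principal_id = rm.role_principal_id
WHERE dp.name = N'MOETP\MOERSVPWLG$';
```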
Make sure there is a login created for the user you are trying to log in as on the sql server.
There's a few different things it could be.
Are you using integrated windows authentication? If so, you need to make sure the user ASP.net is running as can talk to the database (or impersonate one that can).
Does the web server have permission to talk to the database? Sometimes a web server is deployed in a DMZ.
If you are using a SQL Server login, does that same login exist on the production server with the same permissions?