I am converting a website from Oracle to SQL Server 2016. The website is built in ASP.NET Framework 4 using Visual Studio 2015. The original developer made extensive use of Oracle packages for data manipulation and I have successfully converted everything to stored procedures and user-defined functions. I have successfully rewritten all of the web pages to use the new syntax. I can run the website on the localhost with no errors and am trying to get it to work on our development web server.
The problem: all stored procedures return the same error:
The EXECUTE permission was denied on the object 'USP_My_Procedure', database 'WEB_DB', schema 'WEBDATA'
The user is a member of a Database role which is granted DELETE, EXECUTE, INSERT, REFERENCES, SELECT, UPDATE, and VIEW DEFINITION permissions on the WEBDATA schema:
I am able to SELECT, INSERT, UPDATE, and DELETE data directly from the webpages on the development server when stored procedures are not used. I am able to run the stored procedures from Management Studio when logged on using the application's SQL account. I just can't use the stored procedures to do the work from the website. Unfortunately, I don't have time to rewrite the entire application to eliminate the stored procedures.
Does anyone have any ideas of what to look for? Thank you.
Stored procedures are executed. See the line in your permissions for EXECUTE? It is not granted to this user.
GRANT EXECUTE ON USP_My_Procedure TO YourUser
https://learn.microsoft.com/en-us/sql/t-sql/statements/grant-object-permissions-transact-sql
Assuming your database connection string is using trusted security...
If you deployed an ASP.NET application to a development server you are likely using IIS. If so, then you are likely using an Application Pool. Verify the Application Pool identity has sufficient privileges on the database. Performing a test includes connecting to the SQL Server as the security context the application pool identity is based on, then simply try to execute the failing stored procedure in a query window (using this security context).
To view Application Pools...
Open Internet Information Services (IIS) Manager (A.K.A., inetmgr.exe)
In left hand pane, expand server node and click to select 'Application Pools'
In middle pane, click to select any application pool
in right hand pane click to select 'Advanced Settings...'
in section 'Process Model' notice value for 'Identity' (this value can be changed to a domain user account which can be assigned to SQL Server resources).
If you have more than one application pool the trick is to identify the one being used by your ASP.NET application...
Related
I'm developing an ASP.NET web app that needs to access an SQL Server database. The server the app needs to run on is running Windows Server 2000, SQL server 2000, IIS6, and .NET 2.0.
If I run the web app on my machine with Visual Web Developer 2010 with the testing webserver in Visual studio, but accessing the database on the actual web server, it works fine. However, If I put this app on the actual webserver, and try to access it through the browser, I get a permissions errors saying I don't have access to those tables.
There are two tables my app needs to access. On one of them I changed the permissions with SQL Management Studio to allow the public group select permissions, and that solved the problem. On the other table (very large table) I tried to do the same, but got an error saying it timed out waiting to get a lock on the table. Is there a way to change this timeout or another way to change the permissions?
I don't believe I should even have to change the permissions though, because there are classic ASP apps on that server that access the very same tables. I think the issue is the user that is being used to access the tables. If I can access the tables running the web app from my machine, and classic ASP apps on the server can access them, but my ASP.NET app can't, my ASP.NET app must be using a different user account. How can I check this and make the necessary changes?
Regarding your permission error, it's probably because on your machine the app is accessing the database with your permissions, with windows integrated login.
Normally, a web application is supposed to access a database using a technical user, that is specified in the web.config file, in the connection strings section. It's something like
<configuration>
<connectionStrings>
<add name="myConnsStr" connectionString="server=myserver.example.com;database=mydatabase;uid=tech_account;pwd=tech_account_password" providerName="System.Data.SqlClient" />
</connectionStrings>
...
</configuration>
How does yours look like?
For the other one, yes, do the permission change in T-SQL. If you are not sure how to do that, do the change in the designer, then before clicking OK, use the Script button in the header area. Script the change to the clipboard and then try to run in a new query window. You can play with the query timeouts in the options dialog.
You could try setting the lock timeout to -1 (meaning it'll never timeout)
SET LOCK_TIMEOUT -1
GO
And you can also try adding the permissions using a query
sp_addrolemember #rolename = 'db_datareader', #membername = 'YourAspApp'
You can also try to change your asp.net user in the asp.net connection string to a user which already has selecting privileges.
Let me know if any of that worked, it's a good place to start with =)
I am having a problem with deploying a multiple tables report into my IIS server. The page shows : "The report you requested requires further information". However, I have tried to set databaselogon at the server-side but it didn't work. (The report is working fine on VS Debugging Mode)
It is confusing that it happens only to a multiple tables report and it is working fine on a single table report.
I am using VS2008 and CrystalReportViewer version 10.
When you get "The report you requested requires further information", are you prompted to log in? I think that is the header message for DB authentication required.
If so, what you need to understand is the concept that the Crystal Reports runtime runs within the security context of the ASP.NET server. Your database connections within the Crystal Report are probably set up to use Integrated Authentication, which means the report will authenticate to the DB server using the credentials of the ASP.NET process.
In debug mode, the ASP.NET development server runs as your user account. Undoubtedly, you have access to the DB. However when you try to run in production mode, the ASP.NET server (by default) is either running as a local account called ASPNET on the IIS server, or as the NetworkService account, depending on what version of IIS you are running.
If you are running IIS 7.x, you need to either give the IIS server's directory object (NtDomainName\ServerName$) access to the DB, or change the security identity of the application pool associated with your ASP.NET application.
Hopefully this sets you on the right track and if you still need more help please post what version of IIS you are running and more information on the error message you are getting.
Response to Comment:
To configure Application Pools, in IIS Manager, select the Site in question, click Basic Settings... and check the Application Pool it is assigned to. Then go into Application Pools, you should see the current Identity of the pool listed. This is the account the application "runs as". This account needs to have access to all the files and resources in your web application, including your MySQL DB.
You can edit the Identity settings in the Advanced Settings dialog for the Pool.
Unfortunately I can't give you any advice on MySQL since I have never worked with it.
I'm stumped. I have a client site on a virtual private server - Windows Web Server 2008 SP2, IIS7, SQL Server 2008 Express.
I'm trying to setup a second web application, to allow him to review updates prior to their going live. I've created the web application in IIS7, and I have added a second database to SQL Server. The second db is essentially a copy of the production db, with 'DEV' prefixed to the database name and a few new fields in a few tables.
My production site works fine. However, the test site comes back with an SqlException: "Invalid column name 'version'." This is one of the new fields - which leads me to believe that my dev site is referring to the production database, and not the dev database. Connection strings, however, do point to different databases (although the login is the same for both):
Production site: "Server=.\SQLExpress;Database=myDbName;User ID=myUserName;Password=myUserPassword;"
Dev site: "Server=.\SQLExpress;Database=DEVmyDbName;User ID=myUserName;Password=myUserPassword;"
Seems like this should be something obvious that I'm missing. A colleague suggested that I create another application pool for the second IIS application, but it does not seem to have helped.
UPDATE, following further testing:
I changed the dev site's connection string to
"Server=.\SQLExpress;Database=DEVmyDbName;User ID=devuser;Password=myNewDifferentPassword;"
and created a new SQL server login on the database, and only gave it access to the dev database. I also set the dev database as the account's default database. I removed access to the dev database from the production login. When I try to login to the site, I get the following error:
The server principal "devuser" is not able to access the database "myDbName" under the current security context.
As a result, there are two things I know for certain:
Since it's using the new username to login, I know the app is using the connection string I'm feeding it;
For some reason, once logged in, it appears to be ignoring the specified database and trying to use the production database instead.
I don't think it should make a difference, but I will mention I'm using NHibernate for database access.
Still stumped.
It turns out that NHibernate was significant. One of the NHibernate configuration options that was set was "default_schema" - when I removed it, the app started connecting to the correct database.
It appears that the default_schema property was overriding whatever database was specified in the connection string.
I have a web app that I am working with on a separate server. I didn't originally create it, but I have to maintain it. I had to to do some manual editing of one of the database tables, which I did through Visual Studio 2008 installed on the same machine. Now I get SQL exceptions regarding Network Service not having the right privileges.
How do I avoid this from happening? I haven't modified any settings regarding the security or access information. It was working before I made the modification, and now it isn't.
Thanks!
Did you by chance change the connection information stored for the DB? Perhaps remove a explicit user (SQL Authentication) and replace it with a Trusted_Connection?
Also did you change the webserver to no longer use authentication?
The error sounds like it is coming from the fact that the Network Service account (the one generally responsible for running ASP.NET pages) cannot access the DB. This happens mostly when authentication is disabled, and there is no explicit SQL Authentication.
Should the ASPNETDB be left in default app folder created by Visual Studio when deploying on webserver? I have another DB that is in the mssql data folder, should that be placed in same directory as well? Im not clear on whether it matters one way or the other.
It depends what environment you are deploying your application to. Specifically, what database servers are available to you or what you are able to deploy.
If you have, or can install, SQL Server and have full administration rights over the instance then the easiest option is to attach both databases to that instance and change your connection strings appropriately. In this case both files should reside outside wwwroot, in a SQL Server specific directory.
I presume this is how the database in your 'mssql' data folder is being accessed. The connection string SHOULD NOT contain 'AttachDbFilename'.
The other option involves SQL Server Express Edition and User Instances. User Instances are created on demand to host a database when the application user does not have the right to attach it to a setup created instance. User Instances run in the context of the application user, ASPNET in your case, and lack advanced security features.
Visual Studio uses this same setup. ASPNETDB is likely using this method. The connection string SHOULD contain 'AttachDbFilename'.
A database that has been created in a user instance can be migrated to a setup instance. However, a database from a setup instance cannot be attached to a user instance because the security information is unavailable.
See Configuring ASP.NET 2.0 Application Services to use SQL Server 2000 or SQL Server 2005 and SQL Server 2005 Express Edition User Instances for further information.