The client application and the sql server instance are on separate machines. I'm working with Entity Framework and have created the Data Model for the database. Locally the application works fine with the database. But after the application has been deployed on IIS, I cannot access to the database. I'm getting the error message:
The underlying provider failed on Open.
Login failed for user 'domain\account'.
In the Web.config of the WebAPI is the connectionString defined as follows:
<system.web>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
<authentication mode="Windows" />
</system.web>
<entityFramework>
<defaultConnectionFactory type="System.Data.Entity.Infrastructure.LocalDbConnectionFactory, EntityFramework">
<parameters>
<parameter value="mssqllocaldb" />
</parameters>
</defaultConnectionFactory>
<providers>
<provider invariantName="System.Data.SqlClient" type="System.Data.Entity.SqlServer.SqlProviderServices, EntityFramework.SqlServer" />
</providers>
</entityFramework>
<connectionStrings>
<add name="QuReContext" connectionString="metadata=res://*/Models.QuReModel.csdl|res://*/Models.QuReModel.ssdl|res://*/Models.QuReModel.msl;provider=System.Data.SqlClient;provider connection string="data source=spartak,2500;initial catalog=First_DB;User Id=domain\account;Password=MyPW;MultipleActiveResultSets=True;"" providerName="System.Data.EntityClient" />
</connectionStrings>
I've tried many kinds of solutions from threads in stackoverflow. But nothing has helped. I'm using the ASP.NET WebAPI 2, the Entity Framework 6, IIS 7.5 on a remote Webserver with Windows Server 2008 R2 and the SQL Server 2014 where my domain account is defined for access the database. This domain account I've written in the connection string of Web.config.
On IIS is created in Default Web Site "MyClientApp" and in this application is an extra application "RestApi" available. The Application Pool is defined as follows: Identity: ApplicationPoolIdentity, Managed Pipeline Mode: Integrated, Under the authentication of the application "RestApi" is just Windows authentication and basic authentication enabled.
Do anyone has an idea?
You can set up SQL Server to support two authentication modes:
Integrated (Windows) security
Mixed (Windows + SQL Server logins)
The first mode uses the current user credentials to try to login in SQL Server. In this case, the credentials are the ones from the process running the ASP.NET application, in other words, the app pool user. To specify this kind of login you need to include this in your connection string: Integrated Security=SSPI. (I've seen on some occassions that, apart from specifying integrated security, people specify user and password, but I'm not sure if you can override the current user credentials. In fact, I think that only worked in Windows CE).
The second mode supports integrated security, and also SQL Server logins, where the user and passwords are managed by SQL Server itself, and have nothing to do with Windows users and passwords. To authenticate a SQL Server login you must specify the user ID and password as you're doing in your query string: User Id=myUsername; Password=myPassword;
You should read about integrated and mixed security mode in SQL Server. This is quite an old information, but still applies.
Related
I have an application pool that I use for development… and I have it running under my credentials (so I don't have to worry about permission/access issues). Two things make me think my credentials might be just sitting in a file (or registry entry)… which is worrisome:
When I change my password, I have to update the stored credentials
The setup dialog has a confirm password field
If IIS was just storing some authentication token or something, I would expect to only enter my password once (because authentication was happening immediately).
Anyone know where my credentials are being stored? Are they just encrypted using some system key then pulled out and used when the app pool spins up?
Here is the dialog where I'm entering the identity's credentials:
I open that dialog from the app pool's Advanced Settings:
Other Info
IIS 7.5 on Windows 7
I am using virtual accounts for other application pools, but that's not what I'm using here: I'm using actual Windows account credentials
UPDATE
Based on nicolas-dietrich's response, I found the following…
The application pool credentials (and general settings) for IIS 7.5 are stored in %systemroot%\System32\Inetsrv\config\applicationHost.config.
Encryption is handled by AesProtectedConfigurationProvider, which is the standard (?) way to protect sensitive config info (like db connection strings or–you know–passwords)
Here are the relevant sections with sensitive/irrelevant info replaced by ellipses (…):
<configProtectedData>
<providers>
<!-- … -->
<add name="IISWASOnlyAesProvider" type="Microsoft.ApplicationHost.AesProtectedConfigurationProvider" description="Uses an AES session key to encrypt and decrypt" keyContainerName="iisWasKey" cspProviderName="" useOAEP="false" useMachineContainer="true" sessionKey="…" />
</providers>
</configProtectedData>
<system.applicationHost>
<applicationPools>
<add name="DefaultAppPool" queueLength="5000" managedRuntimeVersion="v4.0" />
<add name="GeneralDev" queueLength="5000" autoStart="true">
<processModel identityType="SpecificUser" userName="mydomain\myusername" password="[enc:IISWASOnlyAesProvider:…:enc]" />
</add>
<!-- … -->
<applicationPoolDefaults managedRuntimeVersion="v4.0">
<processModel identityType="ApplicationPoolIdentity" loadUserProfile="true" setProfileEnvironment="false" />
</applicationPoolDefaults>
</applicationPools>
<!-- … -->
</system.applicationHost>
Hopefully, safe enough? ¯\_(ツ)_/¯
In IIS6 the AppPool identities were stored within the IIS metabase (%systemroot%\System32\Inetsrv\metabase.xml) in an encrypted string located under W3SVC/AppPools//WAMUserPass.
That was not so secured though as it was possible to decrypt and to show it as plain text (http://www.jasonsamuel.com/2010/04/28/how-to-get-the-iusr-and-iwam-user-account-passwords-on-an-iis-server/)
I am making a .Net Web API that gets data by calling an SQL server. The user is authenticated via Windows Authentication (Kerberos). I would like the user credentials to be passed to the SQL server via delegation, but the SQL server sees an anonymous user.
This is what I have done:
IIS application:
Windows Authentication and asp.net impersonation enabled. Anonymous and forms authentication disabled.
Enable kernel mode authentication is checked.
Providers: Negotiate, Kerberos.
Use app pool credentials: True.
Application pool:
Managed pipeline mode: Classic.
Identity: Network service.
In AD, the computer the web server runs on is set to "Trust this computer for delegation to any specific service (Kerberos only)"
The connection string to the SQL server contains Integrated Security=SSPI;
Edit: In my web.config I have
<system.web>
<authentication mode="Windows" />
<identity impersonate="true" />
</system.web>
and
<security>
<authentication>
<windowsAuthentication enabled="true">
<providers>
<clear />
<add value="Negotiate" />
<add value="Kerberos" />
</providers>
<extendedProtection tokenChecking="None" />
</windowsAuthentication>
<anonymousAuthentication enabled="false" />
</authentication>
</security>
The generic HOST spn is set for the machine.
From the browser I access the web application via http://machinename.domain.net.
I would expect in this setup that my IIS application is run under the machine account?
When I catch a request in the debugger on the web server, I can see that WindowsIdentity.GetCurrent().Name is the account of the user browsing the web application and WindowsIdentity.GetCurrent().AuthenticationType is set to "Kerberos". So that should be good.
However WindowsIdentity.GetCurrent().ImpersonationLevel is only set to "Impersonate". I would have expected it to be set to "Delegate"?
When I make a request to the SQL server, I get "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" so obviously the user credentials are not passed to the SQL server.
I hope someone can see what I am doing wrong. I really need a push in the right direction.
For future reference if someone runs into the same issue:
The issue was that we tried from Chrome. It works in IE, but on Chrome the registry change mentioned in this post was needed: Kerberos delegation doesn't work in chrome
You should be able to set the Authentication to ASP.NET Impersonation within IIS. You will probably be required to set the following in your web.config file too, as part of < system.web> section.
<identity impersonate="true" />
This may be required in the < system.webServer> section to, although not always recommended due to security concerns.
<validation validateIntegratedModeConfiguration="false" />
Firstly, this is not a repeat of the same old:
provider: SQL Network Interfaces, error: 26 - Error Locating Server/Instance Specified.
Here's the scenario. I'm using ASP.NET membership with a SQLMembershipProvider. This used to work fine, however since a clean install on my development machine and upgrading to SQL Server 2014 Express, I'm now experiencing a strange issue.
When I run the website I get the login form. If I enter an incorrect username and password I get the normal message "invalid username/password". If I enter the correct username / password I get the error 26 as above. I can successfully connect to the database using the same connection string in SQL Server Management Studio, just not from within my ASP.NET Web App.
Connection String:
<connectionStrings>
<add name="WEBConnectionString"
connectionString="Server=SERSQL01\SQLEXPRESS;Initial Catalog=WEBAPP;User ID=MyLogin;Password=MyPassword"
providerName="System.Data.SqlClient"
/>
</connectionStrings>
Things I have checked:
Instance name is correct.
Firewall is disabled.
Remote connections are enabled.
TCP/IP enabled, port 1433.
SQL Browser Enabled.
Mixed mode authentication is enabled.
Telnet connects successfully.
SSSM connects successfully.
Environment:
Development Machine: Windows 8.1 with Visual Studio 2013
Server: SQL Server 2014 Express on Windows Server 2012 R2
Finally found the problem.
I was using a custom sql membership provider. But I hadn't extended the role provider:
<roleManager enabled="true" defaultProvider="SqlProvider" >
<providers>
<clear/>
<add name="SqlProvider" type="System.Web.Security.SqlRoleProvider"
connectionStringName="WEBConnectionString" applicationName="/" />
</providers>
</roleManager>
So I have few ASP.NET apps all running off SQL Server Express 2008 and working fine and dandy. I just put up a new one to test something and am now getting the Error 26 - can't find instance. What's weird is that the app is talking to the DB partially because it brings up the user login page and if I enter wrong data it returns a message about that (which is good). When I enter the correct login info it takes it then thinks for a few seconds and then throws the Error 26.
Here is my connection string --
<connectionStrings>
<add name="db_BPEntities" connectionString="metadata=res://*/App_Code.Data.db_BP.csdl|res://*/App_Code.Data.db_BP.ssdl|res://*/App_Code.Data.db_BP.msl;provider=System.Data.SqlClient;provider connection string="data source=LOCALHOST\SQLEXPRESS;initial catalog=db_BC_Build;user id=USER;password=PASSWORD;multipleactiveresultsets=True;App=EntityFramework"" providerName="System.Data.EntityClient" />
<add name="Default" connectionString="server=LOCALHOST\SQLEXPRESS;database=db_BC_Build;USER ID=USER;password=PASSWORD;Min Pool Size=10;Max Pool Size=800;Network Library=dbmssocn" providerName="System.Data.SqlClient" />
</connectionStrings>
Note: I've changed user/password info. The DB is running locally off the same box with IIS (it's a test intranet site so I'm ok with that for now).
So summary:
Other apps running off same DB have zero connectivity issues. They all connect and work fine.
This app partially works but on login throws the Error 26 - Instance not found.
Would it be that there are 2 connection strings here vs 1 connection string on my other DBs?
Really stumped.
Thanks for any/all help :)
Edit: I think the issue is with the Entity Framework and SQL Server Express. It seems to connect initially to authenticate the user, but then the EF connectivity to display data, etc is where it breaks. That's where I'm at right now and stuck in trying to figure this out (I didn't develop this application).
Try to connect without "Network Library=dbmssocn" in your connectionstring. I have had the same (error 26) issue and it did work for me.
I change app config file to this
<connectionStrings>
<!-- TLPL_ICT_OPR\MSSQLSERVER1;Initial Catalog=FMS;User ID=fms -->
<add name="DBConnectionString" connectionString="user id=fms;data source=TLPL_ICT_OPR\MSSQLSER;persist security info=True;initial catalog=username;password=password" providerName="System.Data.SqlClient"/>
<!--<add name="DBConnectionString" connectionString="user id=fms;data source=TLPL_ICT_PHOLIB\SQLEXPRESS;persist security info=True;initial catalog=FMS;password=fms4321"
providerName="System.Data.SqlClient" />-->
</connectionStrings>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/>
</startup>
after this it works fine....
To quote from SQL Network Interfaces, error: 26, these are the steps to overcome this issue:
Make sure your server name is correct, e.g., no typo on the name.
Make sure your instance name is correct and there is actually
such an instance on your target machine. [Update: Some application
converts \\ to \. If you are not sure about your application, please
try both Server\Instance and Server\\Instance in your connection
string]
Make sure the server machine is reachable, e.g, DNS can be
resolve correctly, you are able to ping the server (not always
true).
Make sure SQL Browser service is running on the server.
If firewall is enabled on the server, you need to put
sqlbrowser.exe and/or UDP port 1434 into exception.
Please visit the link for more detail.
I have an ASP.NET app using built-in Membership functionality. As such, I have a connection string in my web.config that looks like this:
<add name="MembershipSqlServer" connectionString="Data Source=servername;Database=aspnetdb;uid=user;pwd=password;" />
When working on my dev machine, everything is peachy keen. But when I move things to the web server (which also happens to run the SQL Server), I get this error when User.IsInRole() is called:
System.Data.SqlClient.SqlException: Login failed for user 'NT AUTHORITY\NETWORK SERVICE'.
F$%*&!! Why is it attempting to connect in this way? Why isn't it using user/password from the connection string? Web.config is identical on dev and server, I am using the DB on the server during development.
OK, I figured it out... only 35 minutes. :P
Long story short: There are two parts to asp.net membership… a membership provider and a ROLE provider. Why you’d ever want these two things separated, I don’t know… But my web.config wasn’t specifying the role provider and connection string, so it was defaulting to the settings in machine.config (aka LocalSqlServer connection string).
So all this time, my app users were on the server... but the roles were stored in a local .MDF file in App_Data. Ugh.
What does the membership providers section in your web.config look like? Is it possible that you left out the connectionStringName attribute? In which case, I believe it would be trying to connect to the database on your local machine using integrated security.
The membership providers section in your web.config should look something like:
<membership defaultProvider="SqlProvider">
<providers>
<add
name="SqlProvider"
type="System.Web.Security.SqlMembershipProvider"
connectionStringName="MembershipSqlServer"
...
/>
</providers>
</membership>
Do you see this <authentication mode="Windows" /> in your web.config? And your other connectionString uses Integrated Security=True; On your Sql server in order to use windows authentication you must have a Login(on the server) for the windows user or group as well as have an associated user in the database.
The simple but not suggested fix would be to create a login for 'NT AUTHORITY\NETWORK SERVICE'
on you sql server and then a user in your specific database for that maps to that login.
The secure way is to do this for each of the network security groups that need to access the sql server so you can manage the group permissions independently.
i think the answer is that :
public static string ConnectionString(SPSite site)
{
var connectionStringField = BaseMembershipProvider(site).GetType().GetField("_sqlConnectionString", BindingFlags.Instance | BindingFlags.NonPublic);
if (connectionStringField != null)
{
return connectionStringField.GetValue(BaseMembershipProvider(site)).ToString();
}
else
{
return "";
}
}
it worked for me with out any Error
thanks babania