The answers I found to this issue didn't seem to work. This is a difficult item to find information about on MSDN and in general.
I am using Windows Server 2003, IIS 6, Dot.Net 3.5 and Visual Studio 2008.
I need to know how to encrypt a connection string for an Asp.Net web application.
Below is my solution to this for Windows Server 2003 and IIS 6 and .Net 3.5 and Visual Studio 2008. Since the encryption is machine-specific, it HAS to be run on the web server.
Encryption Command (change PROJECT_NAME to your web app folder name):
c:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pef "connectionStrings" "C:\inetpub\wwwroot\PROJECT_NAME"
The second command gives the ASPNET account access to the NetFrameworkConfigurationKey in machine.config.
c:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pa "NetFrameworkConfigurationKey" "ASPNET"
The third command gives the NT Authority\Network Service account access to the NetFrameworkConfigurationKey.
c:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT Authority\Network Service"
I hope this helps someone.
Related
In the application pool within IIS, I have changed the identity (in advanced settings) of the application pool which is hosting web services to "NetworkService". I expected my web service to now run with identity "nt authority\network service" but instead it runs with identity Domain\computername$.
I would highly appreciate help on any system or IIS configuration parameters that I might have overlooked or missed.
IIS 7.5
Windows 7 Professional Service Pack 1
I built a WCF Data Service hosted in an ASP NET App that runs with IIS 7.
I'm able to access this service from other computers across the network just fine.
The thing is that I have DefaultAppPool set to NetwrokService, if I set it to ApplicationPoolIdentity, then the connection between Wpf Applications and the Data Service breaks.
Why?, In SQL Server Express 2012 I'm using "NT AUTHORITY\Servicio de red" ("Servicio de red" is "Network Service" in spanish) mapped to my database.
I understand that NetworkService is present in IIS7 for compatibility with previous versions, and IIS7 introduced ApplicationPoolIdentity to increase security since many applications use NetworkService.
That´s why I´d like to be able to use this ApplicationPoolIdentity but I don't know what setting is necessary for it to work.
My authentication setting is:
Rafael
Did you add IIS APPPOOL\DefaultAppPool to the users in SQL Server? (I assume your SQL Server is on the same machine as the IIS server? If not, then you have to add your computer name from the domain)
I have an ASP.NET 4.0 application within which I need to forward the authentication to the database.
For the purposes of this request for assistance, lets call the web server "app1" and the database server "sql1".
The SQL2008R2 database service is running as a named instance "SQL2008R2" under a custom domain account "SqlServer". The server is running Windows Server 2008 R2 Enterprise Edition.
I have created an SPN for this...
setspn -a MSSQLSvc/sql1.mydomain.local:SQL2008R2 SqlServer
The ASP.NET application is running under an application pool using a custom domain account "WebApplicationUser", in Integrated Pipeline mode. It is currently running on my laptop running Windows 7 Enterprise, but will eventually be hosted on Windows Server 2008 R2 Standard Edition.
I have created 2 SPN's for the application (on the Windows 7 machine that I am currently running from)...
setspn -a http/app1 WebApplicationUser
setspn -a http/app1.mydomain.local WebApplicationUser
Within Active Directory users and Computers, I have selected the "WebApplicationUser" account and I have enabled constrained delegation to "MSSQLSvc/sql1.mydomain.local:SQL2008R2" using any protocol (I have also tried using Kerbero only).
The Application is setup in IIS 7.5 and the authentication is set to disable Anonymouse, Basic, Digest and Forms whilst enabling "ASP.NET Impersonation" and "Windows". The Windows authentication has "Extended protection" turned off and "Kernel-mode authentication" enabled. The providers are "Negotiate" and "NTLM" in that order.
The ASP.NET application uses EF, and the connection string is configured to use integrated security...
<connectionStrings>
<add name="MyContext"
connectionString="metadata=res://*/Data.MyModel.csdl|res://*/Data.MyModel.ssdl|res://*/Data.MyModel.msl;provider=System.Data.SqlClient;provider connection string="Data Source=sql1.mydomain.local\sql2008r2;Initial Catalog=MyDatabase;Persist Security Info=false;Integrated Security=True;MultipleActiveResultSets=True""
providerName="System.Data.EntityClient" />
</connectionStrings>
My web config specifies both Windows authentication and impersonation, since I a using async pages, I have also enabled inpersonation policy flowing...
<runtime>
<alwaysFlowImpersonationPolicy enabled="true" />
</runtime>
<system.web>
<authentication mode="Windows" />
<identity impersonate="true" />
</system.web>
If I log on locally (on "web1") and browse to the application (using IE), this all works - but this does not involve the double hop that I am trying to resolve.
If I log on to another machine and then browse to the application using IE, or I browse from the local machine using FireFox, this does not work - note: FireFox does prompt me for the login details. The connection to the database fails with "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'"
Unlike a lot of the articles (and here might be part of the problem), I am not using any custom code to impersonate the user. It is my understanding that the impersonation will be applied across the board to the application by the web.config settings above. All I do is to open the connection and then close it again when I am finished with it.
I have obviously missed a step (or two), but having looked at all of the documentation that I can find (and there has been a lot), I still cannot find what that step is. It does not help that 99% of the documentation that I can find is actually related to IIS6 and Windows 2003 but the principles should remain the same.
Has anybody suceeded in getting such a configuration to work on Windows 7 and/or Windows Server 2008?
Checklist for Double Hop issues {IIS and SQL Server}
http://blogs.technet.com/b/taraj/archive/2009/01/29/checklist-for-double-hop-issues-iis-and-sql-server.aspx
http://www.phishthis.com/2009/10/24/how-to-configure-ad-sql-and-iis-for-two-hop-kerberos-authentication-2/
http://support.microsoft.com/kb/810572
IIS to SQL Server kerberos auth issues
When you configure the SPNs for SQL Server, we have found that we need to include the PORT on which SQL Server listens (1433).
You should download and use Brian Booth's DelegConfig v2 tool to help you setup the correct configuration settings. http://blogs.iis.net/brian-murphy-booth/archive/2009/04/22/delegconfig-v2-beta.aspx
It will basically hold your hand the whole way through the process. We've found the tool to be invaluable.
I´m having trouble connecting to SQL Server 2008 R2 Express with Northwind database using ApplicationPoolIdentity in IIS 7.5, resulting in the following error message:
Failed to generate a user instance of SQL Server due to failure in retrieving the user's local application data path. The connection will be closed.
notes:
I´m using Windows 7/VS 2010/IIS 7.5/SQL Server 2008 R2 Express (all in the same machine).
my site is using "ASP.NET v4.0" application pool;
ASP.NET v4.0 application pool is using ApplicationPoolIdentity as Identity;
the SQL Server 2008 R2 express has the Login "IIS APPPOOL\ASP.NETv4.0" with the server role sysadmin granted;
the Northwind database has the user "IIS APPPOOL\ASP.NET v4.0" configured with the following permitions: db_accessadmin, db_backupoperator, db_datareader, db_datawriter, db_ddladmin, db_securityadmin;
the w3wp.exe process is running with the user "IIS APPPOOL\ASP.NETv4.0"
I can see that the user profile folder is created (C:\Users\ASP.NET v4.0);
the same problem occurs using the application pool "DefaultAppPool".
If I change the ApplicationPoolIdentity user to another user that has rights to access the database it works.
Additional informations:
connection string:
<connectionStrings>
<add name="NorthwindEntities" connectionString="metadata=res://*/NorthwindModel.csdl|res://*/NorthwindModel.ssdl|res://*/NorthwindModel.msl;provider=System.Data.SqlClient;provider connection string="Data Source=NOTEBOOK\SQLEXPRESS;Initial Catalog=Northwind;Integrated Security=True;MultipleActiveResultSets=True"" providerName="System.Data.EntityClient" />
</connectionStrings>
Could anyone help me to solve this issue?
Thanks in advice.
It looks like you're trying to use SQL Server Express's "user instancing" feature, i.e. your connection string looks like:
AttachDBFilename=|DataDirectory|xxxxxx.mdf;User Instance=true
This won't work for ApplicationPoolIdentity accounts in IIS7.5. For more information see this MS Knowledgebase article:
Problems with SQL Server Express user instancing and ASP.net Web Application Projects
Web applications built with Visual Studio 2005, Visual Studio 2008, or
Visual Studio 2010 and that rely on user instancing with either SQL
Server Express 2005 or SQL Server Express 2008 do not work with the
new application pool identity. These products were developed and
tested against application pools running with the older NETWORK
SERVICE account.
Also Microsoft discourage using this feature now:
This feature will be removed in a future version of Microsoft SQL
Server. Avoid using this feature in new development work, and plan to
modify applications that currently use this feature.
If you've not already done so, I would attach the database to SQL Express and use a regular SQL connection string instead, just like you'd do in a production environment. You may need to enable TCP/IP for your SQL Express instance using the SQL Server Configuration Manager if it's not already enabled:
And ensure that port 1433 is configured as well on the next tab of that dialogue.
I have a WCF Service talking to a web application. In the web.config files I want to encrpyt the connetion string section.
I'm using
aspnet_regiis -pe "connectionStrings" -app "/WebAppFolder"
for the web applications web.config and this works fine.
But when I do the same for the WCF service I get an internal server error when I try and connect to it via the web app.
The problem was I needed to give my machine access to the configuration key
aspnet_regiis -pa "NetFrameworkConfigurationKey" "MYMACHINE\ASPNET"