I created a MVC4 web application on my laptop using localdb with a mdf. file. I then exported the project to my desktop, and then I copypasted these files over to my webserver on my Win2k12 running IIS.
After copying it I created the tables on the MSSQL Express 2012 server that runs on the same Win2k12 server, and modified web.conf in my project to target the server and not the mdf file.
And here is where it all stops, I get the following error when I try to send data (that should communicate with the sql server, browsing pages is fine as long as it does not try to talk to the sql server):
Cannot open database "mc.foo.net" requested by the login. The login failed.
Login failed for user 'IIS APPPOOL\mc.foo.net'.
And I'm guessing the user IIS APPOOL is something inherited from my laptop, I don't have this user on thw Win2k12 server. How can I change that? And to what? I have several users (from Security of the server in SQL Server Manager):
NT AUTHORITY\SYSTEM
NT Service\MSSQLSERVER
NT SERVICE\SQLWriter
NT SERVICE\Winmgmt
In addition to my domain administrators. How can I fix this?
You can easily change the application pool identity in IIS Manager.
On the target application pool (under Root/application pools), select Advanced Settings. The is a Category Process Model, where you can specify pool's identity.
Built-in account allow you to use Network Service/Local System/... whereas Custom allow you to specify a domain or local user. That's all !
It's not recommended to give too many privileges on the application pool. This can hurt security of your application and can be sometimes painful to manage. So, I would highly suggest you to use sql authentication for your database and to encrypt connection string.
Your problem seems like the user doesn't have rights on the DB Server.
There are multiple ways to go around this.
If you are connecting through integrated security to the DB... Change that to a local SQL server or a domain username and password.
Give your appPool account dataReader or dataWriter access (Not recommended for production).
Related
I have a new install of SQL Server Express 2017 running on Windows Server 2016. IIS 10 cannot access the database on this SQL Server. (No problem from Visual Studio.) What security do I need to configure in SQL Server, IIS, and the file system (.mdf files)? I have researched this for many hours, but cannot find a current solution. I used to be able to solve this by adding NETWORK SERVICE or SYSTEM under NT AUTHORITY, but that doesn't seem to do the trick. Does something have to be done with Application Pools?
From your comments I guess that you should map your login to your database:
use xxx;
create user [WEBBER\s4$] from login [WEBBER\s4$];
This will fix your error but for normal working you should also give the necessary permissions to your user.
If it should have control over database xxx, make him db_owner like this:
ALTER ROLE [db_owner] ADD MEMBER [WEBBER\s4$];
The "strange" name you see is your pc's name, this is because Network Service or Local System accounts goes to network under the pc name.
I want to reference these links because they highlight my issue
Create SQL Server Login for IIS APPPOOL - IIS and SQL Server on different machines
and
Configuring ASP.NET MVC app's IIS 7.5 Application Pool identity as login on SQL Server 2008 R2.
To summarize the posts, I have ServerA with IIS and my app pool and ServerB with SQL Server. ServerA SQL recognizes my app pool as a login since that is where IIS resides, but now I need my app pool to access SQL on ServerB.
I have tried to create a SQL login on ServerB for my app pool as Domain\ComputerName$\IIS APPPOOL\AppPoolName, but it does not recognize that. It recognized Domain\ComputerName$, but my application still does not work.
Am I on the right track, if so what user name do I specify? My DBA skills are not as sharp as they should be. Thank you.
I don't think you can use AppPool for remote SQL Server. Give machine account Domain\ComputerName$, access to SQL, or you can run AppPpool with domain user account (domain\username) and give this user access to SQL.
Domain\MachineName$ is more secure and maintainable as you do not have keep updating password for user every n months, and restricts to only one machine. If you have multiple IIS server then you have to go with domain\username method, and set AppPool to use this user account (Windows Auth).
I think You can also create group Domain group and add all (IIS) machine name on this group and give this group permission to SQL.
I'm trying to access a sql server database from an ASP NET app configured to work with IIS.
I have several questions now,
1) Authentication in IIS: I need to know if my authentication settings for the site are ok:
I tried with Windows Authentication set to Disabled, but the problem continues.
2) Are the settings for the user NT AUTHORITY\Sericio de red well configured? ("Servicio de red" means Network Service)
3) When I added the login for network service, I only found "Servicio de red", I guess it's the equivalent for NetworkService, I'm I right?, My windows 7 ultimate is an spanish version, I just changed the windows interface by using a windows upgrade to make it appear in english. Is there a problem with it?, I guess it's right because the access to the database is being done through the IIS APPPOOL\Servicio de red user.
My DefaultAppPool identity is set to to AppPoolIdentity
If you want to see what I have tried, see this thread.
The whole project, along with a backup of the database I'm using can be found here, called MyServiceSolutionInIIS
What I'm trying is to build a WCF Data Service that offers information that comes from an entity data model generated from a sql server database. This service will be used by a WPF App as a client.
I'd like to avoid creating a user for it, I think it can be done with the App Pool
Okay so the way this works is, whatever application pool your endpoint is running under passes its credentials to the SQL Server. So, you have two options:
Run the default application pool under NetworkService, or;
Use SQL Authentication when connecting with your web service to the SQL Server.
Honestly, the latter is the most common, but in your situation you may be just fine by changing the default application pool to run under NetworkService.
This has nothing to do with the authentication you've chosen (well, mostly nothing.. you can control which credentials anonymous users run under). Every website runs in an app pool, and this app pool has an AppPoolIdentity.
I'm a little confused as to why it would be claiming it's IIS AppPool\NetworkService, since NetworkService should be NT AUTHORITY\NetworkService, or IIS AppPool\MyAspService or IIS AppPool\DefaultAppPool.
There is a lot more information on App Pool Identities here:
http://www.iis.net/learn/manage/configuring-security/application-pool-identities
Note: There is a bug in IIS 7.5 (the version of IIS that comes with Windows 7 and Windows Server 2008 R2) that sometimes causes authentication problems with AppPoolIdentities if the users password changes (say, if you have mandatory password change policies). There is a hotfix here:
http://support.microsoft.com/kb/2545850/en-us
More info here:
IIS application using application pool identity loses primary token?
There so many scenarios in which this issue occurs.
First thing you need to clear if you are using windows authentication and you are not mentioning any username password in your connection string then:
What happens when you run your code through localhost: when you run your wcf test client from localhost, it will be able to communicate to database as local debug mode application is calling database by your account's service. So it has access to database because devenv.exe is running under your user account.
But when you deploy your web service in IIS. Now understand this service runs under IIS not under your account. So you need to assign access rights to IIS service to access the sql server for windows authentication. Here your web service would not be able to communicate to the SQL server because of access rights issue and Login Failed for user_______ (here your user will come)
So if you are using windows authentication to connect your database, you just have to change the IIS Application pool settings. You need to change IIS Application pool's identity to:
local System (for single windows user).
Network Service (for intranet users or domain users)
Below are the Steps for windows authentication WCF:
•Open IIS (windows+R (run) then type inetmgr, then click ok)
•double click your PC name under Connections
•Click Application Pools
•Select your app pool (DefaultAppPool)
•Then under actions on the right click Advanced Settings:
•Go to Process Model section and
•click on Identity.
•Now select LocalSystem (for single windows authentication user).
or select Network Service (for Intranet users)
Now open your sql server management studio: open run-> then type ssms then press ok in ssms, login using your windows authentication account. open security tab expand logins tab then you will be able to view your account.
Now open properties of your account go to userMapping then select the database you want to connect then check the role membership services you want to use for the selected database click ok. (For network services i.e. intranet users you need to configure above settings for NT AUTHORITY\SYSTEM user too)
add Trusted_Connection=True; property in your connection string. Save it & deploy the web service. Restart app pool.
you will be able to connect the database now.
I am using SQLServer2005 and VS2008. My connection string in web.config is:
add name="library" connectionString="Data source=KMT; Initial Catalog=Library;Integrated Security=SSPI"
Here, KMT is my server name, Library is my database.
When I run my page through VS2008 localhost, it's fine. However, when viewing through IIS it shows an error message like "login failed for user, 'KMT/ASP.NET'". My sqlserver authentication mode is windows and it's ok in web.config. What will be the solution?
Using "Integrated Security" means logging in to the database with the identity of the user running the process. When you run the local VS web server, it runs as your login. But in IIS, the web server worker process runs as a predefined user account. Your worker process identity must have rights to your SQL Server and database.
Check the properties of your App Pool in IIS. If you are running as Network Service for example, go into SQL and create a new user, enter Network Service as the Windows user name, and grant that user rights to your database.
one of my friends helped me to solve this problem as
i executed the SQL to add ASPNET as a login to
my DB and setup DA permissions
exec sp_grantlogin N'MACHINE\ASPNET'
exec sp_defaultdb N'MACHINE\ASPNET', N'Database'
use Database
exec sp_grantdbaccess N'MACHINE\ASPNET', N'ASPNET'
exec sp_addrolemember N'db_owner', N'ASPNET'
here MACHINE is machine name and database is my database name.
but through this the ASPNET user has total
control over that DB.
VS2008 uses your credentials to authorize to the db, IIS is using different account.
Make sure the IIS account has enough permissions.
If you use Integrated Security=SSPI, the credentials of the current user (in VS that would be YOU) are used to connect to SQL Server.
From an IIS app, the user associated with the IIS service is used for log in.
Solutions:
Assign the IIS service a special user that's allowed to connect to SQL
Use SQL Server authentification to access the database, and stored username/password in the connection string
Were you planning to use the ASP.NET system account or the users windows account?
If the latter you need impersonation. That works if SQL and IIS are on the same machine, otherwise it is a double hop and requires a non trivial amount of work to set up delegation.
If the server is windows 2003 you can give the Network Service the permissions to access to SQL Server
I am having a problem with deploying a ASP.NET V2 web application to our deployment environment and am having trouble with the sql server setup .
When I run the website I get a Login failed for user 'MOETP\MOERSVPWLG$'. error when it tries to connect to the database.
This seems to be the network service user which is the behaviour I want from the application but I don't seem to be able to allow the network service user to access the database.
Some details about the setup. IIS 6 and SQL Server 2005 are both setup on the same server in the deployment environment. The only change from the test setup I made is to point the database connection string to the new live database and of course copy everything over.
My assumption at this point is that there is something that needs to be done to the SQL server setup to allow connections from asp.net. But I can't see what it could be.
Any Ideas?
It sounds like you're able to connect to the database alright and you're using integrated windows authentication.
With integrated windows authentication your connection to your database is going to use whatever your application pool user identity is using. You have to make sure that the user identity that asp.net is using is on the database server.
If it is a fresh install not everything may be setup. Check SQL Server Configuration Manager, http://msdn.microsoft.com/en-us/library/ms174212.aspx. Step by step instructions http://download.pro.parallels.com/10.3.1/docs/windows/Guides/pcpw_upgrade_guide/7351.htm.
The user name you've indicated in your post is what the Network Service account on one machine looks like to other machines, ie "DOMAIN\MACHINENAME$".
If you are connecting from IIS6 on one machine to SQL Server on another machine and you are using Network Service for the application pool's process identity then you need to explicitly add 'MOETP\MOERSVPWLG$' as a login to the SQL Server, and map it to an appropriate database user and role. Type that name in exactly as the login name (minus quotes, of course).
Make sure there is a login created for the user you are trying to log in as on the sql server.
There's a few different things it could be.
Are you using integrated windows authentication? If so, you need to make sure the user ASP.net is running as can talk to the database (or impersonate one that can).
Does the web server have permission to talk to the database? Sometimes a web server is deployed in a DMZ.
If you are using a SQL Server login, does that same login exist on the production server with the same permissions?