I have an ASP.NET 4.0 application within which I need to forward the authentication to the database.
For the purposes of this request for assistance, lets call the web server "app1" and the database server "sql1".
The SQL2008R2 database service is running as a named instance "SQL2008R2" under a custom domain account "SqlServer". The server is running Windows Server 2008 R2 Enterprise Edition.
I have created an SPN for this...
setspn -a MSSQLSvc/sql1.mydomain.local:SQL2008R2 SqlServer
The ASP.NET application is running under an application pool using a custom domain account "WebApplicationUser", in Integrated Pipeline mode. It is currently running on my laptop running Windows 7 Enterprise, but will eventually be hosted on Windows Server 2008 R2 Standard Edition.
I have created 2 SPN's for the application (on the Windows 7 machine that I am currently running from)...
setspn -a http/app1 WebApplicationUser
setspn -a http/app1.mydomain.local WebApplicationUser
Within Active Directory users and Computers, I have selected the "WebApplicationUser" account and I have enabled constrained delegation to "MSSQLSvc/sql1.mydomain.local:SQL2008R2" using any protocol (I have also tried using Kerbero only).
The Application is setup in IIS 7.5 and the authentication is set to disable Anonymouse, Basic, Digest and Forms whilst enabling "ASP.NET Impersonation" and "Windows". The Windows authentication has "Extended protection" turned off and "Kernel-mode authentication" enabled. The providers are "Negotiate" and "NTLM" in that order.
The ASP.NET application uses EF, and the connection string is configured to use integrated security...
<connectionStrings>
<add name="MyContext"
connectionString="metadata=res://*/Data.MyModel.csdl|res://*/Data.MyModel.ssdl|res://*/Data.MyModel.msl;provider=System.Data.SqlClient;provider connection string="Data Source=sql1.mydomain.local\sql2008r2;Initial Catalog=MyDatabase;Persist Security Info=false;Integrated Security=True;MultipleActiveResultSets=True""
providerName="System.Data.EntityClient" />
</connectionStrings>
My web config specifies both Windows authentication and impersonation, since I a using async pages, I have also enabled inpersonation policy flowing...
<runtime>
<alwaysFlowImpersonationPolicy enabled="true" />
</runtime>
<system.web>
<authentication mode="Windows" />
<identity impersonate="true" />
</system.web>
If I log on locally (on "web1") and browse to the application (using IE), this all works - but this does not involve the double hop that I am trying to resolve.
If I log on to another machine and then browse to the application using IE, or I browse from the local machine using FireFox, this does not work - note: FireFox does prompt me for the login details. The connection to the database fails with "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'"
Unlike a lot of the articles (and here might be part of the problem), I am not using any custom code to impersonate the user. It is my understanding that the impersonation will be applied across the board to the application by the web.config settings above. All I do is to open the connection and then close it again when I am finished with it.
I have obviously missed a step (or two), but having looked at all of the documentation that I can find (and there has been a lot), I still cannot find what that step is. It does not help that 99% of the documentation that I can find is actually related to IIS6 and Windows 2003 but the principles should remain the same.
Has anybody suceeded in getting such a configuration to work on Windows 7 and/or Windows Server 2008?
Checklist for Double Hop issues {IIS and SQL Server}
http://blogs.technet.com/b/taraj/archive/2009/01/29/checklist-for-double-hop-issues-iis-and-sql-server.aspx
http://www.phishthis.com/2009/10/24/how-to-configure-ad-sql-and-iis-for-two-hop-kerberos-authentication-2/
http://support.microsoft.com/kb/810572
IIS to SQL Server kerberos auth issues
When you configure the SPNs for SQL Server, we have found that we need to include the PORT on which SQL Server listens (1433).
You should download and use Brian Booth's DelegConfig v2 tool to help you setup the correct configuration settings. http://blogs.iis.net/brian-murphy-booth/archive/2009/04/22/delegconfig-v2-beta.aspx
It will basically hold your hand the whole way through the process. We've found the tool to be invaluable.
Related
I'm having problems connecting to an MSSQL database in an ASP.NET Web Forms application. The error I get the is the user corp\earth3 can't connect. earth3 is the name of the computer ... the logged in user is corp\earth (a domain administrator) which is what works when connecting to the database using MSSQL Management Studio. I'm building the web app on Windows 10 and its being deployed for production use on a Windows 2012 server (which has the same connection problem as the win10 machine).
I've tried each of the following in web.config. This works while connecting to other database instances on the db server, but not on this one.
<add key="sqlConnectString" value="Data Source=db01\pd; Initial Catalog=PDB; Trusted_Connection=Yes;"/>
<add key="sqlConnectString" value="Data Source=db01\pd; Initial Catalog=PDB; Integrated Security=SSPI;"/>
What am I doing wrong here? Why can't I connect to the db using corp\earth?
Thanks.
Modify the Identity in the application pool with a user that can connect to the database. Create a custom app pool if you don't want to make a change that would affect other web sites it uses.
There are two applications setup on the same server, GamesPlayLogin & GamesPlay. [ Windows server 2008 R2 ]
So, once the users are authenticated using the Login application ( GamesPlayLogin),
<authentication mode="Forms">
<forms name="GamesLoginCheck" loginUrl="/GamesPlayLogin/Default.aspx"
timeout="240" path="/" slidingExpiration="true" />
</authentication>
They are redirected to the application : GamesPlay. but on doing redirect, Authentication is failing every time and users are getting redirected back to first application: GamesPlayLogin.
As per the requirements decision, The two applications are setup to run in different application pools, possibly to avoid problems occurring in one of the apps affecting the other. And we are using Autogenerated keys.
Also, we made sure that the the box for “Generate a unique key for each application” is unchecked by checking the IIS ( Version 7.5).
event log shows::
Event message: Forms authentication failed for the request
Reason: The ticket supplied was invalid
I got to see many solutions related to above event log but NO success. Firstly My applications are on SAME WEB SERVER, and also the same setup using Autogenerated key was working earlier ( Windows server 2008 ,, until we recently did a migration to windows server 2008 R2).
I'm still looking for reasons why the same setup worked earlier ( Windows server 2008) but not after moving to Windows 2008 R2 recently.
There was a difference between IIS 7 & 7.5 that default identity of the application pool was changed from Network Service to an automatically generated AppPool identity.
Also, the two application pools were running under different users.
Since, the autogenkey are stored on a per user basis,, and the two processes are running under different users they will have different autogen keys, which finally explains why we are seeing issues here.
Going through the DEV'S Blog, finally proved a lot helpful.
Finally, taking into account our requirements, we changed the identity of the application pool to the same user for each app pools.
Also,this blog post by Kev describes how are autogenkey stored in the registry.
I have created a website using asp.net every thing is running fine when i run this using visual studio development server but when i tried to run it by IIS server then Home page of website loads but it couldn't make connection with database server
<add connectionString="Data Source=ASHUTOSH-PC\SQLEXPRESS;Initial Catalog=CloudStorage;Integrated Security=True" name="connectionStr"/>
</connectionStrings>
this works fine on visual studio develoment server but not with IIS.... Please help
Since you are using Integrated Security=True you use the application pool identity to connect to the DB. When you run Cassini, you use your own credentials. You should set up the application pool identity with a user that has permissions to login and query SQL Server.
From MSDN:
When you run a page using the ASP.NET Development Server, the page runs in the context of your current user account. For example, if you are running as an administrator-level user, a page running in the ASP.NET Development Server will have administrator-level privileges. In contrast, in IIS, ASP.NET by default runs in the context of the special user (ASPNET or NETWORK SERVICES) that typically has limited privileges. The ASPNET or NETWORK SERVICES accounts are local to the server computer (not domain accounts), which restricts access to resources on other computers.
Database access
When working with the ASP.NET Development Server, you can typically rely on Windows Integrated authentication to access SQL Server. However, when the same page runs in IIS under the ASPNET or NETWORK SERVICES account, the page is running in the context of a local user, and you often have to configure the page to use a connection string that includes information about a user and password. For details, see Accessing SQL Server from a Web Application and ASP.NET Security Architecture.
I'm baffled, and am stuck, and have been for 2 hours now.
Here is my connection string:
<add name="yafnet" connectionString="Data Source=localhost;Initial Catalog=Scirra;User Id=Gullanian;Password=12345;" providerName="System.Data.SqlClient" />
And I get:
Exception Details: System.Data.SqlClient.SqlException: Login failed for user 'Gullanian'.
I've created the database 'Scirra'. I've also attempted to add a login, but nothing seems to work. Logging into SQL management via Windows Authentication is the only way I can gain access to my DB's.
Ideally I just want to create a user, and that user having full control of DB. So I can run scripts etc.
Here's a few details:
Microsoft SQL Server Management Studio 10.50.1600.1
Microsoft Data Access Components (MDAC) 6.1.7600.16385
Microsoft MSXML 3.0 6.0
Microsoft Internet Explorer 8.0.7600.16385
Microsoft .NET Framework 2.0.50727.4952
Operating System 6.1.7600
Idk why it says v2 for asp.net, all my application pools are set to 4.0.
You need to enable SQL Server authentication (will need a restart) or use Windows Authentication.
I created an ASP.NET website with Visual Studio 2008 sp1 and in the code I use SQL connection to reach a data base in my SQL Server 2008. It all wiorks great but then I wanted to deploy the website in IIS7 (Windows 7) which was hell to discover how to do it-
(I added a virtual directory and converted it to an application and only then it didn't show me the error that I was getting before I copied it to inetpub\wwwroot and converted it to an application). After doing it I tried to run it from the IIS7 but it just keeps showing me an error that it gets in the command sqlconnection.open() which works great when I run the website from the Visual Studio. How do I resolve this?
I am using the following connection string: "Data SourceEDI-PC\SQLEXPRESS;Initial Catalog=SyncMaster;Integrated Security=True"
And my IIS7 is on the same computer as the SQL Server, so what exextly do I have to do to make it work?
Your connection string probably looks like this...
<add name="ConnectionString"
connectionString="Data Source=servername;
Initial Catalog=dbname;
Integrated Security=True"
providerName="System.Data.SqlClient" />
Which means it is using the windows account IIS runs under, NETWORK SERVICE, to connect. When you run from Visual Studio it uses your windows account which has access to the SQL server.
Create a sql user to use as a service account and specify that info in the connection string. This way it will try to connect using the same account that you created in both Visual Studio and IIS.
ie.
<add name="ConnectionString"
connectionString="Data Source=servername;
Initial Catalog=dbname;
Persist Security Info=True;
User ID=sqluser;
Password=sqruserpassword"
providerName="System.Data.SqlClient" />
When running in IIS7 (or any other IIS for that matter) the connection to sql server is made as the user that runs the application pool in iis. In IIS7 this is usually NETWORK SERVICE. So if you are using integrated security, you need to grant this account access to the database. If your SQL server instance is running on another machine, say SQLSERVER01, and your web app is running on your machine, YOURMACHINE, then the NETWORK SERVICE account on your machine will be called YOURMACHINE$ as seen by SQLSERVER01.