This had been working fine in our prior server Windows 2012. New server is 2019.
IIS Setup:
DefaultAppPool using ApplicationPoolIdentity as its identity.
Anonymous and Windows Authentication enabled.
Both prior and current server hitting same SQL Server.
When we try launching the ASP Page, we get this error:
SqlException (0x80131904): Login failed for user 'DOMAIN\MACHINENAME$'.
In other posts I've read that it could be the connection string Trusted Connection setting that is incorrect, but the connection string is built inside the page code and it's never changed.
We've also read that since ApplicationPoolIdentity uses NT AUTHORITY\NETWORK SERVICE as its user, then we'd need to add that service account to the SQL Server.
Again, it had been fine without it in the prior server. But just to try it, we added it to the User list as DB_OWNER in SQL Server.
But still get same error.
Connecting to the SQL server outside of this scenario is no an issue, we can get to it in SSMS and otherwise.
Any ideas and help appreciated!
Thanks
If you see a failure like this: Login failed for user 'DOMAIN\MACHINENAME$'. It means that a process running as NETWORK SERVICE or LocalSystem accessed a remote resource, authenticated itself as a machine account and was denied authorization. When access to the machine account is denied, the machine account must be granted access. If the server denies login to 'DOMAIN\MACHINE$', then you must grant login permission to 'DOMAIN\MACHINE$' instead of NETWORK SERVICE.
I've developed a website which connects to a SQL Server 2012 instance. This works fine in my development environment. However, when trying to deploy to a production environment, the page returns the following error:
Server Error in "/theapp" Application.
Invalid User Account
Description: an unhandled exception occured during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code
Exception Details: System.Data.SqlClient.SqlException: Invalid User Account
screen shot of stack trace
I am struggling to find any documentation regarding this on the Internet; is there anyone who might know where I can start looking for a resolution?
Thanks kindly!
Update (4/7/2016 # 3:18pm): The service account is a domain account which has correct permissions on the database. In addition, the same account is used by another website to connect to the same database, and this works fine.
Update (5/7/2016 # 10:16am): The only thing I can think of is something to do with the usage of LINQ to SQL queries within the application. Does this sound like a possible cause?
As the error says, the credentials you are using to connect to sql server are incorrect.
Make sure you are using correct credential viz. user name and password in your connection string. You can check it by logging on to sql server instance from these credentials.
If you are using integrated security, i.e. windows authentication, verify if the user have given permission on sql.
When you pass Windows authentication through a website, the identity of your app pool is the user credentials that are supplied. Be sure your app pool for the site is set to use the same user as you expect in the identity of the app pool. Also, be sure integrated security is set to SSPI, not true, in the connection string.
I have an asp.net application running in IIS using the account which has access to my database. With windows authentication, I am able to log into this account in sql server manager and other things. In my connection string, I have Integrated Security=true, and the error message I get when loading a page using this connection string references the correct user. (Not 'IIS APPPOOL\ect...' like all the other instances of this question I have found on SO). Is there something else that can cause this issue? I just dont understand why I am able to log in with the same windows account in other applications.
can anyone help me on connection strings using custom service account.
I have gone through the MSDN guidance on connect to SQL Server using Windows authentication
but somehow unable to figure out how to get the custom service account to work.
My connection string is as follows:
<add name="GTR.MDFConnectionString" connectionString="Server=SGDB3;Database=GTR;Trusted_Connection=Yes;"/>
Have also created the an app pool successfully using the custom service account as identity and checked the application is running under this new app pool.
In the SQL server 2008r database, i have also added the custom service account as a new login to my database GTR with read write access roles
However, when my ASP.NET web application runs and access the database, it throws a login failed sqlexception referencing my personal domain ID and not my custom service ID.
"Cannot open database "GTR" requested by the login. The login failed.
Login failed for user 'ryan'."
Custom service id: SGImport
My domain id: ryan
Can anyone please guide me on whats wrong and how i should get the web application to connect to database as the custom service account and not the user account?
I been strugling with this for 2 days now without comming any closer to solution. I have read 20-30 threads alteast and stil can not resolve this.
Please help me out.
I have disable anonymous authentication, enable asp.net impersonation.
I have added <identity impersonate = "true" />
I have added the a user to the security logins that is connected to the database I try to connect to
This is the connectionstring I use:
Data Source=IPTOSERVER;Initial Catalog=Phaeton;User Id=User;Password=Password;
errormessage:
Cannot open database "Phaeton.mdf" requested by the login. The login failed.
Login failed for user 'NT AUTHORITY\NETWORK SERVICE'.
I was experiencing a similar error message that I noticed in the Windows Event Viewer that read:
Login failed for user 'NT AUTHORITY\NETWORK SERVICE'. Reason: Failed to open the explicitly specified database. [CLIENT: local machine]
The solution that resolved my problem was:
Login to SqlExpress via SQL Server Management Studio
Go to the "Security" directory of the database
Right-click the Users directory
Select "New User..."
Add 'NT AUTHORITY\NETWORK SERVICE' as a new user
In the Data Role Membership area, select db_owner
Click OK
Here's a screenshot of the above:
The error message you are receiving is telling you that the application failed to connect to the sqlexpress db, and not sql server.
I will just change the name of the db in sql server and then update the connectionstring accordingly and try it again.
Your error message states the following:
Cannot open database "Phaeton.mdf" requested by the login. The login failed.
It looks to me you are still trying to connect to the file based database, the name "Phaeton.mdf" does not match with your new sql database name "Phaeton".
Hope this helps.
If the error message is just
"Login failed for user 'NT AUTHORITY\NETWORK SERVICE'.", then grant
the login permission for 'NT AUTHORITY\NETWORK SERVICE'
by using
"sp_grantlogin 'NT AUTHORITY\NETWORK SERVICE'"
else if the error message is like
"Cannot open database "Phaeton.mdf" requested by the login. The login
failed. Login failed for user 'NT AUTHORITY\NETWORK SERVICE'."
try using
"EXEC sp_grantdbaccess 'NT AUTHORITY\NETWORK SERVICE'"
under your "Phaeton" database.
I liked Jed's solution but the issue with that was every time I built my project in debug mode, it would deploy my database project and removed the user again. so I added this MySQL script to the Post-Deployment script.
it practically does what Jed said but creates the user every time I deploy.
CREATE USER [NT AUTHORITY\NETWORK SERVICE]
FOR LOGIN [NT AUTHORITY\NETWORK SERVICE]
WITH DEFAULT_SCHEMA = dbo;
Go
EXEC sp_addrolemember 'db_owner', 'NT AUTHORITY\NETWORK SERVICE'
You said it worked fine when you were using SQL Express edition. By default express editions create a named instance & run in NT Authority\Network Service.
SQL Server STD by default install a default instance & run in NT Authority\SYSTEM.
Do you have both the full SQL edition & Express edition installed on the same machine?
It could be that somewhere the connection string still refers to the Named instance 'SQLEXPRESS' rather than the default instance created by the full version.
Also where is the connection string defined? In IIS or your code? Make sure that if defined in many places, all point to same SQL instance & database.
Also try looking at the detailed error present in the SQL Server error logs. The error logged in event log are not complete for secuirty reasons. This will also help you to know if the connection was made to the correct SQL Server.
Also make sure that the machine on which SQL is installed is accessible & IIS is trying to access the same machine. In my company sometimes due to wrong name resolution, the query fails since most of our computers have SQL installed & the query lands in the wrong SQL Server.
Make sure that the database exists in the SQL Server. The name displayed under databases in SQL Management Studio should match that in the connection string.
The SQL Server login required is DOMAIN\machinename$. This is the how the calling NT AUTHORITY\NETWORK SERVICE appears to SQL Server (and file servers etc)
In SQL,
CREATE LOGIN [XYZ\Gandalf$] FROM WINDOWS
The Best way is to create a user for your application and assign the permissions that are suitable for that user. Dont use 'NT AUTHORITY\NETWORK SERVICE' as your user it has its own vulnerability and it is a user that has permissions to so many things on the OS level. Stay away from this built in user.
I am using Entity Framework to repupulate my database, and the users gets overridden each time I generate my database.
Now I run this each time I load a new DBContext:
cnt.Database.ExecuteSqlCommand("EXEC sp_addrolemember 'db_owner', 'NT AUTHORITY\\NETWORK SERVICE'");
Make sure that the database is created. I got the same error when I applied the migration to the wrong project in the solution. When I applied the migration to the right project, it created the database and that solved the error.