My Asp.Net/C# web app hosted on IIS is using 2 different service accounts to access 2 DBs on 2 SQL servers on the network. IIS is running as service account1 coonnecting to DB1 on SQL server1.
I have the User ID, Password for account 2 configured in the web.config connectionstring expecting this to supersede the IIS setting just for DB2 on SQL server2. This is not working. Is there a better way to handle this? Appreciate your help.
Obviously, DB1 uses Windows Authentication and should be configured for that. Make sure, the connection string is configured to select "Integrated Security=true;" in its connection string. DB2 needs SQLServerAuthentication enabled. No impersonation will work for DB2 but a regular connection string will do:
Data Source=myServerAddress;Initial Catalog=myDataBase;User Id=myUsername;Password=myPassword;
See also: http://www.connectionstrings.com/sql-server-2008
Related
I'm creating an ASP.NET application for my company.
In Visual Studio, I used EntityFramework to connect to my SQL Server database with an edmx file. The application is using Windows authentication to connect to both the website and SQL Server.
When I run the application locally, all is working great. The Windows authentication works so my app know who I am, then it connects to SQL Server correctly and shows up data.
But when I try to deploy it on my IIS Server, I get the following error :
Login failed for user 'DOMAIN\SERVERNAME$'.
The Windows authentication works great to identify who I am in the app, but the integrated security used to connect to SQL Server is using the server identity instead of the identity of the application's user.
What you may want to know :
All users have an SQL Server account to connect through integrated security
The server is on the same Domain than our computers
The SQL Server is on another server than the machine where IIS is running, but the remote connection is activated and working
I'm using Google Chrome to test my app locally and remotely
There is the connection string I am using :
<connectionStrings>
<add name="DatabaseEntities" connectionString="metadata=res://*/Models.DatabaseModel.csdl|res://*/Models.DatabaseModel.ssdl|res://*/Models.DatabaseModel.msl;provider=System.Data.SqlClient;provider connection string="data source=SQLSERVERNAME\INSTANCE;initial catalog=Database;integrated security=True;multipleactiveresultsets=True;application name=EntityFramework"" providerName="System.Data.EntityClient" />
Is it possible to use the same Windows authentication for both ASP.NET application and SQL Server ?
You should add your domain user to SQL-server logins - look here
Or remove integrated security option from connection string and add user id and password of sql server user:
<add name="DbConnectionString" connectionString="Data Source=SERVER;Initial Catalog=db;User Id=sqlusername;Password=sqluserpass;MultipleActiveResultSets=True;App=EntityFramework" providerName="System.Data.SqlClient"/>
note that exampled connection string does not contains metadata for model-first approach
I was looking on how to set this up for SQL FILESTREAM in my API.
Update the Host File with the IPV4 for the FQDN or SERVERNAME of the SQL Server.
In Credential Manager add 2 Credentials.
One for File Share the other Port 1433.
The File Transfer does not require the Domain, but the Port 1433 version does.
After this was able to use Trusted Connection or Integrated Security=SSPI to access the FILESTREAM.
My applications use data from one SQL server on our network. The SQL server is on separate machine from the IIS server that hosts my applications. I am using integrated security, Windows authentication, and impersonation in the web.config. Now I need to connect to another SQL box that does work with the impersonated account. So how do I pass proper identity to each of the SQL servers to get data from each? The web.config only allows one impersonation.
I'm trying to connect and getting an error like:
Login failed. The login cannot be used with Windows Authentication
I'm using mirrored local accounts on SQL Server and web server because I'm simply trying to use a trusted connection between machines not on the same domain. It seems like something that would be fairly common, but after days of trying to find an answer that applied to my situation, I do not recognize that any of the answers were applicable... that or the fact that I'm only a .NET developer and not a sysadmin or DBA means I have it and just don't know it.
Here's what I can say:
CMS web server: ASP.NET 4.0 web app running on Windows Server 2008, IIS7, on corporate DMZ
CMS database server: SQL Server 2008 R2 on a domain server
For various reasons that I won't go in to, encrypting the credentials is not sufficient.
The database port that the application needs to connect on is not the standard port and is set up to listen on a different port.
Setting up DB mirroring isn't an option and doesn't really address the requirements (in my way of thinking)
Also, FYI if this is helpful to know:
Content entry happens on internal web server which publishes content to same DB that is accessed by the DMZ web server.
Content server is set up to have the website run the app pool in integrated mode with a windows domain user that has been set as a service account using the -ga switch and given all the appropriate rights and everything runs perfect.
External web server, without domain access, using mirrored accounts (same username and password set up on the SQL Server machine and web machine).
Local account on the web server set as a service account using -ga switch and running as the app pool identity for my app.
On the SQL Server box, created local user with identical creds and given same permissions that the domain user identity has
Connecting to SQL Server via MGMT studio installed on web server with the SQL Server user creds works fine.
Now, if I put in the username in to the connection strings, everything is perfect. As soon as I put the trusted_connection=yes in the connection string like I did with the domain server connection strings, I get the trust error.
So if my connection string is like this, it works fine:
Server=myServerAddress;Database=myDataBase;Username=MyUser; Password=MyPassword;
If I change my connection string to either of these, it fails:
Server=myServerAddress;Database=myDataBase;Trusted_Connection=True;
or
Data Source=myServerAddress;Initial Catalog=myDataBase;Integrated Security=SSPI;
I'm working with one of the client's network admins and he's not necessarily a DBA and doesn't have experience with configuring web apps. So it's possible that we're missing something and any advice or ideas would help. What am I missing?
If using SQL credentials are not an option, then you should use Active Directory and create a one-way trust (have DMZ server domain trust your internal domain), create a service account in your internal domain which your DMZ application can use, and grant that account access to the database. Then it will be able to generate SSPI context.
I am using Amazon EC2 server, with Windows Server. It has installed SQL Server 2008 R2 Express and IIS7. I have made a web site, and want to test this web app. But it is not connecting to the SQL Server. I have tried different connection strings. But it is giving this error:
Server Error in '/' Application.
Cannot open database "Avon" requested
by the login. The login failed. Login
failed for user 'NT AUTHORITY\NETWORK
SERVICE'.
I have tried to change it from windows authentication to SQL Server authentication and vice versa. But same error.
My connection string is
connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|Avon.mdf;Integrated Security=True;User Instance=true;"
I have copied Avon.mdf and Avon.ldf file into App_data. I want it to connect either by local server, or by IP address.
I appreciate your answers.
Thanks
If the identity under which the application is running does not have access to the database, you will need to provide user name and password in the connection string.
Example:
Password=somepassword;Persist Security Info=True;User ID=someuserid;Initial Catalog=DatabaseName;Data Source=.\SQLEXPRESS
You could also try changing your Application pool identiy to a user that has access to the database. or set up asp.net impersonation
Application pool on II7 work in context of user NETWORK SERVICE. In your connection string you have Integrated Security=True.
Solutions:
1) Change connection string to use userId+password
2) Change application pool user - not recommended if you don't understand how it works
3) Allow user NETWORK SERVICE connect to your sql server\data base - not recommended because many others services use this technical account.
We are upgrading from an environment where the development web server, the SQL Server 2005, and SQL Server data are all on the same machine, a Windows XP Machine. We are upgrading to having the web server on one Windows 2008 server, the SQL Server on a 2nd Windows 2008 Server, and to Server to a Windows 2008 server, nd the data on a SAN.
Now we are getting the error message:
A connection was succesfully established with the server, but then
an error occured during the login
process. (provider: named pipes
provider, error 0, no process is on
the other end of the pipe.)
The network guy thinks it is a problem with the connection string:
<add name="CNString"
connectionString="Data Source=WEBSERVER;
Initial Catalog=PCIdb;
User ID=sa;Password=pass;"
providerName="System.Data.SqlClient"/>
Can anyone help out here?
Is your SQL Server really called WEBSERVER (DataSource="WEBSERVER") ??
Also, I would never EVER use the sa account in a connection string - NEVER, period. Use an application specific user or something, but do not use the sa account under any circumstances.
This can be caused by any number of reasons, but the first thing to look at is the configuration and setup of the SQL Server itself.
Are named pipes enabled on the server? You can check this through the server configuration manager (on the SQL Server machine itself).
Is the user on the connection string (or the connection pool user if you are using SSPI) setup on the server?
Note:
I do hope the connection string you put up is an edited version of your real one, as there are a couple of issues with it:
Using the sa login - you should never do that as now any SQL exploit can do any damage it wants
Calling a sql server "webserver" - a really confusion naming decision
When it comes to connection strings, look at connectionstrings.com - they hold a good list of valid connection strings to many databases using different providers.
I got that error before...Make sure SQL server services are started
If that's not it, change the authentication mode to both server and windows.
It could be a connectionstring problem. Try comparing your connectionstring to the connectionstrings at http://www.connectionstrings.com but it could also be that the remote connection or the remote server (the webserver in this case) isn't allowed to connect to SQL.
Check if remote connections are allowed and named pipes and/or TCP/IP protocols are enabled on the database server.
But, based on the scenario you've described, I'd say it's the database-end that's refusing the connection (since you've already had a working solution).