Setting the ASP.NET ConnectionString to a specific domain user - asp.net

We have a windows account in the SQL Server 2008 called drwho for example
and a password. In the connection string we disabled integrated security and added User Id and password values.
User Id=THEDOMAIN\drwho;Password=......
However ASP.NET keeps thinking we are using SQL server authentication.
Any suggestions?

You cannot connect to SQL server using a domain user/pass. If you wish to connect as a domain user, you need to specify integrated security and run your ASP.NET process as that user.
See this page at Microsoft for more information.

You will have to use impersonate to do this. As far as I'm aware you can't pass domain usernames/passwords in connection strings only a trusted connection, .e.g.
<identity impersonate="true"
userName="domain\user"
password="password" />

the best place to check the validity of your connections strings is here
I suspect that you have not quite got the format correct.

Have you had a look at http://www.connectionstrings.com/? Always a good resource if you're having connection problems.

Related

ASP.NET accessing a SQL Server in a different server

I have installed a new web application that access a SQL Server database in a different server. I'm using Windows Authentication and get the error of:
Login Failed for user XXX
When I try to set identity impersonate="true" in the web.config file, it just throws an error
Login Failed for anonymous user
Also, I'm using forms authentication to validate users from my website and using a different application pool.
Update: connection string Basically like this:
Data Source=myServerAddress;Initial Catalog=myDataBase;Integrated Security=SSPI;
Update:
My Virtual Directory has Anonymous Authentication and Windows Authentication enabled.
Typically ASP.NET runs as an anonomous account. In order to access a remote SQL Server using integrated authentication (SSPI), you'll need to have a bit more "permenant" presence. Easy way would be to shift the app pool to use the NETWORK SERVICE built-in account. Slightly trickier would be to use a named account. On the SQL server side of the equation you will need to give the same account -- either matching user/pass or NETWORK SERVICE -- proper permissions to your database.
Your DBA should be able to help.
It is difficult to provide you with an exact answer because you have not provided your connection string or info on your SQL Server config. Your best bet is to look at the IIS configuration and work out what user is attempting to access the different SQL Server. You then need to give this account access to the database. This is a common problem and most of the changes need to happen in SQL Server unless you can change the account that the web server is running under.

setting connection string

I have been building my web application with visual studio and sql server express and now I'm in the process of deploying it on a server. I need to change the connection string
This is what I have:
<add name="MySiteDBConnectionString"
connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\MySiteDB.mdf;Integrated Security=True;User Instance=True"
providerName="System.Data.SqlClient" />
This is what I need to replace it with:
<add name="LocalSqlServer"
connectionString="Data Source=DBServerName;Integrated Security=false;Initial Catalog=DBName;User ID=DBLogin;Password=DBPassword"
providerName="System.Data.SqlClient" />
The problem is that I don't know where or even if I set up a password for the database. What is integrated security?
I'm using linq-to-sql, do I also need to make some changes in the dbml file?
Thanks for some suggestions.
If you are not using Intergrated Security you will need to set up a user and password on the database server itself. If you are using shared hosting it is possible this will be provided for you. You can then replace DBLogin and DBPassword with your credentials.
Intergrated security uses your windows login/password details to authenticate against the database.
With your linq to sql if you are not passing in a connection string yourself you will need to use the designer to change the connection to the new database (or just overwrite the one in your config file).
Integrated security means that it will use credentials that the web site (app pool) is running under to access the database. You'd need to have SQL server set up to allow this account access to read/write your tables in order for this to work. If your web site is set up to run under the anonymous network account, then it's unlikely that this would be the case. If your web site runs under a domain account, then it's possible that you would need to use integrated security.
If you're not using integrated security, then your DB admin will have set up a SQL login for your application. This is the id/password that you need to use in your connection string. It's possible that multiple accounts have been set up, an admin account, a read/write account, a read-only account, execute SP account (these describe the permissions assigned to the account, not necessarily their names). In that case choose the appropriate one -- it's almost certainly not the admin account unless your DBAs know nothing about security.
FYI, if you use the User ID=...;Password=... format, you can omit the Integrated Security=false as it will assume a SQL login account and password.
'Integrated Security' mode is what was formerly called 'Use Trusted Connection': it uses the credentials of the currently logged on Windows user (in this case, most likely the IUSR_xxx account the web application is running as, or sometimes the computer account) as its login credentials.

ASP.Net web application trying to use Impersonation and Delegation to connect to SQL Server

I'm trying to use Impersonation and Delegation in an intranet ASP.Net web-app in order to pass authenticated users' credentials onto a SQL Server.
The web server and SQL server are two separate machines, but in the same domain, so Delegation is required.
I've done the following:
set <authentication mode="Windows"/> and <identity impersonate="true"/> in my web-app's web.config.
enabled Constrained Delegation from the web server to the MSSQLSvc service on the SQL Server, in Active Directory.
enabled only Windows Authentication in the website, through IIS.
Apparently this should all work, but it doesn't (the SQL Server is denying access to the anonymous user - "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'").
In IIS7, the Application Pool is set to use Integrated Pipleline Mode and is running with the NetworkService Identity. The website only has Windows Authentication enabled, Extended Protection is Off, Kernel-mode authentication is enabled, and NTLM is the provider.
All the web pages I've read seem to indicate that my setup should work. What am I missing?
I've discovered the answer:
The Windows Authentication provider in IIS7 must be set to Negotiate:Kerberos, not NTLM. This means that the Kernel-mode authentication setting must be disabled. This seems to be fine. I think I'm right in saying that Kernel-mode authentication is required when using a custom identity, i.e. one specific identity. Delegation can use an arbitrary number of identities. So all is well.
I've written a blog post about this too, which goes into a bit more detail.
No - it is not accurate to say you need Kerberos, an SPN, to trust the server for delegation, and that this is the ONLY way to do it. Yes, this is one way to do it (and you do need all of it to make it happen via Kerberos), but it is not the ONLY way, or even technically the most secure way or easiest way. Do you really want to have to do extra configurations and create a login for every web user to your DB in SQL? What if any one of those accounts is compromised? More accounts, more vulnerabilities.
No, create a Domain service account, instead, and let that access SQL. If your security guys lock down things, give that user these rights: Logon as a service, Logon as a batch job, and Allow logon locally. Or, if this is just to develop and test the theory or you don't care or can't find the settings or are still getting errors later on, and this might not get a large following, but give it local Admin (sometimes you gotta do what you gotta do - some security pros lock down things tighter than I would care to write about - can always troubleshoot security later to lock it back down). Then set that account as the custom account on the app pool and give that account a login in SQL. Give it dbo on just THAT ONE database.
On the website in IIS, set the authentication type as Windows. I've seen them say "Basic" in other blogs so Kerberos will work, but NTLM uses Windows authentication. In IIS 7, you may also want to enable ASP .NET impersonation. Personally, I've only tried this on IIS 6, but the principal is the same.
In the web.config, add this under <configuration>, which is a "peer" to <system.web>:
<connectionStrings>
<add
name="NorthwindConnectionString"
connectionString="Data Source=serverName;Initial
Catalog=Northwind;Integrated Security=SSPI;User
ID=userName;Password=password"
providerName="System.Data.SqlClient"
/>
</connectionStrings>
And in <system.web>:
<authentication mode="Windows"/>
<identity impersonate="true"
userName="domain\user"
password="password" />
Then read the string into your app like this:
using System.Configuration;
string connString = String.Empty;
if (ConfigurationManager.ConnectionStrings.ConnectionStrings.Count > 0)
{
connString = ConfigurationManager.ConnectionStrings["NorthwindConnectionString"].ConnectionString;
if (connString != null) // do DB connection stuff here
Console.WriteLine("Northwind connection string = \"{0}\"",
connString.ConnectionString);
else
Console.WriteLine("No Northwind connection string");
}
See http://msdn.microsoft.com/en-us/library/ms178411.aspx.
If it will not connect with the service account after filling in that account in the web.config for the impersonate tag and the SQL connection, you can then use impersonation methods using WindowsImpersonationContext (http://msdn.microsoft.com/en-us/library/system.security.principal.windowsimpersonationcontext.aspx). Specifically, you want wic.Impersonate() and wic.Undo() after getting their token. You can read in the service account domain, name, and password from the web.config, in the form of AppKeys.
In short, there are ways around the issues. You can even encrypt the password in the web.config - both in the ConnectionString, and if you want to store it in an AppKey instead of directly in the "impersonate" tag, if you don't want plain text passwords in there (which I'd recommend against), and so you can have it for the creation of a Logon token, if you need to use the Impersonation methods (as I did).

Database connections work fine when application is run from localhost. Login fails from dev server

I have an application which connects to a database, retrieves a username from a user's table and matches it against the username retrieved with System.Security.Principal.WindowsIdentity.GetCurrent.Name
On my localhost, everything works fine. The database exists on the development server but the application lies on my localhost. All of my authorization and authentication techniques are running smoothly.
However, when I publish my application to the development server, I'm faced with the following error.
Cannot open database requested in login 'databaseName'. Login fails.
Login failed for user 'DevelopmentServerName\ASPNET'.
I can't put my finger onto what would cause this. Any help would be greatly appreciated.
Thanks!
Edit: Here is the connection string!
<add name="connectionStringName" connectionString="Initial Catalog=myDatabase;Data Source=DevelopmentServerName;Integrated Security=True"
providerName="System.Data.SqlClient" />
Also, for context. This authentication needs to grab the user's Windows username and match it against the username in the database. Users will have the Computername\Myname username built into the database (if they are authorized to use the required section of the program, that is).
Thanks again :)
It appears that your application is attempting to connect to the database under the ASPNET account, which may have limited permissions on the development server, as opposed to logging in on your own (you local machine may actually be using your windows identity). I can see two potential solutions.
Make sure to add into the system.web section of your web.config file.
Check with the system administrator and the SQL administrator to make sure the ASPNET account has proper authorization to connect to the database, if indeed your environment allows this account to connect.
Adding some additional code to your question, such as your connection string may help things out as well.
EDIT:
Okay, you are indeed using IntegratedSecurity, so typically with this kind of setup (using impersonation), you need to make sure you are getting prompted to add your Username and Password to authenticate against.
We have a similar setup, and to do this, we have to go to the IIS settings for the virtual directory, select the Directory Security tab, and click the Edit button under Anonymous access and authentication control.
Make sure Anonymous access is unchecked, and you may will most likely need to enable the proper authentication for your environment. Unfortunately we're still using Basic authentication (clear text) here, but Integrated Windows authentication may will work for you too. It depends on your environment.
I'm adding this comment to the main post since this seemed to have done the trick...
I just found this post which may help you get the proper configuration setup to handle what you need based on your IIS environment.
The answer may lay with your connection string. My guess would be that you are using integrated authentication to log into the database. This works fine when it's your machine because the application is using your credentials. When you publish to the development server you would be using the aspNet user and wouldn't have the right credentials to login. I would either add this user to your database server or change your connection string to use SQL authentication.
It could be a firewall setting that's preventing your server from seeing your database.
It might also have something to do with your connection string. If you're using anything besides a username/password combo in your web.config file, you will probably require additional configuration to convince the database server to let you connect.
It seems that what you want to do is impersonate the caller of the web page. You need to add a line to your web.config to do this:
<identity impersonate="true" />
See this article for an explanation.

ASP.NET web app can't use multiple impersonation for authenication

I have a asp.net app (uses windows authentication for access) which (stipulated by the security team) needs to connect to a remote SQL Server 2005 using integrated security.Because of the fact that it is remote SQL server I needed to impersonate a custom account (impersonating the original caller would not work) via :
<identity impersonate = "true" userName="domainname\user" password="password" />
This workes fine. The rub is my app also connects to an SSRS server for reporting needs using the ReportViewer control. The report server is on a separate server and the security team mandates that all calls to this server must be using the original window's account for auditing purposes. It seems my only option was to to try and separate my app into folders and use a "location" tag in my web.config and use separate identity tags. Such as:
<location path="Reporting">
<system.web>
<identity impersonate = "true"/>
</system.web>
</location>
Note: no username and password specified which means it should impersonate the original caller.
However to make matters even more complicated my app is a Masterpage/content page app. The master page makes calls to SQL to populate menus and such. Bottom line is the dual impersonation track is not working. I am ready to throw my hands up and declare that that this can not be done. If there was a way where I could have the app impersonate the original caller which would satisfy my SSRS auditing needs yet make connections to SQL server as the custom domain account. I cannot use SQL authentication: not allowed although that would solve this issue.
Have you tried the following setup:
Set impersonation to true. This is necessary for authentication into the application and for access to the SSRS to use current user logged in.
Use one connection string to SSRS that has Integrated Security set to true, so that the impersonated user passes straight through.
Use a second connection string, with the custom user name and password hard coded into the connection string. You can encrypt the connection string section of the web.config so that it isn't visible to human eyes, but the framework will automatically decrypt this on the fly when creating a connection.
I have a similar situation (need a specific account to retrieve specific data, but the general impersonation for the rest of the service functionality) and this setup is working.
EDIT: The general syntax for encrypting your web.config from the command prompt is:
aspnet_regiis -pef "connectionStrings" [PhysicalPathToApplication] -prov "DataProtectionConfigurationProvider"
Encryption is done on a machine per machine basis, so the encryption will have to be done on the specific server. You can pull up more documentation on this if needed.
You should be able to switch the impersonation on and off, so you can go back to using the default account running the site. I will have to check, it's been a while since I have done it.
This looks like a start as to how to do it:
System.Security.Principal.WindowsImpersonationContext impersonationContext;
impersonationContext =
((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
//Insert your code that runs under the security context of the authenticating user here.
impersonationContext.Undo();
Essentially you just impersonate the appropriate user for the calls you need, and then "undo" the context and turn it off. It goes back to the default user after that.
Here is a link to the windows identity class:
http://msdn.microsoft.com/en-us/library/system.security.principal.windowsidentity.aspx

Resources