I can not seem to get sql server to recognize my credentials.
Asp.net recognizes me when I login but when I execute a sql command I get a login failed message.
The IIS server and SQL server are on different machines.
There are other applications the IIS server which are able to authenticate to the sql server. I believe the Active Directory settings are correct. I am investigating what I am doing differently.
I must be missing something.
I check the IIS settings
The web config is set to impersonate.
Below is the relevant information. If anyone has any idea as to what I missed or am doing wrong I would appreciate some help.
IIS Settings:
'Integrated Windows authentication' is checked
'Enable anonymous access" is not checked
Web Config
<authentication mode="Windows"/>
<identity impersonate="true"/>
<authorization>
<deny users="?" />
</authorization>
Page_Load Code:
Dim winId As IIdentity = HttpContext.Current.User.Identity
TextBoxMessage.Text = winId.Name + Environment.NewLine
Dim cnn As SqlClient.SqlConnection
Try
Dim sql As String = "*****"
cnn = New SqlClient.SqlConnection("Data Source=*****;Initial Catalog=****;Integrated Security=True")
cnn.Open()
Dim cmd As New SqlClient.SqlCommand(sql, cnn)
cmd.ExecuteNonQuery()
cnn.Close()
Catch ex As Exception
TextBoxMessage.Text += ex.Message
cnn.Close()
End Try
Output:
Domain\UserName
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
This is key = The IIS server and SQL server are on different machines. You're facing the classic double hop issue. Think of it in this way:
You access the web application under your credentials
IIS in this case has to present who you say you are to the SQL Server
IIS says, "Why hello SQL Server, I'm passing on Tony's kerberos creds, they are legit"
SQL Server says, "Hmmm, IIS I'm not sure I trust you, I need proof that you are trusted to present these credentials to me".
Thus once you enable delegation as mentioned by Remus, your SQL Server will trust the credentials your IIS server is presenting on your behalf.
In terms of security, under delegation, it would be wise to choose:
Trust this computer for delegation for specified services only | Use Kerberos only | and then underneath the "Services to which this account can present delegated credentials" make sure you explicitly set only the server/port you need.
You also need to enable constrained delegation:
Enabling Constrained Delegation
How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0
Windows Server 2003 Constrained Delegation (IIS 6.0)
Are your ISS server and SQL Server running on the same machine?
If not, Active Directory has to be configured to allow your IIS server to impersonate your accout towards the SQL Server. See How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0.
Long story short: IIS server should have "trusted for delegation" checkbox checked in Active Directory.
You need to set you credentials in Application Pool.
- Open IIS
- Select Application Pools
- Enter the name, select .Net framework version and click OK
- Select the new added application pool and click on Advanced Settings..
- In the Process Model section click on Identity - choose custom account and enter the AD username, password, confirm password and click OK
- Select your application and in the Basic settings choose your application pool just created.
Hope this helps
Related
BACKGROUND:
IIS is on One Server (7)
SQL is on another server
Active Directory is on another server (this may or may not make a difference but from what I have read it may)
We have a brand new MVC site that is using AD Permissions to grant access to the site and then to run the SP's within SQL
The site access is working correctly, but I am getting the error Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON' which I believe means I have fallen fowl to the double hop issue.
Within IIS I have an App Pool of V4.0 Integrated and Application Pool Identity
within my Application I have settings of ASP.net Impersonation Enabled and Windows Authentication Enabled all else is Disabled
And within the Delegation settings of the SQL Server and the IIS Server I have set 'Trust this computer for delegation to any service (Kerberos only)'
also if I run the following statement within SQL
SELECT auth_scheme
FROM sys.dm_exec_connections
WHERE session_id = ##SPID;
I get KERBEROS.
What am I missing? or doing wrong? Thanks
There are number of things you may want to check, do you have SPN setup on the SQL Box, these can be added via the following command:
setspn -a "<SQL_SERVER_Server_Name>:1433" "<SQL_SERVER_Service_Account>"
You may want to add both the FQDN as well as the short name. Once this is complete you will need to restart the SQL Server, not just the service.
If this does not work, can you run the following commands:
setspn -l "<AppPool Account Name>"
and
setspn -l "<SQL Server Account Name>"
I'm trying to use SMO in a ASP.NET web project to get a list of the server's Databases. The method I'm using seems to work fine on a Windows 7 machine, but the second I install it on an XP machine, I get a ConnectionFailureException. The code I'm using to establish the connection is:
ServerConnection connection = new ServerConnection(serverName);
Server serverConnection = new Server(connection);
string[] databases;
try
{
databases = new string[serverConnection.Databases.Count];
}
catch { databases = new string[0]; }
On the Windows 7 machine, I get an empty array of length however many databases there are, which I then add the database names to in a foreach loop, but in Windows XP, it fails in the try block, and I get:
ConnectionFailureException: Failed to connect to server localhost.
-> Login failed for user 'ComputerName\\ASPNET'.
I'm guessing this is some kind of permissions problem with the ASPNET user, but I can't seem to find anything that's solved the problem. In IIS, I unselected Anonymous Access and selected Integrated Windows Authentication, and set
<authentication mode="Windows" />
in the web.config.
Anyone have any suggestions/sage-like advice to share?
Do you want web application to impersonate a user to connect to SQL?
When you use SQL Management Studio you are connecting to SQL directly; when you are doing it from web application then you are calling it and IIS calls yours SQL. Now the question is which login IIS uses when accessing SQL - whether it impersonates you under W7 and does not doing it under XP?
For sure XP does not impersonates you and uses 'ComputerName\ASPNET' as you shown in the error message. IIS6 ASPNET impersonation setting are described here and IIS7 here. By default in both IISes impersonation is turned off but I am not sure what is your current configuration on W7. Maybe you should turn it on under IIS6?
This is my first time to deploy an asp.net web site. Everything is working fine on my local computer but when i published the web site on a remote computer i get the error "Failed to generate a user instance of SQL Server due to failure in retrieving the user's local application data path. Please make sure the user has a local user profile on the computer. The connection will be closed"
(only in pages that try to access the database)
Help pleaseee
In IIS under Vista/Windows 7/Server 2008 OS,
Select the application pool and then "advanced settings." Under "process model" find "Load User Profile" and set it to true.
SQL should now load under the default app pool account.
Try the following:
Start IIS
Open Application Pools by clicking on it
Right click on DefaultAppPool and select “Select Application Pool
Defaults”
Change “Identity” property to “NetworkService”
Save and exit IIS
You have to adjust your connection string according to your hosting server.
Modify the below section of web.config according to SQL server user name and password
<connectionStrings>
<add name="DBName" providerName="System.Data.SqlClient"
connectionString="uid=; pwd=; database=; server=;"/>
</connectionStrings>
I have an ASP.NET application that executes a WMI call to a remote system. The application Web.config contains <identity impersonate="true"> and <authentication mode="Windows"> options which, as I understand, should force the application code to be executed on behalf of the application user.
The problem is that I get "Access is denied" error, despite the fact I can successfully execute the my WMI request from PowerShell console on the same host under the same user to the remote server in question.
// this doesn't work
ManagementScope scope = new ManagementScope();
scope.Path.NamespacePath = "root\\virtualization";
scope.Path.Server = "vs01";
scope.Connect(); // <-- here comes exception
# this works just fine
Get-WmiObject -Namespace 'root\virtualization' -Class Msvm_ComputerSystem -ComputerName vs01
Dumping HttpContext.Current.User.Identity.Name, System.Security.Principal.WindowsIdentity.GetCurrent().Name, System.Threading.Thread.CurrentPrincipal.Identity.Name properties suggest that impersonation works as expected.
Ideas? Could the issue be some kind of .NET or IIS security?
You need to have a domain administrator enable Delegation for your web server machine. This is a security feature of Kerberos. By default an intermediate server (in this case your web server) is not allowed to pass the impersonation context of a client to the remote server unless it has been given Delegation permission. If you don't do this the remote target server will see the request coming in as Anonymous User... which if its properly secured will be denied access.
Note its a common policy to only allow an intermediate server to delegate to specific target servers (called constrained delegation), so if your web app needs to be able to call WMI on any server in your network you may have problem. Talk to your domain admin.
I'm trying to hit my intranet website and get it to run a simple sql query as the windows user I'm logged in as.
When I debug through Visual Studio, everything works great. When I hit the webserver though, I get an error from sqlconnection saying, "ERROR:Login failed for user 'YOUR_DOMAIN\YOUR_WEBSERVER_NAME'."
Request.ServerVariables[AUTH_USER]: YOUR_DOMAIN\UserBob
System.Security.Principal.WindowsIdentity.GetCurrent().Name: NT AUTHORITY\NETWORK SERVICE
Page.User.Identity.Name: YOUR_DOMAIN\UserBob
System.Threading.Thread.CurrentPrincipal.Identity.Name: YOUR_DOMAIN\UserBob
So how do I get the SQL query to execute under UserBob?
Here's my setup:
<system.web>
<compilation debug="true" targetFramework="4.0"/>
<authentication mode="Windows"/>
<identity impersonate="true"/>
<customErrors mode="Off"/>
</system.web>
Webserver is a Win 2008 server with IIS7, Windows Authentication on, Anon Auth off.
Code is simply:
Response.Write("Request.ServerVariables[AUTH_USER]: " + Request.ServerVariables ["AUTH_USER"].ToString());
Response.Write("<br>System.Security.Principal.WindowsIdentity.GetCurrent().Name: " + System.Security.Principal.WindowsIdentity.GetCurrent().Name);
Response.Write("<br>Page.User.Identity.Name: " + Page.User.Identity.Name);
Response.Write("<br>System.Threading.Thread.CurrentPrincipal.Identity.Name: " + System.Threading.Thread.CurrentPrincipal.Identity.Name);
SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["CarbonDB"].ConnectionString);
conn.Open();
SqlCommand sqlcom = new SqlCommand("dbo.runsomething", conn);
sqlcom.CommandType = CommandType.StoredProcedure;
SqlDataReader sqlDataReader = sqlcom.ExecuteReader();
conn.Close();
Is the SQL Server on a different machine than the web server?
If so, the issue you are running into is related to Kerberos Delegation. Basically, your web server doesn't have the permission/ability to impersonate the end user to another server.
Try this link for more information on delegation.
Be aware that this isn't trivial, and requires assistance from a network admin, as it involves making changes to your Active Directory environment.
If possible, use a service account (such as Network Service) to access the SQL Server.
Erick
Is the site using Integrated or Classic pipeline mode. In IIS7, check the Basic Settings of the website, click Connect As... and make sure that Application user (pass-through authentication) is checked.