My ASP.NET v3.5 web application is throwing the following exception when it attempts to open a connection to a SQL Server 2008 database:
System.Data.SqlClient.SqlException:
Cannot open database "MyDbName"
requested by the login. The login
failed. Login failed for user 'NT
AUTHORITY\IUSR'.
The thing is, I've added NT AUTHORITY\IUSR to the server's list of logins, and to the database's list of users. For the server, I've granted the user the Public role, and for the database I've granted db_datareader permissions.
I've also granted the same for NT AUTHORITY\NETWORK SERVICE, which is the identity that the application pool is running under.
The web application is hosted by IIS7, if that makes a difference. The problem repros when the DB and IIS are on the same physical machine as well.
The trick here is that NT AUTHORITY\NETWORK SERVICE actually appears to the database as DOMAINNAME\MACHINENAME$ (note the $ sign!). That is, when you cross the machine boundary from your web server to the SQL Server, SQL Server sees the machine account if you use the NETWORK SERVICE or LOCAL SYSTEM accounts. If you use any other non-domain account, SQL Server will not receive your credentials.
I'm a bit puzzled by your error message. Truth be told, I don't think that when the DB is on another box, you'll see anything other than Login Failed for NT AUTHORITY\ANONYMOUS LOGON.
IUSR is used for anonymous websites, and can't pass over the wire to SQL Server. You may find a way for it to work if you're doing everything on the same machine, but I'd never know because I'd never do it that way... ;-)
In case it helps someone, in web.config I added <identity impersonate="false" /> for this error to go away (under <system.web>)
It's important to note that you'll get this error, as I just did, if you don't have IIS configured to allow impersonation, but you do have your web.config attempting to do impersonation.
I just came across this exact error, and all of the following steps are required:
Ensure ASP.NET impersonation is enabled on your IIS web server:
Combine that with configuring your site to use impersonation (web.config):
<system.web>
<identity impersonate="true" userName="your_service_acct" password="***" />
</system.web>
The above steps presume that you have a SQL Login setup on your MSSQL for 'your_service_acct' with permissions
When running on localhost, against a localdb, or even a remote db that you personally have permissions on, the development IIS runs as if it were YOU - and everything just magically works. So, in debug mode, you don't need to create a special web.config..
As soon as you deploy your site onto some kind of server (in my case, our TEST environment) you'll likely need to have done the above steps I just detailed, because IIS will try to connect as the application pool user, which is not usually what you want administratively speaking. So, that's when you want to start using web.config transformations, so Visual Studio will insert the appropriate identity impersonate="true" during your 'Publish...' deployment step.
I would suggest to create a separate (preferably domain) account and specify it in the connection string (usually in web.config)
Then you can limit permissions on the web server what this account can and cannot do.
Then you can grant this account required permissions in SQL server.
I had had the same problem and solved this by changing application pool.
Instead of using Integrated Security=True; in connection string, just use username and password authentication user=sa; pwd=mypassword;
The simple solution is to check your web.config file and make sure one of these is part of the db connection string:
Trusted Connection=false
OR
Integrated Security=True
This problem is shown when you restore a new database on your last database.
To resolve this you must go to sqlserver, then security and then set your apppool again.
this worked for me:
Open the IIS Manager (inetmgr)
In the "Connections" panel, drill down to your site's node and select it
In the right-hand panel, under the "IIS" group, double click the "Authentication" icon.
Right-click on "Anonymous Authentication" and choose "Edit..." from the context menu.
In the popup dialog, select the "Application pool identity" radio button.
Click OK.
Related
On IIS 8.5, the only authentication method I have enabled is Windows Authentication, with Negotiate and NTLM. When I use a connection string in any ASP.NET application, running under an app pool who's identity is a domain account, I'm able to connect fine. In classic asp I get:
Microsoft OLE DB Provider for SQL Server error '80040e4d'
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
As far as I know the servers aren't configured for delegation, and I didn't explicitly set the SPN. I'm accessing the box via the FQDN which is netbiosname.mydomain.com .
Why is it working in ASP.NET, but failing in classic asp? Am I experiencing the double hop? Is there a way to confirm it is in fact the double hop?
Here's the error I'm getting:
Microsoft OLE DB Provider for SQL Server error '80040e4d'
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
I found out how to resolve this issue, I believe the last step was the only one that helped, but here's what I did:
Disabled all authentication methods other than Windows Authentication
In IIS Manager, I used the "Convert to Application" option to mark
the folder containing the classic asp code as an application
Assigned the application to app pool running under AD account with access to SQL server
Enabled 32-Bit application support on the app pool
Set pipeline mode to integrated for app pool
At this point I still was getting the same error
I right clicked on the application and set the Physical Path Credentials to the same domain account that the app pool runs under and everything started to work correctly
I would imagine you need to set the classic asp IIS website to run as the domain account you're using for integrated security.
To get ASP to connect to the database, in IIS 6, Directory Security -> Authentication Methods, Under Enable Anonymous Access, I set the anonymous access account to the AD account with permissions to the database.
i was tearing my hair out for a while. then i tried creating a windows user account, with the proper permissions in SQL Server, and used "Integrated Security=SSPI" in the connection string. it worked like a charm - no AD required:
SQLconnex = "PROVIDER=SQLOLEDB;DATA SOURCE={server};DATABASE={db};UID={uid};PWD={pwd};Integrated Security=SSPI"
hope it helps and saves your hair.
In my case to solve it I set the "anonymous authentication" the use of the "application pool identity".
Sites > Authentication > anonymous authentication > Edit > application pool identity
I am new to IIS and MS SQL Server (coming from a Apache MySQL Environment) so hopefully I will include enough details for you guys to help me!
I am converting my web app from using hard coded database credentials (currently SA :/ ) in the Connection String in web.config.
I removed the username and password and put in "Integrated Security=SSPI". The website is configured with a dedicated app pool and that app pool Identity is set to the domain account I want it to use. When I attempt to use the web app I get an error. When I look into the SQL Server logs I see "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Could not find a login matching the name provided.
Any ideas on what I am doing wrong?
Add (or modify) the element below to the system.web section of your web.config.
<identity impersonate="true" />
See http://msdn.microsoft.com/en-us/library/vstudio/134ec8tc(v=vs.100).aspx
I created a MVC4 web application on my laptop using localdb with a mdf. file. I then exported the project to my desktop, and then I copypasted these files over to my webserver on my Win2k12 running IIS.
After copying it I created the tables on the MSSQL Express 2012 server that runs on the same Win2k12 server, and modified web.conf in my project to target the server and not the mdf file.
And here is where it all stops, I get the following error when I try to send data (that should communicate with the sql server, browsing pages is fine as long as it does not try to talk to the sql server):
Cannot open database "mc.foo.net" requested by the login. The login failed.
Login failed for user 'IIS APPPOOL\mc.foo.net'.
And I'm guessing the user IIS APPOOL is something inherited from my laptop, I don't have this user on thw Win2k12 server. How can I change that? And to what? I have several users (from Security of the server in SQL Server Manager):
NT AUTHORITY\SYSTEM
NT Service\MSSQLSERVER
NT SERVICE\SQLWriter
NT SERVICE\Winmgmt
In addition to my domain administrators. How can I fix this?
You can easily change the application pool identity in IIS Manager.
On the target application pool (under Root/application pools), select Advanced Settings. The is a Category Process Model, where you can specify pool's identity.
Built-in account allow you to use Network Service/Local System/... whereas Custom allow you to specify a domain or local user. That's all !
It's not recommended to give too many privileges on the application pool. This can hurt security of your application and can be sometimes painful to manage. So, I would highly suggest you to use sql authentication for your database and to encrypt connection string.
Your problem seems like the user doesn't have rights on the DB Server.
There are multiple ways to go around this.
If you are connecting through integrated security to the DB... Change that to a local SQL server or a domain username and password.
Give your appPool account dataReader or dataWriter access (Not recommended for production).
I've been given a backup of a production SQL database to begin writing an application against.
I've got it running as a local instance and using Windows Authentication and I can READ the information, however I cannot figure out how to get IIS to use my Windows Authentication to log into the SQL server when running a local ASP.Net website.
I don't have the authority on the DB to add users, and I'm getting an error of System.Data.SqlClient.SqlException: Login failed for user 'NT AUTHORITY\NETWORK SERVICE'. when I try to access a page that reads the database.
I don't think I will be able to communicate with the DB admin for a while to get him to fix this up for me. Is there anything I can do here?
Your asp code is using the same identity that IIS runs under - the Network Service account. To get it to use your credentials, you can either hard-code them into a connection string or you can use impersonation (see this link: http://msdn.microsoft.com/en-us/library/aa292118%28VS.71%29.aspx)
The gist of the link:
Put this in your web.config file: <identity impersonate="true" />
-t.
You need to create an account in SQL Server for the Network Service account,ex via SSMS via the "Security" section, right click on "Logins" and select add. You will be adding a Windows Account, you can then lookup and validate the name "NETWORK SERVICE". Then switch to the "User Mapping" section and grant permission to view your database.
reference : http://msdn.microsoft.com/en-us/library/ms998320.aspx#paght000015%5Fsqlserver
2nd Alternative
If "integrated security=sspi" is there in your connection string than you should:
Turn on integrated auth in IIS
Turn on windows auth in asp.net
Turn on imerposation in asp.net
Hopefully it will help.
I am using SQLServer2005 and VS2008. My connection string in web.config is:
add name="library" connectionString="Data source=KMT; Initial Catalog=Library;Integrated Security=SSPI"
Here, KMT is my server name, Library is my database.
When I run my page through VS2008 localhost, it's fine. However, when viewing through IIS it shows an error message like "login failed for user, 'KMT/ASP.NET'". My sqlserver authentication mode is windows and it's ok in web.config. What will be the solution?
Using "Integrated Security" means logging in to the database with the identity of the user running the process. When you run the local VS web server, it runs as your login. But in IIS, the web server worker process runs as a predefined user account. Your worker process identity must have rights to your SQL Server and database.
Check the properties of your App Pool in IIS. If you are running as Network Service for example, go into SQL and create a new user, enter Network Service as the Windows user name, and grant that user rights to your database.
one of my friends helped me to solve this problem as
i executed the SQL to add ASPNET as a login to
my DB and setup DA permissions
exec sp_grantlogin N'MACHINE\ASPNET'
exec sp_defaultdb N'MACHINE\ASPNET', N'Database'
use Database
exec sp_grantdbaccess N'MACHINE\ASPNET', N'ASPNET'
exec sp_addrolemember N'db_owner', N'ASPNET'
here MACHINE is machine name and database is my database name.
but through this the ASPNET user has total
control over that DB.
VS2008 uses your credentials to authorize to the db, IIS is using different account.
Make sure the IIS account has enough permissions.
If you use Integrated Security=SSPI, the credentials of the current user (in VS that would be YOU) are used to connect to SQL Server.
From an IIS app, the user associated with the IIS service is used for log in.
Solutions:
Assign the IIS service a special user that's allowed to connect to SQL
Use SQL Server authentification to access the database, and stored username/password in the connection string
Were you planning to use the ASP.NET system account or the users windows account?
If the latter you need impersonation. That works if SQL and IIS are on the same machine, otherwise it is a double hop and requires a non trivial amount of work to set up delegation.
If the server is windows 2003 you can give the Network Service the permissions to access to SQL Server