How can I install Sitecore 7.1 using SQL Server windows credentials? It's asking for SQL Server Authentication but I have Windows Authentication.
There are 3 things you need to set to allow Sitecore using Windows Authentication while connection to MSSQL Server database:
Allow chosen user account on the SQL Server
Set Application Pool for your Web Application to use your chosen user account as Identity
Set Integrated Security=True in your ConnectionStrings.config file
You can not use Windows Domain Credentials with the Sitecore Installer unfortunately. It will only accept SQL Credentials. You have two ways around this limitation.
1) Use the Sitecore Installation program with a temporary SQL credential. Once the install is complete manually update the Application Pool Credentials to a Domain user and then update your ConnectionStrings.config file to remove the username and password fields and setting Integrated Security=True or Trusted_Connection=true in your connection string.
2) Manually install Sitecore with the ZIP of the site root (available on SDN) following the Sitecore Installation Guide found here -> http://sdn.sitecore.net/Reference/Sitecore%207/Installation%20Guide.aspx
Try Sitecore Instance Manager. When entering your SQL credentials, just uncheck the box labeled Use SQL Server Login.
Related
this is for the purpose of cutting an asp.net web application over from using an sql server authentication connection string to using a windows authentication connection string.
See How to: Access SQL Server Using Windows Integrated Security.
If your application runs on a Windows-based intranet, you might be able to use Windows integrated authentication for database access. Integrated security uses the current Windows identity established on the operating system thread to access the SQL Server database. You can then map the Windows identity to a SQL Server database and permissions.
To connect to SQL Server using Windows integrated authentication, you must identify the Windows identity under which your ASP.NET application is running. You must also be sure that the identity has been granted access to the SQL Server database. This topic includes a code example that displays the current Windows identity of the ASP.NET application.
As well as the application of this toward an intranet, you can use it for a public website by setting the Application Pool to run as a custom user that has a Windows logon to the SQL Server.
I am doing merge replication between SQL Server CE, 3.5 SP2 and SQL Server 2012 via IIS / Websync. Everything works perfectly when I use DB Authentication to connect with the publisher. If I switch it to NT Authentication, I get the following error in my script:
Initializing SQL Server Reconciler has failed. Try again.
...and the following error is logged on the IIS server sync log:
Command=SYNC Hr=00004818 Login failed for user 'domain\user. 18456
The reason I am trying to change this is because (and correct me if i'm wrong) I don't want to store the credentials in my sync script (powershell). I was hoping that if I was using NT authentication, it would use the credentials this script is running under in task scheduler - or whoever is running it manually. Basically, that is my goal - however it can be achieved - to not store creds in the script.
To use Windows authentication, you must use Basic auth on the IIS Server (maybe protect with SSL), but the client must suply a Windows username and password. You can then set PublisherSecurityMode to NTAuthentication and the Windows account wil then log on to the database server. So you must either store creds in the script or prompt the person running the script for credentials, and then set InternetLogin and InternetPassword properties accordingly.
The only way I got this to work is when I ran the wizard and chose "anonymous" for web access. Only then was I prompted to put in credentials which will be used for NT Auth (stored on the web server). This means that all clients connect anonymously and use the same creds for SQL. They cannot each have their own SQL credentials. They can, however, each have their own IIS credentials.
I'm using IIS 6 in Server 2003 and SQL server 2008 which sits ona seperate box. Now i would like to connect using the Application pool identity of the website to SQL server.
But somehow whenever i display the identity in page_load method it always displays the windows account using which site was browsed. I have given the details below
Server : Windows Server 2003
Database : SQL server 2008 . Web server and DB sit on different machines.
WebSite : Uses a custom app pool that runs using a custom domain account. Website has anonymous disabled and windows authentication enabled. Impersonation is not enabled in web.config.
I'm displaying the credentials using the below code :
Response.Write(HttpContext.Current.User.Identity.Name.ToString());
WindowsIdentity id = WindowsIdentity.GetCurrent();
Response.Write(id.Name);
Now i need a way of using the identity of app pool to connect to database. Please let me know how to do this. If i set the website anonymous account as the app pool identity everything works fine but i dont want to do that. Now authentication just flows as anonymous to the SQL server and it throws exception.
I'm not sure about IIS6, but in IIS8... In the advanced settings for the application pool in questions, there is an identity section. Set this to the windows credentials you want to use. Also set 'Load application profile' to true.
Then in your application, you just need to setup your connections string to use a trusted_connection instead of an SQL server username and password.
Just remember to set the windows account to have a password which never expires, unless you'll remember to update the app-pool when it does change (or the pool will stop.)
Dave
This sounds like you have Windows Authentication enabled and are using IE to connect to the site? In this case the Windows Identity is passed through to IIS.
We currently use SQL 2008 with Windows Authentication disabled, we only allow SQL Mixed for accessing SQL.
We are wanting to switch our version control software to Team Foundation Server, which requires Windows Authentication.
Which ended up being a bit of a problem, I've talked to our DBA and Windows Authentication is not an option, nor is putting SQL on the server where TFS will reside.
Issue is, from what he is telling me, you are unable to just enable Windows Authentication just for a single user, its either on or off for all users.
Is this correct? What other options are there?
You need to have another talk with the DBA.
There are 2 options for authenticating to SQL Server:
Windows Authentication (only)
Both Windows Authentication and SQL Server Authentication
Yes it is true that if you turn on the latter option also known as Mixed Mode, and it applies to the server (which will now accept Windows Auth) - it does not mean that suddenly all valid Windows users will get access to SQL Server!
The Windows logins still have to be added as SQL users (SQL login != SQL user[principal]) and they can then belong to roles etc, so you would only need to add the users for TFS.
In fact, you cannot possibly disable Windows Auth - so I don't see why the DBA should be complaining about "turning on" Windows Auth.
This is probably what you need to do:
Add a new domain group "sqltfs"
Create a SQL user out of the Windows security Group "domain\sqltfs"
Grant all the access required to the new user (or indirectly through a role)
add all the TFS users into the domain group "sqltfs"
This way you can all continue to use SQL logins where it matter (existing code), while still gaining access via TFS -> SQL Server through the domain group membership
This probably belongs on superuser, but I'll take a stab at it. From my SQL 2008 R2 management console, the DB server can run in either pure Windows Auth mode, or mixed Windows auth + SQL auth. It can't run in SQL auth only.
Since you say you're in mixed mode, I can't see why he can't add another user to the DB that uses a windows domain account, rather than a local SQL server account. Mixed mode allows both.
I'm trying to migrate a legacy application we have to Windows Server 2008 x64 and IIS7. It's written in Classic ASP and connects to a SQL Server 2005 database.
However, when the page runs, I receive the error:
[Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
The connection string I'm using is: Driver=SQL Server; Server=SERVERNAME; Initial Catalog=DBNAME;
I can't see any reason for it to be using the anonymous logon as when it was running on my 32-bit Win2k3 server, it accessed the SQL Server using DOMAINNAME\SERVERNAME$.
I have the following settings.
SQL Server 2005 - running in mixed mode.
IIS7 Application Pool - Allow 32-bit applications set to True.
I've also added the server as a user on the SQL Server.
I've tried a few things now and I'm starting to run out of ideas.
There are some solutions.
use SQL authentication, instead of SSPI. It will work since your database is in mixed mode.
If for any reasons you won't change the authentication.
The NT AUTHORITY\ANONYMOUS LOGON is strange, by the way, just as if the database server and the app servers are not on the same domain. Please check this until proeding further.
1) Create an user in Active Directory
2) Create a application pool on IIS7 and as "Identity" , the user you've created
3) Grant this user the rights and roles you want on the DB
I think I've fixed it. Moving to Win2k8 means that I needed to change the connection string driver to SQL Native Client;.
Set the Anonymous Authentication credentials to be your Application Pool Identity.
(default is Specific User --> IIS User). Then you can use a Trusted Connection in your connection string as it will now use the AppPoolIdentity account.
Well, that failed login attempt is a classic example of code running under the "Local Service" account, rather than (what you had on Win2K3), where it was running under the "Network Service" account. Now you just need to find where that setting is.
For either the OP or future readers, you can:
1) Either use a dedicated service account, as suggested by Johan above, or
2) Use the AppPoolIdentity account and go to "Authentication", then select "Windows Authentication" and enable "ASP .NET Impersonation".
If you still get the same result after #2, you likely have the "double hop" issue cited by Damien - this is where the web server can authenticate you, but it does not allow you to pass those credentials on to the database for security reasons without using Kerberos. You would then need to set the server as "Trusted for Delegation" in AD and set up Kerberos as the authentication provider in IIS. This site helps with that: http://technet.microsoft.com/en-us/library/ee675779.aspx