this is for the purpose of cutting an asp.net web application over from using an sql server authentication connection string to using a windows authentication connection string.
See How to: Access SQL Server Using Windows Integrated Security.
If your application runs on a Windows-based intranet, you might be able to use Windows integrated authentication for database access. Integrated security uses the current Windows identity established on the operating system thread to access the SQL Server database. You can then map the Windows identity to a SQL Server database and permissions.
To connect to SQL Server using Windows integrated authentication, you must identify the Windows identity under which your ASP.NET application is running. You must also be sure that the identity has been granted access to the SQL Server database. This topic includes a code example that displays the current Windows identity of the ASP.NET application.
As well as the application of this toward an intranet, you can use it for a public website by setting the Application Pool to run as a custom user that has a Windows logon to the SQL Server.
Related
How can I install Sitecore 7.1 using SQL Server windows credentials? It's asking for SQL Server Authentication but I have Windows Authentication.
There are 3 things you need to set to allow Sitecore using Windows Authentication while connection to MSSQL Server database:
Allow chosen user account on the SQL Server
Set Application Pool for your Web Application to use your chosen user account as Identity
Set Integrated Security=True in your ConnectionStrings.config file
You can not use Windows Domain Credentials with the Sitecore Installer unfortunately. It will only accept SQL Credentials. You have two ways around this limitation.
1) Use the Sitecore Installation program with a temporary SQL credential. Once the install is complete manually update the Application Pool Credentials to a Domain user and then update your ConnectionStrings.config file to remove the username and password fields and setting Integrated Security=True or Trusted_Connection=true in your connection string.
2) Manually install Sitecore with the ZIP of the site root (available on SDN) following the Sitecore Installation Guide found here -> http://sdn.sitecore.net/Reference/Sitecore%207/Installation%20Guide.aspx
Try Sitecore Instance Manager. When entering your SQL credentials, just uncheck the box labeled Use SQL Server Login.
I have the following scenario:
A web application deployed over an NLB and a SQL Cluster.
In the database each table has a trigger to track activities done by users.currently the triggers are saving HostName (which is not useful in case of such web deployment).
Connection to the db is impersonated with the account "SA", Is there a possible way to obtain the
connected user or the workstation sending the request inside SQL or I need to pass User Info into the db from withing the applications Code.
The DBMS is SQL and the web application is based on .NET framework
You need to pass in the user id from the code unless you set up Kerberos pass through to use Windows Authentication. That is out of scope for this answer.
More importantly, why are you running a web app using "sa" on the SQL cluster. This is idiocy. Use a "least privilege" windows service account to run your IIS App Pool and use this to connect to SQL Server.
I'm using IIS 6 in Server 2003 and SQL server 2008 which sits ona seperate box. Now i would like to connect using the Application pool identity of the website to SQL server.
But somehow whenever i display the identity in page_load method it always displays the windows account using which site was browsed. I have given the details below
Server : Windows Server 2003
Database : SQL server 2008 . Web server and DB sit on different machines.
WebSite : Uses a custom app pool that runs using a custom domain account. Website has anonymous disabled and windows authentication enabled. Impersonation is not enabled in web.config.
I'm displaying the credentials using the below code :
Response.Write(HttpContext.Current.User.Identity.Name.ToString());
WindowsIdentity id = WindowsIdentity.GetCurrent();
Response.Write(id.Name);
Now i need a way of using the identity of app pool to connect to database. Please let me know how to do this. If i set the website anonymous account as the app pool identity everything works fine but i dont want to do that. Now authentication just flows as anonymous to the SQL server and it throws exception.
I'm not sure about IIS6, but in IIS8... In the advanced settings for the application pool in questions, there is an identity section. Set this to the windows credentials you want to use. Also set 'Load application profile' to true.
Then in your application, you just need to setup your connections string to use a trusted_connection instead of an SQL server username and password.
Just remember to set the windows account to have a password which never expires, unless you'll remember to update the app-pool when it does change (or the pool will stop.)
Dave
This sounds like you have Windows Authentication enabled and are using IE to connect to the site? In this case the Windows Identity is passed through to IIS.
I'm trying to migrate a legacy application we have to Windows Server 2008 x64 and IIS7. It's written in Classic ASP and connects to a SQL Server 2005 database.
However, when the page runs, I receive the error:
[Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
The connection string I'm using is: Driver=SQL Server; Server=SERVERNAME; Initial Catalog=DBNAME;
I can't see any reason for it to be using the anonymous logon as when it was running on my 32-bit Win2k3 server, it accessed the SQL Server using DOMAINNAME\SERVERNAME$.
I have the following settings.
SQL Server 2005 - running in mixed mode.
IIS7 Application Pool - Allow 32-bit applications set to True.
I've also added the server as a user on the SQL Server.
I've tried a few things now and I'm starting to run out of ideas.
There are some solutions.
use SQL authentication, instead of SSPI. It will work since your database is in mixed mode.
If for any reasons you won't change the authentication.
The NT AUTHORITY\ANONYMOUS LOGON is strange, by the way, just as if the database server and the app servers are not on the same domain. Please check this until proeding further.
1) Create an user in Active Directory
2) Create a application pool on IIS7 and as "Identity" , the user you've created
3) Grant this user the rights and roles you want on the DB
I think I've fixed it. Moving to Win2k8 means that I needed to change the connection string driver to SQL Native Client;.
Set the Anonymous Authentication credentials to be your Application Pool Identity.
(default is Specific User --> IIS User). Then you can use a Trusted Connection in your connection string as it will now use the AppPoolIdentity account.
Well, that failed login attempt is a classic example of code running under the "Local Service" account, rather than (what you had on Win2K3), where it was running under the "Network Service" account. Now you just need to find where that setting is.
For either the OP or future readers, you can:
1) Either use a dedicated service account, as suggested by Johan above, or
2) Use the AppPoolIdentity account and go to "Authentication", then select "Windows Authentication" and enable "ASP .NET Impersonation".
If you still get the same result after #2, you likely have the "double hop" issue cited by Damien - this is where the web server can authenticate you, but it does not allow you to pass those credentials on to the database for security reasons without using Kerberos. You would then need to set the server as "Trusted for Delegation" in AD and set up Kerberos as the authentication provider in IIS. This site helps with that: http://technet.microsoft.com/en-us/library/ee675779.aspx
I am using IIS 6.0 on Windows 2003 in a workgroup, and have created a web which runs in its own pool to connect to a Sqlserver 2005 Analysis Services database using msmdpump.dll. I have set the pool up with its own identity, but when I look on the Analysis Services server using Sqlserver Profiler, I can see that the requests are being made, but not with the Pool identity. They are using the identity of the user signed into the web server.
If you have impersonation turned on in the web app the app will work as the impersonated user not as the app pool identity. Here's a bit about this.