I'm trying to connect a web forms application to an SSAS Cube. The app is using web forms authentication and it is using web roles in Azure. The SSAS cube is on a Virtual Machine within Azure. There is no domain installed. The web app is using GrapeCity's Active Analysis control. When running the app i get the error "An existing connection was forcibly closed by the remote host". While profiling on the server I get an "Anonymous Logon" attempt.
How can I set this up?
SSAS uses Windows authentication only, so either:
1) You somehow get your web app's application pool to run under a windows account that can access the cube box (Sounds unlikely).
2) You have your application pool run under a windows account and create a windows account with the same username/password on the cube box, and assign it the permissions (Used to work, I think it still does).
3) You allow Anonymous Logon read permissions to your cube. I know you can do this at the server level (Dev enviroments..), I haven't tried it at the cube role level.
These are the ones I know of, best of luck.
EDIT: Sorry, thought I'd forgotten one, there is basic authentication if you add IIS as an extra layer, you have to set it up to go via the MSDMPump.dll, full explanation here: http://msdn.microsoft.com/en-us/library/gg492140.aspx
Related
Is there a way how to restrict access to SSAS Cube by application?
I would like to have access only from "my application" and restrict all other application, like Excel.
Maybe add some special key in to connection string and then deny all connections without it on windows firewall? (but I can't find if this is possible, its just an idea)
Thank you.
n-tier architecture
Client Apps <== HTTP WS ==> Server Apps <=> SSAS
access to SSAS - only on the local network (from Server Apps).
The client application accesses the Server only through web-services
I have a sharepoint 2010 portal with some dashboards and reports. No I have a permission problem, because I cannot view these reports.
I would like to have a look in Reporting Services Configuration Manager, but I cannot connect to the server where sharepoint and SQL server is installed. I enter the server name and press on find. It gives me the following error:
Unable to connect to the Report Server MYSERVERNAME.
By the way, I try to fix this problem:
AccessDeniedException: The permissions granted to user
'Mydomain\MyUserAccount' are insufficient for performing this
operation.
First off, you probably want to be using SharePoint Central Administration, not RS Configuration Manager. Also, RS Configuration Manager isn't where you'd manage access to report objects.
That said:
Try remoting into the host machine and running the tool locally on the server.
Ensure the proper ports are open for you to be connecting remotely (and that they SHOULD be open - there are very valid security reasons to block them)
Are you 100% certain you're connecting to the right address? Is it possible the SSRS service itself is on a different machine than the Sharepoint service and the SQL server?
Is there any way so IIS could connect to LocalDB without using the NT SERVICE\NETWORK SERVICE user account.
This account has not suitable permissions. I'm looking use some other default account or is there some way that I can use the NETWORK SERVICE account without changing permissions?
You should use Shared Instances feature of LocalDB. These two posts on Using LocalDB with Full IIS should give you more information. Especially the second part seems relevant, but the first one contains some context as well.
(note: the original links are no longer available, using archive.org instead)
Part 1: User Profile
Part 2: Instance Ownership
Original (non-working as of March 2019) links:
Part 1: User Profile
Part 2: Instance Ownership
In case the links disappear again, I am copy-pasting solutions from the article for easier access:
Post 1:
The problem we're facing is that the user profile needs to be loaded. That shouldn't be hard since each IIS Application Pool has an option called Load User Profile that can be found in Advanced Settings section. Unfortunately things got slightly more complicated in Service Pack 1 for Windows 7. As described in KB 2547655 enabling loadUserProfile is not enough to fully load user profile, we also need to enable setProfileEnvironment. This requires editing applicationHost.config file which is usually located in C:\Windows\System32\inetsrv\config. Following the instructions from KB 2547655 we should enable both flags for Application Pool ASP.NET v4.0, like this:
<add name="ASP.NET v4.0" autoStart="true" managedRuntimeVersion="v4.0" managedPipelineMode="Integrated">
<processModel identityType="ApplicationPoolIdentity" loadUserProfile="true" setProfileEnvironment="true" />
</add>
Having completed that we restart the Application Pool to make sure the new settings are applied and run our Web Application again.
Note from my side: Just find "applicationPools" tag in that applicationHost file and update those two variables to true, so it looks like this:
<processModel identityType="ApplicationPoolIdentity" loadUserProfile="true" setProfileEnvironment="true" />
That's it, save the file and restart IIS pool.
Post 2:
The Problem of the Private Instance
As we can see we are facing the following error:
System.Data.SqlClient.SqlException: Cannot open database "OldFashionedDB" requested by the login. The login failed.
Login failed for user 'IIS APPPOOL\ASP.NET v4.0'.
This time the error is quite clear. LocalDB was started and the Web Application was able to connect to it, but the connection was then terminated due to login failure. The ApplicationPoolIdentity account for the IIS application pool (in this case IIS APPPOOL\ASP.NET v4.0) couldn't login to LocalDB instance because the database specified in the connection string (OldFashionedDB) wasn't found. How odd, since connecting from Visual Studio with the same connection string succeeds!
How is it possible that Visual Studio connects to LocalDB just fine, while the connection from Web Application fails? In both cases the connection string is the following:
Data Source=(localdb)\v11.0;Initial Catalog=OldFashionedDB;Integrated Security=True
The answer is that there are two different LocalDB instances here. Unlike SQL Server Express instances, which are running as Windows services, LocalDB instances are running as user processes. When different Windows users are connecting to LocalDB, they will end up with different LocalDB processes started for each of them. When we connect to (localdb)\v11.0 from Visual Studio, a LocalDB instance is started for us and runs as our Windows account. But when Web Application, running in IIS as ApplicationPoolIdentity, is connecting to LocalDB, another LocalDB instance is started for it and is running as ApplicationPoolIdentity! In effect, even though both Visual Studio and Web Application are using the same LocalDB connection string, they are connecting to different LocalDB instances. Obviously the database created from Visual Studio on our LocalDB instance will not be available in Web Application's LocalDB instance.
A good analogy to this is My Documents folder in Windows. Say we open Visual Studio and create a file in our My Documents folder. Then we login to the same machine as a different user and go to My Documents folder again. We won't find the file there as My Documents of the second user and our My Documents are two different folders. Similarly LocalDB instances (localdb)\v11.0 owned by two different users are two different processes with two different sets of databases.
This is also the reason the Web Application was able to connect to LocalDB from IIS Express. Just like LocalDB, IIS Express is a user process. It is started by Visual Studio and runs as the same Windows account as the Visual Studio process. Two different processes running as the same Windows account (Visual Studio and IIS Express, both running as our Windows account) connecting to (localdb)\v11.0 are connecting to the same LocalDB process, also started as the same Windows account.
Possible Solutions
Understanding the nature of the problem brings multiple approaches to solving it. As different approaches have different tradeoffs, instead of prescribing one solution, below I presented three approaches that seem most viable to me. My hope is to hear from you about the one that worked best for you! Here is the list:
Approach 1: Run IIS as our Windows user
Approach 2: Use LocalDB Shared Instance
Approach 3: Use full SQL Server Express
Let's take a closer look at each of them.
Approach 1: Run IIS as our Windows user
If different user accounts are the problem, why not try to run our Web Application under our Windows account? Web Application would connect to the same LocalDB as Visual Studio and everything should just work.
Making the configuration change is relatively easy, just start IIS Manager and find the right Application Pool:
Open Advanced Settings screen (available in the context menu):
Click the little button in the Identity property to bring up the Application Pool Identity screen:
Starting the Web Application again will confirm that the problem is solved:
What are the drawbacks of this approach? Of course running Web Application under our account brings certain security risks. If someone hijacks our Web Application they will be able to access all system resources our account can. Running the Web Application as ApplicationPoolIdentity provides additional protection since ApplicationPoolIdentity accounts have very limited access to local system resources. Therefore I cannot recommend this approach in general, but when used with care it is a viable option in some cases.
Approach 2: Use LocalDB Shared Instance
We could also use an instance sharing feature of LocalDB. It allows us to share a LocalDB instance with other users on the same machine. The shared instance will be accessible under a public name.
The easiest way of sharing an instance is to use SqlLocalDB.exe utility. Just start an administrative command line prompt, and type the following command:
sqllocaldb share v11.0 IIS_DB
It will share the private LocalDB instance v11.0 under the public name IIS_DB. All users on the machine will be able to connect to this instance, using (localdb).\IIS_DB as a server address. Note the . before the instance name, indicating this is a shared instance name. We should replace the connection string in our Web Application with an updated one:
Data Source=(localdb)\.\IIS_DB;Initial Catalog=OldFashionedDB;Integrated Security=True
Before the shared instance can be used by the Web Application we need to start it and create logins for the ApplicationPoolIdentity. Starting the instance is easy, simply connecting to it from SQL Server Object Explorer will start it and keep it alive. Once we are in the SQL Server Object Explorer we can also create the login for ApplicationPoolIdentity. We could use the following query:
create login [IIS APPPOOL\ASP.NET v4.0] from windows;
exec sp_addsrvrolemember N'IIS APPPOOL\ASP.NET v4.0', sysadmin
This script gives full administrative access to our LocalDB instance to the ApplicationPoolIdentity account. Whenever possible, I would recommend using more limited, database-level or even table-level permissions.
Now we can run our Web Application again. This time it should work just fine:
What are the drawbacks of this approach? The main one is that, before Web Application can connect to the shared instance, we need to make sure the instance is started. For that to happen the Windows account that owns the instance must connect to it and the connection must be kept open, or the LocalDB instance will shut down.
Approach 3: Use full SQL Server Express
Since full IIS runs as a service, maybe using traditional, service-based SQL Server Express is the right approach? We could just install SQL Server 2012 Express RC0 and create the OldFashionedDB database in it. We can even use our brand new SQL Server Data Tools to do it, as it works with any SQL Server version and edition. Our connection string would have to change to:
Data Source=.\SQLEXPRESS;Initial Catalog=OldFashionedDB;Integrated Security=True
Of course, just as in the previous case, we would need to make sure the ApplicationPoolIdentity account has access to our SQL Server Express instance. We can use the same script as previously:
create login [IIS APPPOOL\ASP.NET v4.0] from windows;
exec sp_addsrvrolemember N'IIS APPPOOL\ASP.NET v4.0', sysadmin
After that, running our Web Application brings the happy picture again:
What are the drawbacks of this approach? Obviously we lose the benefits of using LocalDB. Installing SQL Server Express may take more time than LocalDB, and there may be some machine cleanup necessary for it to succeed. SQL Server Express Setup can be blocked by problems like corrupt WMI database, polluted registry or components left by SQL Server or Visual Studio CTPs and Betas. And SQL Server Express will continue running in the background even when not needed, as services do.
Other options
There are other approaches of using LocalDB under full IIS that are not covered here. We could embrace the Web Application's private LocalDB instance and communicate with it through the Web Application by executing T-SQL scripts from ASP.NET code. We could also use AttachDbFileName option of ADO.NET connection strings and use a database file (.mdf) that would be attached to both our LocalDB during development and Web Application's LocalDB for debugging. I tried both I found them too cumbersome to discuss further.
Based on the answer from #KrzysztofKozielczyk.
I originally posted an answer here:
https://stackoverflow.com/a/62810876/3850405
After following this I verified that Load User Profile was set to true for my Application Pool and then set setProfileEnvironment to true in applicationHost.config. I did the last part by editing applicationHost.config located at:
C:\Windows\System32\inetsrv\config\applicationHost.config
I'm working through some WCF examples in "Windows Communication Foundation 4 Step By Step". My resulting application runs fine as long as the service is hosted in casini. It fails when I deploy the service to local IIS. When deployed to IIS, I can browse to the svc page in IE. That works.
According to the book, page 41, the app pool account needs to be a member of the db_owner role in my database. The author suggests, after verifying the correct address of the service (already did that), checking the permissions of the app pool account.
How do I verify which account is used by the application pool hosting my WCF service? Currently using the default app pool and IIS APPPOOL\DefaultAppPool is in the db_owner role. IIS APPPOOL\ASP.NET v4.0 is also in the db_owner role.
The exception is...
System.Data.SqlClient.SqlException: Login failed for user 'IIS APPPOOL\DefaultAppPool'.
How do I troubleshoot this issue? Thanks!
Solution found here:
Open IIS
double click your PC name under Connections
Click Application Pools
Select your app pool (DefaultAppPool)
Then under actions on the right click Advanced Settings,
Go to Process Model section and
click on Identity.
Now select NetworkService.
I had the same problem. Issue was that I had "IntegratedSecurity=True;" in my connection string but I was using sql authentication and passing in credentials at the same time. I removed the IntegratedSecurity piece and everything worked.
First thing you need to clear if you are using windows authentication and you are not mentioning any username password in your connection string then:
What happens when you run your code through localhost:
when you run your wcf test client from localhost, it will be able to communicate to database as local debug mode application is calling database by your account's service. So it has access to database because devenv.exe is running under your user account.
But when you deploy your web service in IIS. Now understand this service runs under IIS not under your account. So you need to assign access rights to IIS service to access the sql server for windows authentication.
Here your web service would not be able to communicate to the SQL server because of access rights issue.
So if you are using windows authentication to connect your database, you just have to change the IIS Application pool settings.
You need to change IIS Application pool's identity to local System.
Below are the Steps for windows authentication WCF:
•Open IIS (windows+R (run) then type inetmgr, then click ok)
•double click your PC name under Connections
•Click Application Pools
•Select your app pool (DefaultAppPool)
•Then under actions on the right click Advanced Settings:
•Go to Process Model section and
•click on Identity.
•Now select LocalSystem.
Now open your sql server management studio:
open run-> then type ssms then press ok
in ssms, login using your windows authentication account.
open security tab
expand logins tab
then you will be able to view your account.
Now open properties of your account
go to userMapping
then select the database you want to connect
then check the role membership services you want to use for the selected database
click ok.
add Trusted_Connection=True; property in your connection string.
Save it & deploy the web service.
Restart app pool.
you will be able to connect the database now.
if not exists
(select * from sys.server_principals where name='IIS APPPOOL\DefaultAppPool')
create login [IIS APPPOOL\DefaultAppPool] from windows;
So I am new to working on web projects in general. I am working on an MVC application in Visual Studio 2008. I have generated an SQL database within VS, and I have deployed my application on IIS. However when I try to do anything in the application which will spark an SQL query, I get the following error:
"Failed to generate a user instance of SQL Server due to failure in retrieving the user's local application data path. Please make sure the user has a local user profile on the computer. The connection will be closed."
I have hit google on this problem, and people have suggested a number of solutions but I am unsure how many of them are relevant to me doing this when I'm doing this in VS2008,. I have tried a few simple things suggested like setting the trust level to full, and setting the Load User Profile to true in IIS, but no luck yet.
What edition of SQL are you running where you deployed the application to? If it is not SQL Express, you will need to remove "User Instance=True" from the connection string.