I'm working through some WCF examples in "Windows Communication Foundation 4 Step By Step". My resulting application runs fine as long as the service is hosted in casini. It fails when I deploy the service to local IIS. When deployed to IIS, I can browse to the svc page in IE. That works.
According to the book, page 41, the app pool account needs to be a member of the db_owner role in my database. The author suggests, after verifying the correct address of the service (already did that), checking the permissions of the app pool account.
How do I verify which account is used by the application pool hosting my WCF service? Currently using the default app pool and IIS APPPOOL\DefaultAppPool is in the db_owner role. IIS APPPOOL\ASP.NET v4.0 is also in the db_owner role.
The exception is...
System.Data.SqlClient.SqlException: Login failed for user 'IIS APPPOOL\DefaultAppPool'.
How do I troubleshoot this issue? Thanks!
Solution found here:
Open IIS
double click your PC name under Connections
Click Application Pools
Select your app pool (DefaultAppPool)
Then under actions on the right click Advanced Settings,
Go to Process Model section and
click on Identity.
Now select NetworkService.
I had the same problem. Issue was that I had "IntegratedSecurity=True;" in my connection string but I was using sql authentication and passing in credentials at the same time. I removed the IntegratedSecurity piece and everything worked.
First thing you need to clear if you are using windows authentication and you are not mentioning any username password in your connection string then:
What happens when you run your code through localhost:
when you run your wcf test client from localhost, it will be able to communicate to database as local debug mode application is calling database by your account's service. So it has access to database because devenv.exe is running under your user account.
But when you deploy your web service in IIS. Now understand this service runs under IIS not under your account. So you need to assign access rights to IIS service to access the sql server for windows authentication.
Here your web service would not be able to communicate to the SQL server because of access rights issue.
So if you are using windows authentication to connect your database, you just have to change the IIS Application pool settings.
You need to change IIS Application pool's identity to local System.
Below are the Steps for windows authentication WCF:
•Open IIS (windows+R (run) then type inetmgr, then click ok)
•double click your PC name under Connections
•Click Application Pools
•Select your app pool (DefaultAppPool)
•Then under actions on the right click Advanced Settings:
•Go to Process Model section and
•click on Identity.
•Now select LocalSystem.
Now open your sql server management studio:
open run-> then type ssms then press ok
in ssms, login using your windows authentication account.
open security tab
expand logins tab
then you will be able to view your account.
Now open properties of your account
go to userMapping
then select the database you want to connect
then check the role membership services you want to use for the selected database
click ok.
add Trusted_Connection=True; property in your connection string.
Save it & deploy the web service.
Restart app pool.
you will be able to connect the database now.
if not exists
(select * from sys.server_principals where name='IIS APPPOOL\DefaultAppPool')
create login [IIS APPPOOL\DefaultAppPool] from windows;
Related
I am trying to web deploy a Asp.Net Core 2 project through plesk.
My plesk version is;
Plesk Onyx
Version 17.8.11 Update #6
IIS 8.5.9600
I have also followed the guide and added web deploy to the server;
Plesk Web Deploy Guide
However, when I go to publish my website i get the following error;
Web deployment task failed. (Connected to 'www.domain.co.uk' using the Web Deployment Agent Service, but could not authorize. Make sure you are an administrator on 'www.domain.co.uk'. Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_USER_NOT_ADMIN.)
Make sure the site name, user name, and password are correct. If the issue is not resolved, please contact your local or server administrator.
Error details:
Connected to 'domain' using the Web Deployment Agent Service, but could not authorize. Make sure you are an administrator on 'www.domain.co.uk'. Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_USER_NOT_ADMIN.
The remote server returned an error: (401) Unauthorized.
Now I have tried the admin login for the plesk portal and I still get this message?
How and where do I add user privileges (just for this site) to allow the web deploy to work?
UPDATE
I have gone to subscriptions -> selected the subscription -> users, create a new user for this and then added a new administrator user her. But again when I try to run the web deploy through visual studio I am getting the same error (the user is definitely in the admin role).
Double Hop Delegation: Error retrieving for user IIS APPPOOL. The underlying provider failed on Open. Login failed for user 'Domain\WebVM$'.
I'm setting up a IIS VM server to access a separate SQL Server VM, both machines running Windows Server 2016 and running on intranet. We're using windows authentication, and attemping to impersonate users through the machine account on IIS VM server machine. We are building / deploying MVC IIS bits using ASP.NET Core.
I'm hitting the above (machine account login) error after having configured everything I can think of and referred to several postings. I've configured the following main items:
Web Site setup with Windows Authentication, and ASP.NET Impersonation enabled, all other auth types disabled.
Web Site Config Editor set "system.webServer/security/authentication/windowsAuthentication" : useKernelMode to True
App Pool running .NET CLR Version "No Managed Code"
App Pool using Classic Managed Pipeline Mode
App Pool running as ApplicationPoolIdentity
Confirmed HOST SPN registered for IIS VM machine account in AD (with setspn -L IISVMServer)
Confirmed HOST SPN registered for SQL Server VM machine account in AD
Confirmed ServiceClass/Host:Port registered for SQL Server VM in AD
Registered SPN for IIS server machine account "Trust this computer for delegation to any service (Kerberos only)
Plan to lock down to constrained delegation after getting unconstrained delegation working
Tried running with / without web.config : "system.web identity impersonate="true" /system.web"
I previously posted Kerberos Double Hop Delegation with ASP.NET Core (4.5.2) which is indirectly related to this posting.
thanks, dave
I am trying to publish a Light Switch 2012 application as Web Application from Windows 7 PC to Windows 2003 IIS server, .Net Framework 4.0
The publish Summary as follows
Application Name - User Test
Application Version - 1.0.6.0
Application Type : Browser
Application Server : IIS Server
Authentication : Windows Authentication
Database : Do not publish
Error details while publishing with the option "IIS server has lightswitch deployment prerequisites installed".
============================================================================
102 Web deployment task failed. (15/04/2014 16:24:51) An error occurred when the request was processed on the remote computer.)
(15/04/2014 16:24:51) An error occurred when the request was processed on the remote computer. The entry type 'unknown' was not expected at this time. The serialization stream may be corrupted.
When published without the option "IIS server has lightswitch deployment prerequisites installed".
the applications publishes successfully, But when the application is accessed from Browser it says authentication error.
I have searched a number of blogs with the same issue, but none have answered.
Any help will be highly appreciated.
From the errors you can conclude :
Your server does not have lightswitch deployment prerequisites installed.
There is a problem with authentication.
You must further investigate what authentication problem occurs. As the question is now, there is no way to guess what the problem is.
I would suggest the following steps to workaround the authentication error.
Keep the option in the publish wizard i.e "IIS server has lightswitch deployment prerequisites installed". and
1.In publish wizard choose the option "Yes,Create an application
Administrator" and mention your login credentials.
2.Make sure you have rights on the database that you supplied while deploying
the application. for example I use "sa" account to deploy the
database.
3.In webconfig file, makesure you are the admin to the app.
/* !-- If no admin user exists, create an admin user with this user name->
add key="Microsoft.LightSwitch.Admin.UserName" value="DOMAIN\EMPID" />
*/
4. Assuming If you are able to deploy the application with no errors and still get the get authentication info or load error, check the table called [dbo].[aspnet_Applications] in the deployed database and makesure
your app name mentioned in the table data.If not the issue is with
database permissions.
5.Makesure your UserID shown up in the table [dbo].[aspnet_Users]
Hope this information helpful :)
I'm trying to connect a web forms application to an SSAS Cube. The app is using web forms authentication and it is using web roles in Azure. The SSAS cube is on a Virtual Machine within Azure. There is no domain installed. The web app is using GrapeCity's Active Analysis control. When running the app i get the error "An existing connection was forcibly closed by the remote host". While profiling on the server I get an "Anonymous Logon" attempt.
How can I set this up?
SSAS uses Windows authentication only, so either:
1) You somehow get your web app's application pool to run under a windows account that can access the cube box (Sounds unlikely).
2) You have your application pool run under a windows account and create a windows account with the same username/password on the cube box, and assign it the permissions (Used to work, I think it still does).
3) You allow Anonymous Logon read permissions to your cube. I know you can do this at the server level (Dev enviroments..), I haven't tried it at the cube role level.
These are the ones I know of, best of luck.
EDIT: Sorry, thought I'd forgotten one, there is basic authentication if you add IIS as an extra layer, you have to set it up to go via the MSDMPump.dll, full explanation here: http://msdn.microsoft.com/en-us/library/gg492140.aspx
I'm using IIS 6 in Server 2003 and SQL server 2008 which sits ona seperate box. Now i would like to connect using the Application pool identity of the website to SQL server.
But somehow whenever i display the identity in page_load method it always displays the windows account using which site was browsed. I have given the details below
Server : Windows Server 2003
Database : SQL server 2008 . Web server and DB sit on different machines.
WebSite : Uses a custom app pool that runs using a custom domain account. Website has anonymous disabled and windows authentication enabled. Impersonation is not enabled in web.config.
I'm displaying the credentials using the below code :
Response.Write(HttpContext.Current.User.Identity.Name.ToString());
WindowsIdentity id = WindowsIdentity.GetCurrent();
Response.Write(id.Name);
Now i need a way of using the identity of app pool to connect to database. Please let me know how to do this. If i set the website anonymous account as the app pool identity everything works fine but i dont want to do that. Now authentication just flows as anonymous to the SQL server and it throws exception.
I'm not sure about IIS6, but in IIS8... In the advanced settings for the application pool in questions, there is an identity section. Set this to the windows credentials you want to use. Also set 'Load application profile' to true.
Then in your application, you just need to setup your connections string to use a trusted_connection instead of an SQL server username and password.
Just remember to set the windows account to have a password which never expires, unless you'll remember to update the app-pool when it does change (or the pool will stop.)
Dave
This sounds like you have Windows Authentication enabled and are using IE to connect to the site? In this case the Windows Identity is passed through to IIS.