I'm trying to migrate a legacy application we have to Windows Server 2008 x64 and IIS7. It's written in Classic ASP and connects to a SQL Server 2005 database.
However, when the page runs, I receive the error:
[Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
The connection string I'm using is: Driver=SQL Server; Server=SERVERNAME; Initial Catalog=DBNAME;
I can't see any reason for it to be using the anonymous logon as when it was running on my 32-bit Win2k3 server, it accessed the SQL Server using DOMAINNAME\SERVERNAME$.
I have the following settings.
SQL Server 2005 - running in mixed mode.
IIS7 Application Pool - Allow 32-bit applications set to True.
I've also added the server as a user on the SQL Server.
I've tried a few things now and I'm starting to run out of ideas.
There are some solutions.
use SQL authentication, instead of SSPI. It will work since your database is in mixed mode.
If for any reasons you won't change the authentication.
The NT AUTHORITY\ANONYMOUS LOGON is strange, by the way, just as if the database server and the app servers are not on the same domain. Please check this until proeding further.
1) Create an user in Active Directory
2) Create a application pool on IIS7 and as "Identity" , the user you've created
3) Grant this user the rights and roles you want on the DB
I think I've fixed it. Moving to Win2k8 means that I needed to change the connection string driver to SQL Native Client;.
Set the Anonymous Authentication credentials to be your Application Pool Identity.
(default is Specific User --> IIS User). Then you can use a Trusted Connection in your connection string as it will now use the AppPoolIdentity account.
Well, that failed login attempt is a classic example of code running under the "Local Service" account, rather than (what you had on Win2K3), where it was running under the "Network Service" account. Now you just need to find where that setting is.
For either the OP or future readers, you can:
1) Either use a dedicated service account, as suggested by Johan above, or
2) Use the AppPoolIdentity account and go to "Authentication", then select "Windows Authentication" and enable "ASP .NET Impersonation".
If you still get the same result after #2, you likely have the "double hop" issue cited by Damien - this is where the web server can authenticate you, but it does not allow you to pass those credentials on to the database for security reasons without using Kerberos. You would then need to set the server as "Trusted for Delegation" in AD and set up Kerberos as the authentication provider in IIS. This site helps with that: http://technet.microsoft.com/en-us/library/ee675779.aspx
Related
this is for the purpose of cutting an asp.net web application over from using an sql server authentication connection string to using a windows authentication connection string.
See How to: Access SQL Server Using Windows Integrated Security.
If your application runs on a Windows-based intranet, you might be able to use Windows integrated authentication for database access. Integrated security uses the current Windows identity established on the operating system thread to access the SQL Server database. You can then map the Windows identity to a SQL Server database and permissions.
To connect to SQL Server using Windows integrated authentication, you must identify the Windows identity under which your ASP.NET application is running. You must also be sure that the identity has been granted access to the SQL Server database. This topic includes a code example that displays the current Windows identity of the ASP.NET application.
As well as the application of this toward an intranet, you can use it for a public website by setting the Application Pool to run as a custom user that has a Windows logon to the SQL Server.
I am doing merge replication between SQL Server CE, 3.5 SP2 and SQL Server 2012 via IIS / Websync. Everything works perfectly when I use DB Authentication to connect with the publisher. If I switch it to NT Authentication, I get the following error in my script:
Initializing SQL Server Reconciler has failed. Try again.
...and the following error is logged on the IIS server sync log:
Command=SYNC Hr=00004818 Login failed for user 'domain\user. 18456
The reason I am trying to change this is because (and correct me if i'm wrong) I don't want to store the credentials in my sync script (powershell). I was hoping that if I was using NT authentication, it would use the credentials this script is running under in task scheduler - or whoever is running it manually. Basically, that is my goal - however it can be achieved - to not store creds in the script.
To use Windows authentication, you must use Basic auth on the IIS Server (maybe protect with SSL), but the client must suply a Windows username and password. You can then set PublisherSecurityMode to NTAuthentication and the Windows account wil then log on to the database server. So you must either store creds in the script or prompt the person running the script for credentials, and then set InternetLogin and InternetPassword properties accordingly.
The only way I got this to work is when I ran the wizard and chose "anonymous" for web access. Only then was I prompted to put in credentials which will be used for NT Auth (stored on the web server). This means that all clients connect anonymously and use the same creds for SQL. They cannot each have their own SQL credentials. They can, however, each have their own IIS credentials.
I'm using IIS 6 in Server 2003 and SQL server 2008 which sits ona seperate box. Now i would like to connect using the Application pool identity of the website to SQL server.
But somehow whenever i display the identity in page_load method it always displays the windows account using which site was browsed. I have given the details below
Server : Windows Server 2003
Database : SQL server 2008 . Web server and DB sit on different machines.
WebSite : Uses a custom app pool that runs using a custom domain account. Website has anonymous disabled and windows authentication enabled. Impersonation is not enabled in web.config.
I'm displaying the credentials using the below code :
Response.Write(HttpContext.Current.User.Identity.Name.ToString());
WindowsIdentity id = WindowsIdentity.GetCurrent();
Response.Write(id.Name);
Now i need a way of using the identity of app pool to connect to database. Please let me know how to do this. If i set the website anonymous account as the app pool identity everything works fine but i dont want to do that. Now authentication just flows as anonymous to the SQL server and it throws exception.
I'm not sure about IIS6, but in IIS8... In the advanced settings for the application pool in questions, there is an identity section. Set this to the windows credentials you want to use. Also set 'Load application profile' to true.
Then in your application, you just need to setup your connections string to use a trusted_connection instead of an SQL server username and password.
Just remember to set the windows account to have a password which never expires, unless you'll remember to update the app-pool when it does change (or the pool will stop.)
Dave
This sounds like you have Windows Authentication enabled and are using IE to connect to the site? In this case the Windows Identity is passed through to IIS.
I have a timeclock database setup on a Windows 2008 server, SQL Server. It has been working for MONTHS. Today, all of a sudden, it seems like some peoples' logins are working and some peoples' logins are not working.
SQL authentication works fine, however the Windows authentication is not working. I checked the log files and it seems like SQL Server 2008 is just not liking the passwords!
Does anyone know what could be going on here?
Windows auth relies on the SIDs contained in the login token generated when folk log in to Windows: not the actual windows password or even username
If it's failing, then you have issues witg Active Directory or some underpinnings such as Kerberos.
Saying that, there are some common issue I've seen over time:_
password changes: invalidate the login token in some circumstances. If you have a policy for password changes then simply sking folk to lock/unlcok their PCs will cause a "re-login" against AD
use FQDN + port: If you use named instance, the client must query port 1434 to get the actual port of the instance. If you have a lot of firewalls or remote clients then sometimes this handshake fails. IIRC something to do with Kerberos. We found using server.domain.tld\instance, port fixed all our issues (I'm talking USA or Hong Kong to Europe based server)
You may solve this problem by assigning user rights to the user: "NT AUTHORITY\SYSTEM".
Follow these steps:
Open "SQL Server Management Studio".
Open "Security, and then Logins".
Rightclick on user: "NT AUTHORITY\SYSTEM >> Properties".
Select "Server Roles" tab, and check the "sysadmin" server role.
You are done.
u can also try right click on the user u wanna grant the privilegies and click on all of them in server roles
I just created a new database in "Microsoft SQL Server Management Studio Express" and now I'm in "ColdFusion Administrator" and I'm trying to add my database as a Data Source. How do I do that? I believe the servername is .\SQLEXPRESS but I'm not sure what the default username and password are. I've tried creating a new login through Management Studio with an actual username and password, but those aren't working either. The error I'm getting is:
Connection verification failed for data source: xxx
java.sql.SQLNonTransientConnectionException: [Macromedia][SQLServer JDBC Driver]The requested instance is either invalid or not running.
The root cause was that: java.sql.SQLNonTransientConnectionException: [Macromedia][SQLServer JDBC Driver]The requested instance is either invalid or not running.
I can see that the service is running, and I can connect to it through management studio. I've tried following a couple tutorials online, but they don't seem to be working for me. Ideas?
Server name can be any resolvable hostname or domain name, in case of having SQL Server and CF server on same box localhost should work for you.
Also make sure that user you created has access to the particular database and needed operations. Look into the database permissions for this. This check is not required when using master account (often login is sa), but this is not recommended practice because of the security reasons.
Also make sure SQL Server and Windows Authentication mode is checked. I had an issue with permissions as well when I only had Windows Authentication enabled under:
right click on server (localhost) -> security
Then restart SQL Server Services to save changes. After that I was able to connect my ColdFusion datasource to SQL Server.
For testings sake use the same credentials that you are connected with in Management Studio, likely the "sa" user and password. Once you have it working with "sa" then go back into Management Studio and create an application level user for your CF app and then update the data source to use your new user / password.