I am using IIS 6.0 on Windows 2003 in a workgroup, and have created a web which runs in its own pool to connect to a Sqlserver 2005 Analysis Services database using msmdpump.dll. I have set the pool up with its own identity, but when I look on the Analysis Services server using Sqlserver Profiler, I can see that the requests are being made, but not with the Pool identity. They are using the identity of the user signed into the web server.
If you have impersonation turned on in the web app the app will work as the impersonated user not as the app pool identity. Here's a bit about this.
Related
Double Hop Delegation: Error retrieving for user IIS APPPOOL. The underlying provider failed on Open. Login failed for user 'Domain\WebVM$'.
I'm setting up a IIS VM server to access a separate SQL Server VM, both machines running Windows Server 2016 and running on intranet. We're using windows authentication, and attemping to impersonate users through the machine account on IIS VM server machine. We are building / deploying MVC IIS bits using ASP.NET Core.
I'm hitting the above (machine account login) error after having configured everything I can think of and referred to several postings. I've configured the following main items:
Web Site setup with Windows Authentication, and ASP.NET Impersonation enabled, all other auth types disabled.
Web Site Config Editor set "system.webServer/security/authentication/windowsAuthentication" : useKernelMode to True
App Pool running .NET CLR Version "No Managed Code"
App Pool using Classic Managed Pipeline Mode
App Pool running as ApplicationPoolIdentity
Confirmed HOST SPN registered for IIS VM machine account in AD (with setspn -L IISVMServer)
Confirmed HOST SPN registered for SQL Server VM machine account in AD
Confirmed ServiceClass/Host:Port registered for SQL Server VM in AD
Registered SPN for IIS server machine account "Trust this computer for delegation to any service (Kerberos only)
Plan to lock down to constrained delegation after getting unconstrained delegation working
Tried running with / without web.config : "system.web identity impersonate="true" /system.web"
I previously posted Kerberos Double Hop Delegation with ASP.NET Core (4.5.2) which is indirectly related to this posting.
thanks, dave
this is for the purpose of cutting an asp.net web application over from using an sql server authentication connection string to using a windows authentication connection string.
See How to: Access SQL Server Using Windows Integrated Security.
If your application runs on a Windows-based intranet, you might be able to use Windows integrated authentication for database access. Integrated security uses the current Windows identity established on the operating system thread to access the SQL Server database. You can then map the Windows identity to a SQL Server database and permissions.
To connect to SQL Server using Windows integrated authentication, you must identify the Windows identity under which your ASP.NET application is running. You must also be sure that the identity has been granted access to the SQL Server database. This topic includes a code example that displays the current Windows identity of the ASP.NET application.
As well as the application of this toward an intranet, you can use it for a public website by setting the Application Pool to run as a custom user that has a Windows logon to the SQL Server.
Dot net 4.0
IIS7
WCF app
SQL 2005 standard
App is hosted on server1 , db is hosted on server2.
Application pool using .4.0 integrated as opposed to classic.
When browsing to site i see NT AUTHORITY\ANONYMOUS LOGON.
Sorry, just figured it out.
Removed
Integrated Security=true
From web.config.
Appears the application pool identity was being passed to SQL server.
I'm working through some WCF examples in "Windows Communication Foundation 4 Step By Step". My resulting application runs fine as long as the service is hosted in casini. It fails when I deploy the service to local IIS. When deployed to IIS, I can browse to the svc page in IE. That works.
According to the book, page 41, the app pool account needs to be a member of the db_owner role in my database. The author suggests, after verifying the correct address of the service (already did that), checking the permissions of the app pool account.
How do I verify which account is used by the application pool hosting my WCF service? Currently using the default app pool and IIS APPPOOL\DefaultAppPool is in the db_owner role. IIS APPPOOL\ASP.NET v4.0 is also in the db_owner role.
The exception is...
System.Data.SqlClient.SqlException: Login failed for user 'IIS APPPOOL\DefaultAppPool'.
How do I troubleshoot this issue? Thanks!
Solution found here:
Open IIS
double click your PC name under Connections
Click Application Pools
Select your app pool (DefaultAppPool)
Then under actions on the right click Advanced Settings,
Go to Process Model section and
click on Identity.
Now select NetworkService.
I had the same problem. Issue was that I had "IntegratedSecurity=True;" in my connection string but I was using sql authentication and passing in credentials at the same time. I removed the IntegratedSecurity piece and everything worked.
First thing you need to clear if you are using windows authentication and you are not mentioning any username password in your connection string then:
What happens when you run your code through localhost:
when you run your wcf test client from localhost, it will be able to communicate to database as local debug mode application is calling database by your account's service. So it has access to database because devenv.exe is running under your user account.
But when you deploy your web service in IIS. Now understand this service runs under IIS not under your account. So you need to assign access rights to IIS service to access the sql server for windows authentication.
Here your web service would not be able to communicate to the SQL server because of access rights issue.
So if you are using windows authentication to connect your database, you just have to change the IIS Application pool settings.
You need to change IIS Application pool's identity to local System.
Below are the Steps for windows authentication WCF:
•Open IIS (windows+R (run) then type inetmgr, then click ok)
•double click your PC name under Connections
•Click Application Pools
•Select your app pool (DefaultAppPool)
•Then under actions on the right click Advanced Settings:
•Go to Process Model section and
•click on Identity.
•Now select LocalSystem.
Now open your sql server management studio:
open run-> then type ssms then press ok
in ssms, login using your windows authentication account.
open security tab
expand logins tab
then you will be able to view your account.
Now open properties of your account
go to userMapping
then select the database you want to connect
then check the role membership services you want to use for the selected database
click ok.
add Trusted_Connection=True; property in your connection string.
Save it & deploy the web service.
Restart app pool.
you will be able to connect the database now.
if not exists
(select * from sys.server_principals where name='IIS APPPOOL\DefaultAppPool')
create login [IIS APPPOOL\DefaultAppPool] from windows;
I'm using IIS 6 in Server 2003 and SQL server 2008 which sits ona seperate box. Now i would like to connect using the Application pool identity of the website to SQL server.
But somehow whenever i display the identity in page_load method it always displays the windows account using which site was browsed. I have given the details below
Server : Windows Server 2003
Database : SQL server 2008 . Web server and DB sit on different machines.
WebSite : Uses a custom app pool that runs using a custom domain account. Website has anonymous disabled and windows authentication enabled. Impersonation is not enabled in web.config.
I'm displaying the credentials using the below code :
Response.Write(HttpContext.Current.User.Identity.Name.ToString());
WindowsIdentity id = WindowsIdentity.GetCurrent();
Response.Write(id.Name);
Now i need a way of using the identity of app pool to connect to database. Please let me know how to do this. If i set the website anonymous account as the app pool identity everything works fine but i dont want to do that. Now authentication just flows as anonymous to the SQL server and it throws exception.
I'm not sure about IIS6, but in IIS8... In the advanced settings for the application pool in questions, there is an identity section. Set this to the windows credentials you want to use. Also set 'Load application profile' to true.
Then in your application, you just need to setup your connections string to use a trusted_connection instead of an SQL server username and password.
Just remember to set the windows account to have a password which never expires, unless you'll remember to update the app-pool when it does change (or the pool will stop.)
Dave
This sounds like you have Windows Authentication enabled and are using IE to connect to the site? In this case the Windows Identity is passed through to IIS.