I'm trying to make a post, from an asp classic server side page, using the user credentials...
I'm using msxml2.ServerXMLHTTP to programatically make the post
I've tried with several configurations in the IIS 5.1 site, but there's no way I can make IIS run with a specified account...
I made a little asp page that runs whoami to verify what account the iis process i using...
with IIS 5.1, using integrated security the process uses:
my_machine\IWAM_my_machine
I disable integrated security, and leave a domain account as anonymous access, and I get the same (¿?)
to test the user I do the following
private function whoami()
dim shell, cmd
set shell = createObject("wscript.shell")
set cmd = shell.exec( server.mapPath( "whoami.exe" ) )
whoami = cmd.stdOut.readAll()
set shell = nothing: set cmd = nothing
end function
is it because I'm issuing a shell command?
I'd like to make http post calls, to another site that works with integrated security...
So I need some way to pass the credentials, or at least to run with a specified account, and then configure the remote site to thrust that account...
I thought that just setting the site to work with integrated security would be enough...
How can I achieve such a thing?
ps: with IIS6,happens the same
but if I change the pool canfiguration I get the following info from whoami
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\SYSTEM
if I set a domain account, I get a "service unavailable" message...
edit: found this
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/275269ee-1b9f-4869-8d72-c9006b5bd659.mspx?mfr=true
it says what I supossed, "If an authenticated user makes a request, the thread token is based on the authenticated account of the user", but somehow I doesn't seem to work like that... what could I possibly be missing?
edit:
well the whoami thing is obviously fooling me, I tried with the following function
private function whoami_db( serverName, dbName )
dim conn, data
set conn = server.createObject("adodb.connection")
conn.open "Provider=SQLOLEDB.1;Integrated Security=SSPI;" & _
"Initial Catalog=" & dbName & ";Data Source=" & serverName
set data = conn.execute( "select suser_sname() as user_name" )
whoami_db = data("user_name")
data.close: conn.close
set data = nothing: set conn = nothing
end function
and everything seemed to be working fine...
but how can I make msxml2.ServerXMLHTTP work with the user credentials???
You are correct whoami.exe was confusing you. Launching a separate process caused the new process to run as the user of the current process. On XP that would be the COM+ application host (DLLHOST) and would normally run as IWAM_<machine>. On IIS6 it would the w3wp.exe work process and typically runs as NT AUTHORITY\Network Service.
However a thread processing a HTTP request will impersonate a different security token. With integrated security as you have discovered this would the security token of the user making the request, as your SSPI experiment bears out. With anonymous access the anonymous user configured on the site/application is used, this is typically <MACHINE>\IUSR_<machine>.
As to your specific problem with ServerXMLHTTP this goes back to the underlying component WinHTTP. This by default will only send the current users credentials if the server being accessed is the proxy bypass list. Even then it possible to the ServerXMLHTTP configures it to never send the user credentials, I've not test that scenario myself.
Unfortunately ServerXMLHTTP provides very limited access to the configuration details on WinHTTP. However if this is a show stopper then you could always use the WinHTTP component directly yourself:-
Dim oWinHTTP
Dim oDOM
Const AutoLogonPolicy_Always = 0
Set oWinHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")
oWinHTTP.SetAutoLogonPolicy AutoLogonPolicy_Always
oWinHTTP.Open "GET", "http://remoteserver.org/getsomexml.xxx", False
oWinHTTP.Send
If oWinHTTP.Status = 200 Then
Set oDOM = CreateObject("MSXML2.DOMDocument.3.0")
oDOM.async = false
oDOM.Load oWinHTTP.ResponseStream
End If
Set oWinHTTP = Nothing
That should work for http, for https it gets real messy.
Related
I have written a VB.NET application and created a setup file to install the same on the target machine. An ODBC connection is used to connect to SQL Server instance through a DSN.
My development computer used Integrated Security whereas the target computer uses SQL Authentication which requires me to hard code the credentials in the connection string while building the setup file.
I have previously looked up for solutions, but they require one to define the credentials every time the application is run. I have seen an application that requests the credentials the first time it is run or if the connection is unsuccessful, but unfortunately could not retrieve the source code for the same.
Any guidance on similar lines would be helpful.
Add application settings of string type with user scope for the user name and password, lets say username & userpass. Let the User save these values the first time they run your app. Then just incorporate the My.Settings.username and My.Settings.userpass into your connection string.
To save the settings:
My.Settings.username = txt_user.text
My.Settings.Save()
This way the user can change the username & password if required without you having to update your code.
This question already has answers here:
Windows authentication trusted connection not working
(3 answers)
Closed 6 years ago.
I wrote an SQL query which has to run on the server. To call that query I am using a VBScript which is stored on the server. When I run that script from the server, the script runs fine. But, when I run the VBScript from my local machine, I get an error stating that access was denied for the SQL script it is calling. I can't seem to figure it out. The following is the VBScript I am using:
dim dbconn, connect, ObjFSO
connect = "Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=DBName;Server=ServerName;Database=DBName;ID=USERID;Password=PASSWORD"
Set ObjFSO = CreateObject("Scripting.FileSystemObject")
Set dbconn = CreateObject("ADODB.Connection")
dbconn.Open connect
dbconn.execute ObjFSO.OpenTextFile("\\ServerName\FolderPath\FileName.sql").ReadAll,128
Set dbconn = Nothing
The error I get is:
Note: I do not get the error message seen in the image above, when I run the same VBScript from the server.
Is there a way to get this program to only run from the server where it is stored?
Am I just missing something really simple?
Perhaps you are logging into the server with one set of Windows credentials and logged into your desktop under a different username that doesn't have SQL access?
In any event, since the connection string you're using indicates SSPI security, it's going to try and use your Windows credentials to authenticate you, and completely ignore the username and password provided in the connection string.
Try something like this instead (see www.connectionstrings.com):
Provider=sqloledb;Data Source=myServerAddress;Initial Catalog=myDataBase;
User Id=myUsername;Password=myPassword;
The issue was with the user ID I was attempting to use. I made a new user ID which does not use a windows authentication to access the DB and boom, it works!
My webpages are on secured server (https), and I am trying to connect the SQL Server 2008 Database, which is normal server.
I am writing connectionstring on page itself, not in web.config file. And I am getting following error:-
System.Data.SqlClient.SqlException: Login failed.
The login is from an untrusted domain and cannot be used with Windows authentication.
Please help, how can I connect it, does I have to make some webservices for it.
my code is as below:
public void FillCity()
{
SqlConnection con = new SqlConnection();
con.ConnectionString = "integrated security=SSPI;data source=dev-fcb; user id=sa;password=password;"
+"persist security info=False;database=mediapro";
con.Open();
SqlDataAdapter da = new SqlDataAdapter();
da.SelectCommand = new SqlCommand("select * from StateCityMaster where IsActive='1' order by CityName", con);
DataSet ds = new DataSet();
da.Fill(ds);
string CityName = string.Empty;
if (ds.Tables[0].Rows.Count > 0)
{
CityName = ds.Tables[0].Rows[0]["CityName"].ToString();
}
DataSet dset = new DataSet();
da.Fill(dset);
if (dset.Tables[0].Rows.Count > 0)
{
drpCity.DataSource = dset;
drpCity.DataTextField = "CityName";
drpCity.DataValueField = "CityName";
drpCity.DataBind();
}
drpCity.Items.Insert(0, new ListItem("--Select--", "0"));
con.Close();
}
Your connection string is telling it to use integrated security SSPI, which will use the Windows credentials.
Set Integrated Security to false if you are going to be providing the username and password.
Also, consider putting your connection string inside of the web.config file - it is more secure and reusable.
From http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlconnection.connectionstring(v=VS.100).aspx:
When false, User ID and Password are specified in the connection. When true, the current Windows account credentials are used for authentication.
Recognized values are true, false, yes, no, and sspi (strongly recommended), which is equivalent to true.
If User ID and Password are specified and Integrated Security is set to true, the User ID and Password will be ignored and Integrated Security will be used.
I created a new Asp.Net Core MVC site and I had this same error. I was attempting to connect to my company's database while connected to the network via VPN. Here's what worked for me:
Instead of
"DevConnection": "Server=DevDBServer;Database=MyDatabase;User ID=some_userid;Password=some_password;Integrated Security=SSPI;Trusted_Connection=True;"
I used
"DevConnection": "Server=DevDBServer;Database=MyDatabase;User ID=some_userid;Password=some_password;Integrated Security=False;Trusted_Connection=False;"
The key change was to make sure that Trusted_Connection=False, which is consistent with the error message. Generally I would not use an untrusted connection. In this case I was connecting to a dev/test database so it's fine.
For future googlers:
If you do need Integrated Security and are getting this error it might be you're using a local account instead of a domain account.
I came across this running Visual Studio locally and trying to connect to a database on another machine. A workaround was to run Visual Studio as a different user, the prompt didn't work but running the command below did (make sure to replace DOMAIN\USER and you will be asked to provide credentials):
runas /netonly /user:DOMAIN\USER "C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\devenv.exe"
(This is for VS2019, your path may vary).
Old question, and my symptoms are slightly different, but same error. My connection string was correct (Integrated security, and I don't provide user and pwd) with data source set to 127.0.0.1. It worked fine for years.
But recently I added a line in the static host file for testing purposes (C:\Windows\System32\drivers\etc\hosts)
127.0.0.1 www.blablatestsite.com
Removing this line and the error is gone.
I got a clue from this article (https://support.microsoft.com/en-gb/kb/896861) which talks about hostnames and loopback.
Other possible fix (if you need to keep that line in the hosts file) is to use the hostname (like MYSERVER01) instead of 127.0.0.1 in the data source of the connection string.
I had this same issue while accessing this through work where we use Azure authentication - I'd changed my password through the Azure password reset service but this only pushed through after I manually updated the password on the schema settings in my RDBMS (in my case, DataGrip).
I have a page to create new users in our active directory using VB.NET
I’m using the following code
Dim rootEntry As New DirectoryEntry
With rootEntry
.Path = "LDAP://" & strServer & "/" & strLDAP
.AuthenticationType = AuthenticationTypes.Secure
.Username = strServerUsername
.Password = strServerPassword
End With
Dim newUser As DirectoryEntry = rootEntry.Children.Add("CN=" & strCN, "user")
With newUser
.CommitChanges()
.Properties("userPrincipalName").Value = TextPN.Text
.Properties("sAMAccountName").Value = TextAlias.Text
.Properties("givenname").Value = TextGivenname.Text
.Properties("sn").Value = TextSurname.Text
……
.CommitChanges()
.Invoke("setPassword", New Object() {strDefaultPassword})
.CommitChanges()
.Properties("userAccountControl").Value = &H0001
.CommitChanges()
End With
This code worked fine in the past.
Now we’ve migrated our webserver to Windows Server 2008 R2 and IIS 7.5, and suddenly the code is not working anymore. (.net framework is 2.0 and cannot be changed)
The user is still created in our active directory, but the account is automatically disabled and the password is not set.
Investigating this issue shows that an exception is thrown at the line
.Invoke("setPassword", New Object() {strDefaultPassword})
Exception
The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
The user account which is used to connect to the AD is still the same and had domain admin rights.
Since nothing has changed to the code, I think there must be another reason why this is not working anymore? Firewall settings, IIS configuration,..?
Any ideas??
I know there is a similar case here Trying to create a new Active Directory user, Invoke("SetPassword",pwd) throws "The RPC server is unavailable"
, but this doesn’t help me out.
Check TCP/UDP 445 port is opened on your firewall.
To connect to an AD server from outside a domain, you need the following ports to be opened :
. TCP/UDP 389 (LDAP)
. TCP 3268 (GC)
. TCP/UDP 445 (SMB over IP)
DirectoryEntry.Invoke() requires AuthenticationType.Secure. What this means is that it needs to be able to authenticate the request via Kerberos or NTLM.
It attempts to use LDAPS (TCP 636) first, then falls back to CiFS (TCP445) if/when it times out or fails because of a missing or invalid certificate. If neither of these ports are open, it will fail with an "RPC Server unavailable" exception.
My webpages are on secured server (https), and I am trying to connect the SQL Server 2008 Database, which is normal server.
I am writing connectionstring on page itself, not in web.config file. And I am getting following error:-
System.Data.SqlClient.SqlException: Login failed.
The login is from an untrusted domain and cannot be used with Windows authentication.
Please help, how can I connect it, does I have to make some webservices for it.
my code is as below:
public void FillCity()
{
SqlConnection con = new SqlConnection();
con.ConnectionString = "integrated security=SSPI;data source=dev-fcb; user id=sa;password=password;"
+"persist security info=False;database=mediapro";
con.Open();
SqlDataAdapter da = new SqlDataAdapter();
da.SelectCommand = new SqlCommand("select * from StateCityMaster where IsActive='1' order by CityName", con);
DataSet ds = new DataSet();
da.Fill(ds);
string CityName = string.Empty;
if (ds.Tables[0].Rows.Count > 0)
{
CityName = ds.Tables[0].Rows[0]["CityName"].ToString();
}
DataSet dset = new DataSet();
da.Fill(dset);
if (dset.Tables[0].Rows.Count > 0)
{
drpCity.DataSource = dset;
drpCity.DataTextField = "CityName";
drpCity.DataValueField = "CityName";
drpCity.DataBind();
}
drpCity.Items.Insert(0, new ListItem("--Select--", "0"));
con.Close();
}
Your connection string is telling it to use integrated security SSPI, which will use the Windows credentials.
Set Integrated Security to false if you are going to be providing the username and password.
Also, consider putting your connection string inside of the web.config file - it is more secure and reusable.
From http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlconnection.connectionstring(v=VS.100).aspx:
When false, User ID and Password are specified in the connection. When true, the current Windows account credentials are used for authentication.
Recognized values are true, false, yes, no, and sspi (strongly recommended), which is equivalent to true.
If User ID and Password are specified and Integrated Security is set to true, the User ID and Password will be ignored and Integrated Security will be used.
I created a new Asp.Net Core MVC site and I had this same error. I was attempting to connect to my company's database while connected to the network via VPN. Here's what worked for me:
Instead of
"DevConnection": "Server=DevDBServer;Database=MyDatabase;User ID=some_userid;Password=some_password;Integrated Security=SSPI;Trusted_Connection=True;"
I used
"DevConnection": "Server=DevDBServer;Database=MyDatabase;User ID=some_userid;Password=some_password;Integrated Security=False;Trusted_Connection=False;"
The key change was to make sure that Trusted_Connection=False, which is consistent with the error message. Generally I would not use an untrusted connection. In this case I was connecting to a dev/test database so it's fine.
For future googlers:
If you do need Integrated Security and are getting this error it might be you're using a local account instead of a domain account.
I came across this running Visual Studio locally and trying to connect to a database on another machine. A workaround was to run Visual Studio as a different user, the prompt didn't work but running the command below did (make sure to replace DOMAIN\USER and you will be asked to provide credentials):
runas /netonly /user:DOMAIN\USER "C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\devenv.exe"
(This is for VS2019, your path may vary).
Old question, and my symptoms are slightly different, but same error. My connection string was correct (Integrated security, and I don't provide user and pwd) with data source set to 127.0.0.1. It worked fine for years.
But recently I added a line in the static host file for testing purposes (C:\Windows\System32\drivers\etc\hosts)
127.0.0.1 www.blablatestsite.com
Removing this line and the error is gone.
I got a clue from this article (https://support.microsoft.com/en-gb/kb/896861) which talks about hostnames and loopback.
Other possible fix (if you need to keep that line in the hosts file) is to use the hostname (like MYSERVER01) instead of 127.0.0.1 in the data source of the connection string.
I had this same issue while accessing this through work where we use Azure authentication - I'd changed my password through the Azure password reset service but this only pushed through after I manually updated the password on the schema settings in my RDBMS (in my case, DataGrip).