I have an asp.net application directory, and I want to use anonymous authentication in the Directory Sercurity tab.
If I use the pre-Windows 2000 style DOMAIN\USERNAME for the username, everything is fine.
If I use the AD-style (UPN) usename#domain.local, then I get a 401.1 failed login.
I've tried a number of variations, but can't get it to work. If I select the user from the Browse box, the AD name comes up in the box, but the pre-Windows 2000 name is filled-in. Likewise for SQL Server 2005.
It seems that the UPN isn't 'real', is this right? Given that it's not required and doesn't have to be unique; it seems very odd.
Am I correct, in that this is not supported? Would IIS 7 make any difference?
I wish to do this, because the limit of 20 characters for the pre-Windows 2000 username is insufficient for the role-based security I wish to apply for different webservices (the application directories) coming off this website.
UPN suffixes should work, althouh there is a bug which occurs when there is a service pack difference between the IIS box and the domain controller. There is a patch for it. This link discusses the issue in detail.
Are you sure it's domain.local and not domain.com. If the domain\username is working, then username#domain.com should work.
Update 1:
I have tried it on Windows 2003 sp 2. In the login "directory security" I have checked the enable anonymous access check box ( and only this box ) and put ausername#mydomain.com and the ausername password. The site is plain asp.net without sql backend.
Are you able to login to the server with the usename#domain.local ?
Can you test this on different domain? It may be some wired dns resolution problem.
Update 0:
I tested it on iis 6 and the username#domain.com combination works fine on my machine.
About the "realnes" of the names. No name is "real" the actual account is just a GUID. The names are just for convenience.
Related
I'm just in the process of trying to properly configure asp.net 4.5 on our IIS servers.
I have been able to navigate and launch an ASPX page that contains no data conenctions sucessfully so I know that the application pool authentication to the local directories is working as it should.
Now though I have a seperate SQL server that is connected to the domain and have a connection string stored in the code that connects the ASPX page to the server using a trusted connection. When running in visual studio debug mode, the connection works fine - but at that point I assume it is using my login credentials.
My question is, when a user calls the aspx page via the browser when hosted on the new IIS7 server, which account is used to call the SQL server when using a trusted connection? - Is it the end users or is it a local account from the IIS server?
When I call a page with data connections embedded I get the error: Login failed for user ADMIN\PCNAME$ ... which is an indication that this is the account that it is using. However this account doesn't exist on the domain that I'm aware of. - Or does it ?!
Thanks in advance,
It will use the account that ASP.NET is running under, as you've worked out. What you usually should do is create a Domain Account (with the right privileges) and run your ASP.NET AppPool under that account. Then a Trusted Connection will use that account for connecting to the database, and as long as you've given it access (which as a Domain Account you can do) it should all work.
Added:
After some back and forth on comments, lets go back to the start: set the new AppPool to run with the domain users account, and recycle the AppPoolo. What is it that says the password is wrong? If it's IIS trying to start the AppPool, then it is extremeny likely that the Password you gave the AppPool IS wrong, or else that the password is set to change on first logon.
If its not IIS, but opening a Database connection, are you sure that the database allows this Domain Account access to the database and the tables within it it will need? What roles have you assigned to this account? Also, what SQL statement is it trying to execute (if it's got far enough to try and execute a statement at all)?
I suggest you put any response in you original question - comments get to be a drag if there are too many of them.
I am using ldap for user authentication as mentioned in this link.
http://www-archive.mozilla.org/directory/csdk-docs/writing.htm
Here I am getting "Operations error" while ldap_search_ext_s call. Can anyone tell me what changes I need to do in order to get the user information from Active Directory.
Note : I don't want to enter the dc name and password while binding. Since machines will be running under normal users account (domain users) which do not have admin credentials in domain.Please let me know how to do binding in this case also.
My machine details :
Mac Lion, 64 Bit.
I am trying to connect to Windows Active Directory.
Thanks,
Tausif.
You need to bind with a valid username and password when connecting to a Windows Active Directory server in most cases.
When you're performing your ldap_simple_bind_s(), the two NULL parameters need to be replaced - the first with the DN of the user that is performing the bind, the second with the password for that DN.
There's more link detail in this answer
I am trying to figure out what is going on. Here is our setup:
We have four SQL servers that are in replication with each other.
We add a new user to Windows Active Directory and add them to a group that is in SQL Server that we have been using for ages.
The new user, when trying to authenticate using Windows authenication returns that error in the subject line. But, any users that were previously in Active directory work fine.
At one point I had gotten SQL Server "caught up" becauuse we had a group of users that could not log in because of this error. I did some changes to the SPNs and ended up making it so no one could log in. Then I realized how the SPNs were supposed to look and fixed it. Then I guess some magic happened and those users were able to authenticate. I thought it was fixed, but it is obviously not as we had to add one new user and they cannot authenticate.
What is interesting is that the user can authenticate with three out of the four SQL Servers. It is only this one server that is working incorrectly. I set up two SPNs for the SQl Service on this sql server.
They look like -
MSSQLSvc/[servername].[domain].local:1433
MSSQLSvc/[servername]:1433
These are actually registered to the Service account that we use for the SQL Servers. What is interesting is that I can't find the SPNs for the servers that are working anywhere.
Any help would be appreciated!
Edit: Also, another point to note is that if I try to add the user directly as a login into SQL server. I right click Logins and click Add Login then click search. I then type in [Domain]\[Username] and click check names. It validates the name as being correct. Then I click OK. And then OK again, and it gives the Error Windows NT user or group '[Domain]\[Username]' not found. Check the name Again.
I thought it was fixed, but it is obviously not as we had to add one
new user and they cannot authenticate.
The user has to relogin in order to pick up the new group. Otherwise, it's kerberos ticket is still using the old group membership information in its PAC
These are actually registered to the Service account that we use for
the SQL Servers. What is interesting is that I can't find the SPNs for
the servers that are working anywhere.
I think what happen is that you have one SQL Server with SPN setup properly while the other three SQL Servers with no SPN setup at all. So, you are going to use Kerberos on this particular server while NTLM on the other three.
As mentioned before, when you are using Kerberos, you have to either purge the ticket using some tools or you have to relogin in order to pick up the new group membership. You can also try to lock the screen and then unlock it. If I remember correctly, this should also refresh the ticket.
Unlike Kerberos, NTLM doesn't carry the group memberhsip data. After SQL Server authenticated the user using NTLM, it will find the authenticated user's group membership, including the new group you just added.
Whenever I try to access SSRS 2008 R2 through a URL (i.e. after being published on the net), it always shows a login prompt when accessing the report. The problem does not appear in the development environment.
How do I prevent this login prompt from showing whenever I try to access a report? For the time being, we are solving this problem by providing a username and password in <appSettings> in the web.config. Once this change is made, the login prompt does not appear.
Is there a better solution to this? Am I doing this the wrong way?
I am assuming the prompt is for the username / password for the domain. Internally you are likely getting through the AD authentication check in your application as you will have permissions to deliver the report (you can test that premise with Firefox or other browser that doesnt handle AD authentication like IE does/
I think you may have setup for basic authorisation to view the report RSReportServer.config rather than web.config is that what you have done? (see this to see example http://msdn.microsoft.com/en-us/library/cc281309.aspx.)
If you are trying to get full anonymous access then you are in for some fun; luckily one of the RS team blogged a way to achieve it; I wouldn't advocate doing it straight onto a production box though.
http://blogs.msdn.com/b/jameswu/archive/2008/07/15/anonymous-access-in-sql-rs-2008.aspx
I'd start with using Internet Explorer, on a domain.. which will pass your credentials (if that is how you have this configured).
It IS possible to configure firefox to pass Windows Authentication / Token.. I don't remember how I had done this previously.
The BEST platform for using SSRS is Apple / Safari.. because when you hit the checkbox that says 'remember password' it actually remembers the password. It blows my mind that Chrome, Firefox, IE give you a prompt that says 'remember password' - but from my experience, remembering passwords only work as I expect when I am using Safari.
I'm not sure from you're question is the login box a prompt to get you access to the report server or is it a prompt on the reports datasource.
It sounds a bit like permissions to access the report server, I guess you could try giving the app pool user permissions to access the report server and run the report or use an impersonation account to access the report.
I was running into this problem for a different reason than the accepted answer. While SSRS was installed, it wasn't properly configured. Being new to installing SSRS, I had assumed some tabs in the Reporting Services Configuration Manager were set to defaults. They weren't. Once I went back and actually set them, everything worked fine.
Disable loopback
http://thetazblog.taznetworks.com/2006/03/crm-30-sbe-sql-reporting-error.html
............................
I am currently setting up a dev environment which is an exact copy of our prod environment. The problem is when I try to authenticate a user by using CFLDAP tag in the dev environment, it won't let me authenticate the user without prefixing the username with the domain name while in the prod environment we don't have to prefix the username with the domain name. See example code below:
Details:
Windows 2000 Web Server
ColdFusion 5
Authenticating to a Windows 2003 Active Directory environment
Any help is greatly appreciated.
I have found when using CFLDAP, that using NT style logins for the username will inevitably cause problems and inconsistencies. You are really much better off using the distinguishedName attribute (DN) for a given user:
CN=User,OU=Users,DC=domain,DC=com
Of course your DN will likely be different - but hopefully that illustrates the point.