I am trying to get a flask app deployed to a windows server (IIS 7.5) that passes the client NTLM Windows Authentication to the SQL Server connection in SQL Alchemy.
At the moment the connections string looks like this:
"DRIVER={SQL Server Native Client 11.0};Server=%s;Database=%s;TDS_Version=8.0;Trusted_Connection=yes;"
And the Trusted_Connection=yes serves to pass the owner of the web server process to SQL Server. This works great when running the development server because I am invoking the server so my access credentials get passed. BUT when IIS runs the server it inherits the application pool identity and sends a bogus non domain user as the auth credentials.
I have tried to use the WindowsAuth setting in the webconfig but SQLAlchemy keeps passing the app pool identity to the sql server.
I've had similar issues with SQL DB Connections, and the workaround that worked was to create a Windows Network User and have IIS run applications with that identity instead of the App Pool identity. This 'real user' identity is then passed on to any downstream invocations (SQL).
This scales well in an enterprise environment and prevents most security change problems because the user is a 'normal user' and only nominally a 'service account'.
Related
I've got a new server build running Windows Server 2012 R2, IIS 8.5 (inc. ClassicASP feature) and SQL Server 2014 Express. I want to use Application Pool Identity to connect to the database. The database is set to "Windows Authentication Mode".
My Application Pool Identity is called activbase.net. I've set up a Security Login in SQL Server called IIS AppPool\activbase.net and user mapped it my database with db_datareader and db_datawriter access.
However when I try to access the database from the website, I get:
Cannot open database "ActivbaseLive" requested by the login. The login failed.
I thought this was enough to get the connection working.
The Application Log (Event Viewer) shows:
Login failed for user 'NT AUTHORITY\IUSR'. Reason: Failed to open the explicitly specified database 'ActivbaseLive'. [CLIENT: ]
So I have added NT AUTHORITY\IUSR likewise to the SQL Server>Security>Logins and Databases>[ActivbaseLive]>Security>Users and this fixes the problem.
My questions are as follows:
Should I be needing to add NT AUTHORITY\IUSR login/user in addition to IIS AppPool\activbase.net login/user to my SQL Server Instance and database?
Is there a security issue with doing this? (NOTE: this will be a production environment)
Thanks,
Chris
No. You don't need to add an SQL Server login for the NT AUTHORITY\IUSR identity in addition to the IIS AppPool\activbase.net identity. A login for the IIS AppPool\activbase.net application pool identity alone is adequate for connecting to SQL Server using Windows Authentication.
NT AUTHORITY\IUSR is a built-in Windows account that is the default identity used when Anonymous Authentication is enabled for your application. This page describes the rationale for the account.
To connect to your database with the IIS AppPool\activbase.net identity, you need to change the account set up for anonymous users from NT AUTHORITY\IUSR to your IIS AppPool\activbase.net application pool identity. Proceed as follows to make this change:
Open Internet Information Services (IIS) Manager.
In the Connections panel, locate and click to select the website hosting your application e.g. Default Web Site. (If you want to configure a specific application under your website, you can select the application.)
In the Features View in the center panel, double-click Authentication.
Anonymous Authentication will most likely be enabled in your setup. Right-click Anonymous Authentication, and select Edit.
In the Edit Anonymous Authentication Credentials dialog box, click the Application pool identity option, and then click OK.
The question in the link below (and its answer) addresses the same issue:
Login failed for user NT AUTHORITY\IUSR
With regard to your second question, "Is there a security issue with doing this?", the answer is, "Yes". You preferably don't want the NT AUTHORITY\IUSR built-in account having access to your SQL Server database since it is used as the default anonymous account on any other websites (and their applications) hosted on your IIS web server. This means those other websites and applications would be able to connect to your database. If they are compromised in an attack, they could potentially be used to access your data. So it's best not to have an SQL Server login for NT AUTHORITY\IUSR. Instead, limit database access to your website's (or application's) application pool identity.
I am supporting a .NET 4.0 (Visual Studio 2010) web application that authenticates to a SQL Server 2008 database which resides on my work intranet. The application authenticates to the database using windows authentication. Thats all fine and dandy if Im developing on my host, but I am developing on a virtual machine that is not on the work domain. Thus when the project build and runs, it throws a SqlClient.SqlException
"Login failed. The login is from an untrusted domain and cannot be used with Windows authentication."
Short of developing on my host and abandoning the VM, what can I do to avoid this error and successfully authenticate to the database so I can build/run the web app? I am willing to store my credentials somewhere locally, though preferably not somewhere that would be under TFS source control (like the web.config) because I couldnt keep the file checked out since there are other developers on the project.
I have tried running Visual Studio as a different user (as the user on my work domain) but I get a "unknown user name or bad password" error.
Note, adding the Virtual Machine to the domain (or connecting to it via VPN) are not options. The VM must remain off the domain. Also note, the virtual machine is running on the computer that is on the domain, and the VM uses a shared connection. So it CAN access the intranet but it can't perform windows authentication to SQL Server.
You can run Visual Studio (or SQL Server Management Studio) as the user on the domain. The trick is, you have to use the “/netonly” option of the “runas” Windows tool, so that you can run as a domain user on a non-domain machine.
Namely, in a command prompt you run this command (filling in your own criteria):
runas /netonly /user:<Domain>\<User_Name> "<Your_Program.exe>"
Alternatively, you can create a shortcut on your desktop, and set this command as the shortcut target. Upon running the shortcut/command, you enter your credentials when prompted and visual studio (or whatever program you like) will run as the domain user.
Join the domain using vpn connection if possible. Vpn can connect you with specific domain credentials. Alternative would be connecting using SQL Server Authentication if SQL Server is configured with mixed authentication.
From what I understand, you have several options:
You could add a user account to the SQL db to allow password authentication
Have the VM join the domain
Create an SSH tunnel to the host SQL server port
Actually I was expecting a SqlExcpetion like Login Failed for user IIS AppPool\My AppPool Name exception instead of Domain\MachineName$.
I've created an Application Pool that is using
Manged Pipeline Mode : Integrated
Identity : ApplicationPoolIdentity
This AppPool is assigned to the Web Application (MVC3) in question. But somehow it seems that the WebApp is using somehow the NetworkService for the connection to SqlServer.
Any Idea why or what I should change?
Turns out that I forgot to change the connection string to SqlServer.
So they where pointing to another machine in the Network, as IIS AppPool\My AppPool Name is only valid on the local Server, IIS takes automatically the Network Service to access stuff in the Network, that's why it was showing Domain\MachineName$.
I am running a asp .net web service on IIS7. The latter is running on a Windows 2008 R2 Server. IIS7/the web service is configured for asp .net impersonation. The worker process owner is set to NETWORK SERVICE.
The web service invokes sqlplus.exe impersonated with his/her domain account on the server. I can see that through the task manager. However, when sqlplus is started, oracle says the username/password is wrong.
sqlplus.exe is started like this: sqlplu.exe / . This works great if I manually log on the server with the user account and type the statement above, everything works great
I believe you're running into the "double hop" issue here.
Your first hop is using impersonation from the client's computer to the web server. The second hop is from the web server to your database server, where you're attempting to pass those same credentials along to the database.
When you manually log on and run the sqlplus statement, it's only a single hop from the web server to the database server.
The following is quoted from MSDN. Notice the recommendation to use basic authentication from the client to the web server.
The double-hop issue occurs when the
ASPX page attempts to use resources
located on a server that is different
from the IIS server. In our case, the
first "hop" is from the web browser
client to the IIS ASPX page; the
second hop is to Active Directory.
Active Directory requires a primary
token. Therefore, the IIS server must
know the password for the client to
pass a primary token to Active
Directory. If the IIS server has a
secondary token, the
NTAUTHORITY\ANONYMOUS account
credentials are used. This account is
not a domain account and has very
limited access to Active Directory.
The double-hop using a secondary token
occurs, for example, when the browser
client is authenticated to the IIS
ASPX page by using NTLM
authentication. In this example, the
IIS server has a hashed version of the
password as a result of using NTLM. If
IIS turns around and passes the
credentials to Active Directory, IIS
is passing a hashed password. Active
Directory cannot verify the password
so it uses NTAUTHORITY\ANONYMOUS LOGON
for authentication.
If your browser client uses Basic
authentication to authenticate to the
IIS ASPX page, the IIS server has the
client password and can make a primary
token to pass to Active Directory.
Active Directory can verify the
password and authenticate the domain
user.
http://msdn.microsoft.com/en-us/library/ms817871.aspx
i have developed an application and it is working fine but when ever i create a virtual directory for it in IIS and run the application i am getting connection failure exception and named pipes exception.
thanks!
It looks like you having some issue with the database connection from your application. Can you post your code and the exact nature of the error.
Without any code or details of the language it is hard to guess what the issue can be however a common one that occurs with asp.net could be your database connection string. Are you using a SQl Server / Sql Server Express database with your application? You need to check that the connection string.
The problem is the Integrated Security=True setting in your connection string. IIS uses the ASPNET windows login which will be different to the Windows login used when running from VS. You've got a few options:
Grant the ASPNET user the required access rights on your database
Use Sql Server authentication: Set up a user on the database as a sql login and pass this username / password in on the connection string and set Integrated Security=False
Change the identity IIS runs under to one that has access to the DB.
There may be other options also however I think these are most common. Which to choose depends on the architecture you are deploying to, personally I almost always go for Sql Server Authentication using a username and password. The web.config can be encrypted for further security if required.