I've got a new server build running Windows Server 2012 R2, IIS 8.5 (inc. ClassicASP feature) and SQL Server 2014 Express. I want to use Application Pool Identity to connect to the database. The database is set to "Windows Authentication Mode".
My Application Pool Identity is called activbase.net. I've set up a Security Login in SQL Server called IIS AppPool\activbase.net and user mapped it my database with db_datareader and db_datawriter access.
However when I try to access the database from the website, I get:
Cannot open database "ActivbaseLive" requested by the login. The login failed.
I thought this was enough to get the connection working.
The Application Log (Event Viewer) shows:
Login failed for user 'NT AUTHORITY\IUSR'. Reason: Failed to open the explicitly specified database 'ActivbaseLive'. [CLIENT: ]
So I have added NT AUTHORITY\IUSR likewise to the SQL Server>Security>Logins and Databases>[ActivbaseLive]>Security>Users and this fixes the problem.
My questions are as follows:
Should I be needing to add NT AUTHORITY\IUSR login/user in addition to IIS AppPool\activbase.net login/user to my SQL Server Instance and database?
Is there a security issue with doing this? (NOTE: this will be a production environment)
Thanks,
Chris
No. You don't need to add an SQL Server login for the NT AUTHORITY\IUSR identity in addition to the IIS AppPool\activbase.net identity. A login for the IIS AppPool\activbase.net application pool identity alone is adequate for connecting to SQL Server using Windows Authentication.
NT AUTHORITY\IUSR is a built-in Windows account that is the default identity used when Anonymous Authentication is enabled for your application. This page describes the rationale for the account.
To connect to your database with the IIS AppPool\activbase.net identity, you need to change the account set up for anonymous users from NT AUTHORITY\IUSR to your IIS AppPool\activbase.net application pool identity. Proceed as follows to make this change:
Open Internet Information Services (IIS) Manager.
In the Connections panel, locate and click to select the website hosting your application e.g. Default Web Site. (If you want to configure a specific application under your website, you can select the application.)
In the Features View in the center panel, double-click Authentication.
Anonymous Authentication will most likely be enabled in your setup. Right-click Anonymous Authentication, and select Edit.
In the Edit Anonymous Authentication Credentials dialog box, click the Application pool identity option, and then click OK.
The question in the link below (and its answer) addresses the same issue:
Login failed for user NT AUTHORITY\IUSR
With regard to your second question, "Is there a security issue with doing this?", the answer is, "Yes". You preferably don't want the NT AUTHORITY\IUSR built-in account having access to your SQL Server database since it is used as the default anonymous account on any other websites (and their applications) hosted on your IIS web server. This means those other websites and applications would be able to connect to your database. If they are compromised in an attack, they could potentially be used to access your data. So it's best not to have an SQL Server login for NT AUTHORITY\IUSR. Instead, limit database access to your website's (or application's) application pool identity.
Related
I am moving some old web applications from an old Server to a Server 2016. We are using a domain account for the application identity and we need to use windows authentication. I am getting a 401.3 error when I try a test.html page on the server. I am only getting this for static content though as I tried a home.aspx page and that page worked.
Things I have tried/checked
Static Content is installed under the Common HTTP Features
The domain account used for the app pool has full access to the directory containing test.html
Tried NTLM first as provider instead of Negotiate on IIS Windows Authentication Providers
Tried "Enable Kernel-mode authentication" checked and unchecked
Tried all settings of "Extended Protection" under Advanced settings for windows authentication.
Tried ProcMon. All I get when I filter for test.html is 2 QueryOpen operations with result SUCCESS
The solution for this was that we need to have the account that was running the application pool set up in the "Impersonate a client after authentication." Our local group policy had this locked down. I am guessing the default install may have IIS_USRS group in this policy but our server did not.
I am supporting a .NET 4.0 (Visual Studio 2010) web application that authenticates to a SQL Server 2008 database which resides on my work intranet. The application authenticates to the database using windows authentication. Thats all fine and dandy if Im developing on my host, but I am developing on a virtual machine that is not on the work domain. Thus when the project build and runs, it throws a SqlClient.SqlException
"Login failed. The login is from an untrusted domain and cannot be used with Windows authentication."
Short of developing on my host and abandoning the VM, what can I do to avoid this error and successfully authenticate to the database so I can build/run the web app? I am willing to store my credentials somewhere locally, though preferably not somewhere that would be under TFS source control (like the web.config) because I couldnt keep the file checked out since there are other developers on the project.
I have tried running Visual Studio as a different user (as the user on my work domain) but I get a "unknown user name or bad password" error.
Note, adding the Virtual Machine to the domain (or connecting to it via VPN) are not options. The VM must remain off the domain. Also note, the virtual machine is running on the computer that is on the domain, and the VM uses a shared connection. So it CAN access the intranet but it can't perform windows authentication to SQL Server.
You can run Visual Studio (or SQL Server Management Studio) as the user on the domain. The trick is, you have to use the “/netonly” option of the “runas” Windows tool, so that you can run as a domain user on a non-domain machine.
Namely, in a command prompt you run this command (filling in your own criteria):
runas /netonly /user:<Domain>\<User_Name> "<Your_Program.exe>"
Alternatively, you can create a shortcut on your desktop, and set this command as the shortcut target. Upon running the shortcut/command, you enter your credentials when prompted and visual studio (or whatever program you like) will run as the domain user.
Join the domain using vpn connection if possible. Vpn can connect you with specific domain credentials. Alternative would be connecting using SQL Server Authentication if SQL Server is configured with mixed authentication.
From what I understand, you have several options:
You could add a user account to the SQL db to allow password authentication
Have the VM join the domain
Create an SSH tunnel to the host SQL server port
I am doing a website after publishing the website it becomes NT AUTHORITY\SYSTEM account.
In my website I am accessing the database. Since my published network became NT AUTHORITY\SYSTEM account, it can't access my sql server 2008 R2. How do I make it connect to my sql server?
I deployed the website using IIS7.
"System" is local account, you can't give it access on other machine (assuming IIS and MSSQL are on different boxes).
The restriction you are hitting is that Windows permissions can't travel more than one box ("double-hop authentication" briefly discussed in Double-hop authentication: Why NTLM fails ).
Easiest solution is to use SQL authentication, but it requires password information in connection string. Impersonating special account (or reverting to process acount that runs under particular account) is much more secure apporach.
I am running a asp .net web service on IIS7. The latter is running on a Windows 2008 R2 Server. IIS7/the web service is configured for asp .net impersonation. The worker process owner is set to NETWORK SERVICE.
The web service invokes sqlplus.exe impersonated with his/her domain account on the server. I can see that through the task manager. However, when sqlplus is started, oracle says the username/password is wrong.
sqlplus.exe is started like this: sqlplu.exe / . This works great if I manually log on the server with the user account and type the statement above, everything works great
I believe you're running into the "double hop" issue here.
Your first hop is using impersonation from the client's computer to the web server. The second hop is from the web server to your database server, where you're attempting to pass those same credentials along to the database.
When you manually log on and run the sqlplus statement, it's only a single hop from the web server to the database server.
The following is quoted from MSDN. Notice the recommendation to use basic authentication from the client to the web server.
The double-hop issue occurs when the
ASPX page attempts to use resources
located on a server that is different
from the IIS server. In our case, the
first "hop" is from the web browser
client to the IIS ASPX page; the
second hop is to Active Directory.
Active Directory requires a primary
token. Therefore, the IIS server must
know the password for the client to
pass a primary token to Active
Directory. If the IIS server has a
secondary token, the
NTAUTHORITY\ANONYMOUS account
credentials are used. This account is
not a domain account and has very
limited access to Active Directory.
The double-hop using a secondary token
occurs, for example, when the browser
client is authenticated to the IIS
ASPX page by using NTLM
authentication. In this example, the
IIS server has a hashed version of the
password as a result of using NTLM. If
IIS turns around and passes the
credentials to Active Directory, IIS
is passing a hashed password. Active
Directory cannot verify the password
so it uses NTAUTHORITY\ANONYMOUS LOGON
for authentication.
If your browser client uses Basic
authentication to authenticate to the
IIS ASPX page, the IIS server has the
client password and can make a primary
token to pass to Active Directory.
Active Directory can verify the
password and authenticate the domain
user.
http://msdn.microsoft.com/en-us/library/ms817871.aspx
I have just installed Windows Server 2003 Standard Edition and therefore IIS6 (comes as standard). I have also install the windows component that enable the administration of IIS from the browser (https://server:8098/). The problem I have is that I have to log-in to this tool but the Server Administrator u/name and p/word does not let me in.
The Windows documentation on this tool (http://support.microsoft.com/kb/324282) says "You are prompted for a user name and password that exist on the Web Server" but none of the standard user acounts on the server let me in.
Thanks,
Here are a couple ideas:
Take a look at the security log on the server for clues.
Look at the "Directory Security" tab on the properties of the admin site and ensure "Enable anonymous access" is unchecked. You will need to use "Integrated Windows authentication" or "Basic authentication". If you use Basic auth then the password is sent across then network base64 encoded - you will want to use SSL to encrypt it.
Is there a specific requirement to use the web tools? You can download Internet Information Services (IIS) 6.0 Manager for Windows XP from Microsoft and run it from a client.
I'm not so sure now, haven't set up a Win 2003 box in a while but as far as I remember you have to activate remote desktop first and then you can use a RDP client to access the server. I recommend that over the ActiveX RDP client.
Is the server part of a domain? It may be defaulting to a domain username/password combo rather than a local username/password.
Try "server.domain.local\administrator" or "administrator#server.domain.local".
I would check the permissions on that site in IIS - make sure you are using an account that is a member of a group specifically assigned permissions. I understand that the builtin admin account is not working but its possible the site permissions have changed removing that account or group. - hope that makes some sort of sense
This might be unlikely, but are you trying to use a username that has a blank password? Windows restricts remote access when using those accounts.
If that's the case, you can check the Group Policy (gpedit.msc for local computer, or the one for domains if it's in a domain.):
Computer Configuration
Windows Settings
Security Settings
Local Policies
Accounts: Limit local account use of blank passwords to console logon only