I am trying to deploy a SQLCLR library to SQL Server 2008 R2. In visual studio I have set up the data connection and it works correctly (I can run queries), but when I try to deploy I get the message "Error: Could not obtain information about Windows NT group / user , error code 0x3a."
This is strange because I have set up the data connection to use SQL server authentication on a different user name.
I receive the same error when I run CREATE ASSEMBLY while logged in to the SQL management studio with the different user name.
To add to the mystery, when I deploy using permission set SAFE everything is fine. However my assembly requires EXTERNAL ACCESS.
What could be the problem with deploying my assembly?
This issue wasted so much time I feel compelled to share the solution so that nobody else falls into the same trap.
Issue was resolved by setting the SQL Server Active Directory Helper service to run on Manual, then rebooting the server.
This issue arose in a different environment for me:
Windows 10 box;
The user Windows complained about was an AZUREAD user;
On my Win10 box there was no SQL Server Active Directory
Helper service, so I couldn't try the original solution posted by
ose.
I was able to work round the issue by removing the AZUREAD user as a SQL Server user while I added the assembly.
In my case that user was not essential to have as a SQL Server user, but I dare say it would be possible to re-add the user back later should this be required.
Related
I am running a windows 2016 server, we are running IIs 10 on it and i need to be able to assert if there is an AppPool setup before i deploy a website. If it doesn't exist i need setup the AppPool with a specific user and password.
All of this is done using a release agent through Azure Devops.
The agent is running as a NON-ADMIN, and i all accounts involved are running as NON-ADMIN. I have no intention at all to run any admin accounts, for security reasons i want to give least privildges to all accounts involved.
when i try to set up a AppPool using appcmd.exe i get the error msg:
KeySet does not exist.
When running everything as admin it works (and i have absolutely no intention in running any of this as admin).
What i have tried:
i have added the non-admin account to the IIS_IUSRS group.
Made sure that the user has read permissions to the file: 76944fb33636aeddb9590521c2e8815a_GUID in the %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys folder.
i have tried everything here: Error when you change the identity of an application pool by using IIS Manager from a remote computer
anyone that actually knows the cause of this problem?
UPDATE:
Microsoft clearly recommends that agents should be run using service accounts, which i am doing and i have no interest in giving build agents administrative rights to 1000s of servers when they clearly don't need that kind of powers actually. I want to restrict their powers to only be allowed to do what they need to do. I can't believe that giving everything admin is apparently the norm.
After a lot of googling, and i mean A LOT. I managed to solve this. And let me say, that it baffles me that "least privileged accounts" is not common practice in the Microsoft and windows world.
I found this excellent post by InfoSecMike locking down azure devops pipelines.
And we both have the exact same requirements and opinions on this topic.
You CLEARLY don't need admin rights to update IIs configurations (because that would be insane, right!?). The IIs configuration API does not care what rights you have, what you do need is access to certain files. But this is not documented. Microsoft themselves, just for simplicity, tells you that you need to be admin, and buries all the details really deep in documentation when this should be best practice. Also what amazes me is that no one questions it.
What you need is the following:
full access to C:\Windows\System32\inetsrv\Config
full acccess to C:\inetpub
read access to three keys in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\
6de9cb26d2b98c01ec4e9e8b34824aa2_GUID (iisConfigurationKey)
d6d986f09a1ee04e24c949879fdb506c_GUID (NetFrameworkConfigurationKey)
76944fb33636aeddb9590521c2e8815a_GUID (iisWasKey)
The 2 first bullet points can be obtained if you make sure your service account is a member of the group IIS_IUSRS.
This group will not give you access to the keys. You need to manually give read permissions to these 3 keys to the agent user.
If you don't give access to these keys you will get the obscure error message
Keyset does not exist ( exception from HRESULT : 0x8009000D)
Which is an incorrect error if you ask me as it should be an IllegalAccessException with proper reason telling you that you don't have access to read the key because the keys are there, they do exist (nice code microsoft, maybe you should open source this so we can fix).
I'll leave with this quote from infosecmike.
The goal was to lock down the permissions of the Azure Pipeline Agent {...}. I started Googling, pretty sure I would find a way to achieve this goal. I didn’t. It’s surprising to not find an answer about this. It seems like the principle of least privilege does not apply anymore in a devops world.
This is why i prefer Linux over Windows. This is a simple task there.
I'm trying to do this:
import groovy.sql.Sql
def sql = Sql.newInstance(
url:'jdbc:sqlserver://localhost\\myDB',
user:'server\user', //this I don't think I need because of SSPI
password:'password',
driver:'com.microsoft.sqlserver.jdbc.SQLServerDriver',
SSPI: 'true'
)
The problem I'm having is that this connection is just timing out. I can ping the machine. I can also connect to the database with Managment Studio logged into my SSPI user (or whatever you call it, I start the Management Studio with a different user)
So I've tried that with my SoapUI as well, started the program as a different user, but I still time out when I initiate the connection. So something is very wrong with my connection string and any help would be appreciated.
P.S. Yes, I don't know what's up with the \ backslashes after the URL to the server, I guess it indicates that it's at the root. If I don't use them I get a message that I'm on the incorrect version.
And then we found the answer..... First of all I had the wrong JDBC driver installed. You need to head over to microsoft to get the real deal:
https://www.microsoft.com/en-us/download/details.aspx?id=11774
Then you need to unpack this one, place the 4 or 4.1 version in your bin directory of SoapUI. (You are apparently supposed to use Lib/Ext, but that doesn't work for me)
Then, since we are trying to use SSPI or Windows Authentication, to connect to the SQL server, you need to place the sqljdbc_auth.dll from the driver/enu/auth folder. This is used in one of your path's or in SoapUI Lib folder. Remember to use the 32 bit dll for 32 bit SoapUI!!! I did not since my system is 64.....
After this, I used this string, but now you have the setup correct, so it should work fine as long as you remember to start SoapUI up using the correct windows user. (Shif-right click - start as different user - use the same user you have started the SQL server with)
Again, I wasn't completely aware of this from the start (yes, total newbie here) and it failed.
Finally, when you have done all this, this is the string that works - and probably a lot of derivatives since the failing part here were the driver and dll.
def sql =Sql.newInstance("jdbc:sqlserver://localhost;Database=myDB;integratedSecurity=true","com.microsoft.sqlserver.jdbc.SQLServerDriver")
I'm a bit confused. I built my MVC 3 project which works fine in my development environment and the integrated IIS in Visual Studio 2010.
After deploying it to an IIS 7 it seemed to work, too. Reading does. But when I try to change some database values, it simply does not do anything. It seems to work, but after a reload of the changed values, they aren't changed at all.
Development database is on a local MS SQL Server 2008 and production on a remote Server with SQL Server 2005 (in this case, but the version will differ later on). Is there any difference? The user in the connection string has full rights, since changing works via Management Studio.
The connection string looks like this:
<add name="MyDBEntities"
connectionString="metadata=
res://*/Models.MyDB.csdl|
res://*/Models.MyDB.ssdl|
res://*/Models.MyDB.msl;
provider=System.Data.SqlClient;
provider connection string="
data source=10.90.0.88;
initial catalog=MyDB;
persist security info=True;
user id=foo;
password=bar;
multipleactiveresultsets=True;
App=EntityFramework""
providerName="System.Data.EntityClient" />
Thanks in advance.
PS: I build the project with Entity Framework 4.1 which is installed on the server. Well, reading does work though...
I would suggest ensuring that you have the correct connection details. The easiest way I can think of would be :
Create a new text file ( f.e. connection.txt )
Rename '.txt' to '.udl'
Double-click the created connection.udl file
Provide all the required connection details, hit 'Test connection' button
If it works, hit 'OK' button, open the file with Notepad - connection string will be inside of your connection.udl file. If it doesn't work - you need to find out proper server details ( check instance name, port number, if your user has the correct permissions )
I have a line of code that I can run locally as part of a service that works perfectly fine.
sReportPath = objCrystalUtils.ExportReportToPDF("Report Name", iReportInfoID)
This code is run as a part of a service, and when I unit test it by feeding it data, it ultimately builds the report and prints it.
When I run the exact same piece of code inside an .ashx from an ajax call. The reports are generated (I can see the pdf files being created on disk) but the printing is not happening.
oRpt.PrintToPrinter(objReport.DefaultAutoPrint, True, 0, 0)
In both scenarios the same code is used to print the report. (objReport.DefaultAutoPrint = 0 in both cases)
My only thought is that the location of the code that is calling this method is in a different spot relative to the location of the bills themselves.
The printer that I'm trying to print to is a network printer intalled on my machine, and I'm running Windows 7 IIS 6.1
Any thoughts?
Edit:
Here is a thought... if I'm running one as a unit test locally and im running the other through a web app that is running via IIS, is there a difference in user id and user access to the default printer?
Edit:
So I added my local ASP, IUSR and SYSTEM users to the printer security and allowed them to print... no dice. So I checked the EVERYONE user and it is set to access and NO users are denied... so I think that kinda kills that line of reasoning.
Edit:
I changed the name of this post since I no longer think that the issue is ajax related since If I try to do the same process in code bebehind from a post back instead of running it from an ajax call i still get the same problem.
Patrick, for me it is a known issue of crystal reports, printing a certain report from a running application via IIS.
I got the same issue before, and upon our search for that issue, we got the following;
Report to be generated, exported, and then to be downloaded to client machine,
so user can print it locally (say, report will be exported as PDf file,
user can use print option of PDF reader).
It's not Crystal Reports or other third party app's problem. It's usually the IIS_IUSER's permission problem because it has no access to any network printers. A possible solution is in Process.Start doesn't work in IIS
Background:
I am using the deployment tools in Visual Studio 2010.
I right clicked my project and selected Package/Publish settings. Put all my settings in there ...
I am then using "web deploy" to tranfer the files to my remote server running a remote agent service and this is working fine. The transforms i have on my Web.Release.config do their thing and the server can access the database I created manually.
Problem:
My next step was to get the Database Deployment working too.
I went into the Package / Publish SQL tab and entered my Connection string for the destination database.
(Data Source=MyDBServer;Initial Catalog=Database2;User ID=User;Password=pass)
This database is empty ready to accept the import.
I also enter in the connection string for the source database. This lives on the same server.
(Data Source=MyDBServer;Initial Catalog=Database;User ID=User;Password=pass)
Database Scripting options are set to Schema and Data (changing this makes no difference) and the database scripts are set to [Auto Generated Schema and Data]
When i deploy this now, i get the error:
Error 4 Web deployment task
failed.((09/06/2010 16:41:51) An error
occurred when the request was
processed on the remote computer.)
(09/06/2010 16:41:51) An error
occurred when the request was
processed on the remote computer. The
entry type 'Unknown' was not expected
at this time. The serialization stream
may be corrupted.
Additional Info:
I can successfully create a package with no problems. I looked at the contents in the zip and can see the SQL is generated fine (so no problems connecting to the database). I can then copy this SQL and run it as a new query on the new database and the tables and data are created fine.
I can not seem to work out where this is going wrong, i googled the error and there are no entries on the whole internet. Anyone have any ideas?
Addendum:
To get some further idea of what might be going on, i sent the package across to the server and imported it using IIS. It told me i needed SQL Server Management Objects. So I installed that.
Next attempt it told me my user did not have permission to create the database, I thought excellent this must be the problem. :Granted access - Re-run. Passed!
So i deleted all the tables and went back to VS2010 clicked publish and i get the same error. :(
Sorted it!
Thank goodness, i was totally out of ideas when i went back to a video by hanselman. He mentioned that the Web Deployment Agent can have permissions. I went in had a look and there was a tab in it's properties called log on.
I entered the detials of an account with a decent level of access and clicked okay.
I then restarted the service as requested to enable the changes.
I then went back to VS 2010 and clicked Publish Web.
Music to my eyes, i see the words "Publish succeeded", I check the database and the tables are there. Excellent!
I think i scared the office by getting a little over excited, if you get this problem and this solution fixes it for you, try to hold in the temptation to shout out "YES!, yes, get in!" while laughing maniacally or people will think you're weird like me.