I'm currently attempting to debug a solution that I've picked up as a side project but I'm not having much luck. The solution depends on data (user IDs, page content, etc) stored on an MSSQL server on my local network, but when I execute the solution in VS2012 debug mode the connection fails. The error I'm getting says that the connection failed, and that the user was rejected.
When I log into the SQL server and check the event logs I can see where the login ID was rejected, but it was rejected because it wasn't the login ID that I specified in the connection string. It seems to be trying to use my windows authentication instead (which in windows 8 is a live ID) which won't work because my windows ID doesn't (and shouldn't) have access to the server.
Some basic connection string info (all data changed to protect the innocent... aka my poor server)
Data Source=myServer; Initial Catalog=myDB; User ID=myUsername; Password=myPassword; Integrated Security=false;
Has anyone run into this issue?
Do a search in the entire solution for myServer. This should shed light on the issue, given the connection string is defined somewhere else and it connects to the same server.
Related
I have created a Google Cloud Project MySQL database to use in conjunction with the Jdbc service provided by Google Apps Script. Everything went as planned with the connection. I am basically connecting as it does in the docs.
var conn = Jdbc.getCloudSqlConnection(dbUrl, user, userPwd);
I shared the file with another account and all of a sudden I am seeing a red error saying:
'Failed to establish a database connection. Check connection string, username and password.'
Nothing changed in the code, but there is an error. When I go back to my original account and run the same bit of code, there is no error. What is happening here? Any ideas?
Jdbc.getConnection works from both: my account and another account:
var conn = Jdbc.getConnection('jdbc:mysql://' + IP + ':3306/' + database_name, user, password)
I'm really confused because the recommended method did not work.
There are two ways of establishing a connection with a Google Cloud
SQL database using Apps Script's JDBC service:
(Recommended) Connecting using Jdbc.getCloudSqlConnection(url)
Connecting using Jdbc.getConnection(url)
Notes:
IP is a Public IP address from the OVERVIEW tab in your database console:
I've allowed any host when created a user:
I am not sure whether this question has been resolved or not, but let me add this answer.
I also faced the same problem but I found the resolution. What I did is:
First, go to the console.
https://console.cloud.google.com
Then, open IAM.
and add the account as a member and add this permission: "Cloud SQL Client".
I think this is a permission issue in your second account. Necessary information are missing in your question. But, the secound account, if run as a another user, won't necessarily have your sqlservice authorization. The permission,
https://www.googleapis.com/auth/sqlservice
Manage the data in your Google SQL Service instances
is required to use Jdbc.getCloudSqlConnection(url), while Jdbc#getConnectionUrl() just requires external link connection permission
https://www.googleapis.com/auth/script.external_request
I believe that you can only connect to sql instances owned by you with getCloudSqlConnection() which doesn't even require external connection permission. This method probably calls your sql instance internally.
References:
Jdbc#getCloudConnection
Jdbc#getConnection
Conclusion
To connect to any external service, you need external_request permission. But, You don't need that permission to connect to your own documents say, Spreadsheets owned by you/have edit access permission - through SpreadsheetApp.openByUrl(). I believe it's the same thing with Jdbc.getCloudSqlConnection(). It calls your Google sql internally - So, even if you grant external request permission, It won't work. What will work for this method is
Installable triggers (which runs as you).
Add the second account also as owner in GCP-IAM (may not work though) See this answer
I'd double-check once again all IP ranges which should be whitelisted. According to your description it worked fine in first account, probably in second account Apps Script uses another IP for connection, which was not whitelisted or whitelisted with some typo. Could you share screenshot how did you exactly whitelist the ranges from this article?
I have a GAS Add-On that uses a Google cloud dB. I initially set this up by:
Whitelisting Google Cloud IP ranges in my SQL instance
Getting the script.external_request scope approved for OAuth Consent screen
This all works great from GAS for the add-on, but I suspect that if this whitelist is not comprehensive and volatile (which I expect it is), I will see intermittent connectivity issues.
I recently added a Firebase web app that needs access to the same dB. I had issues, because Firebase does not conform to those Google IP ranges and does not expose its IP for whitelisting. So I had to create a socket layer connection as if Firebase was an external service.
Which got me thinking, should I put a socket layer in my GAS Add-On? But nothing in the GAS JBDC Class documentation indicates a socket parameter.
Which leads me to a question that was not really answered in this thread:
Does anyone know why Jdbc.getCloudSqlConnection(url) is the "Recommended" approach? The documentation seems to imply that because the IP whitelisting is not required, Jdbc.getCloudSqlConnection(url) is using a socket (or some other secure method) to connect to the dB?
It also seems silly that if that is the case, that I would need two have two sensitive scopes to manage a dB connection. I would rather not go through another OAuth const audit and require my users to accept another scope unless there is a benefit to doing so.
We call DirectoryEntry.Invoke("SetPassword",newpwd) to change the password of a local user, but the new password is not being used immediately when doing Windows Authentication to a remote SQL server. It does get used after a reboot, but that's not really an option for me here. How can I make it take effect without rebooting? I need currently running processes on the client to begin using the new password immediately.
The environment is two Windows 7 Embedded systems, call them 'server' and 'client', and there is no domain, but they are both in the same workgroup. We use the same username on both systems. There are multiple servers out there with different passwords (computed based on various things). When we need to switch to use a different server, we change the password locally. The change itself is successful, but SQL accesses from client to server fail with
SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure.
and
Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
But as soon as client reboots it can access server's database successfully.
SQL Express 2008 on both systems, configured to use only Windows Authentication.
Wireshark shows me the SMB2 NTLMSSP_AUTH packet with what looks like the usual info although I don't know how to decode the security blob. Otherwise it matches the packet from a successful session. In the failure case this packet is followed by an SMB2 response with STATUS_LOGON_FAILURE and a missing security blob. I can only think that the client presents some kind of hash of the password in that security blob and the server is finding that it doesn't match its own password hash - or something like that.
Changing the environment ('Use Active Directory', 'Use Kerberos', etc.) is unfortunately not an option for me here. Also, these are consumer touch-screen kiosks, where no human ever knows the password, and wouldn't have a keyboard to enter it anyway.
ADD: FYI, The changing of the password is done thus:
DirectoryEntry directoryEntry = new DirectoryEntry(string.Format("WinNT://localhost/{0}", username));
directoryEntry.Invoke("SetPassword", newPassword);
ADD: Made that parameter new object[] {newPassword}, and called .CommitChanges(), because those look like correct things to do. No change in behavior.
I have a asp.net mvc application that interacts with RabbitMq. Everything works great locally.
However, on our deployment server it cannot connect
DEBUG|MassTransit.RabbitMqTransport.Integration.RabbitMqConnectionCache|Connecting: muyuser#localhost:5672/|
ERROR|MassTransit.RabbitMqTransport.RabbitMqReceiveTransport|RabbitMQ connection failed: Connect failed: muyuser#localhost:5672/|
What I'm able to gather is this
In order to connect to RabbitMq you need a valid .erlang.cookie in (on windows) your User root
As best I can tell, this cookie is created when you install rabbitmq
In development we're using localdb which runs as the developer's user (which has this cookie)
In production the application runs off of IIS which uses the application pool and the built-in ApplicationPoolIdentity account. Which doesn't have a User folder for the .erlang.cookie file to live in.
So the question becomes...what now? How is this intended to work?
Obviously we could create a dedicated user for the web application but our system administrator is understandably very reluctant to do this.
Another clue, is that when I tried to RDP, log in as myself and connect to rabbit I found that I could not. After troubleshooting I discovered that my cookie didn't match up with that of others who could! I replaced it with the one from c:\windows\.erlang.cookie and could then connect from cli. It seems possible like there is a cookie installed somewhere for the applicationpoolidentity but it is an incorrect cookie. What is the location where it would go?
Erlang cookies are used for internode communication, whether it is for clustering RabbitMQ or for contacting RabbitMQ via the command line using rabbitmqctl.
If you have problems with an AMQP connection, then the erlang cookie has nothing to do here.
Take a look at access control https://www.rabbitmq.com/access-control.html to see if your user is properly configured.
At the same time check the server logs to see why the connection is refused.
What configuration change do I need to make?
Hello, recently upgraded my laptop to windows7, I pulled down our site from subversion to make some updates. I always test the changes on localhost before I move them to our beta site. Now, I was able to set up IIS on windows 7 to run our site, but it seems only the non-dynamic asp pages are working. Any page that tries to connect to the DB returns an error message.
Microsoft OLE DB Provider for ODBC
Drivers error '80040e4d'
[Microsoft][SQL Native Client][SQL
Server]Login failed for user 'NT
AUTHORITY\ANONYMOUS LOGON'.
/include/chooseyear.inc, line 15
Here is the Global.asa file
'Added Lock to Session Onstart to
protect Current Year variable ' from
becoming corrupted
If isEmpty(Application("CURRENT_YEAR"))
then
Application.lock Application("CURRENT_YEAR") =
Year(now()) Application.Unlock END
IF 'Doug Chamberlain 'continue to use ODBC connection to access data
Session("DBConnection")= "DSN=WITHHELD;UID=USER_NAME_WITHHELD;PWD=PASSWORD_WITHHELD;DATABASE=master;APP=www"
Session("ConnectionTimeout") = 120
Session("CommandTimeout") = 102 'Doug Chamberlain '09/10/2010
Update:
Here is the line of code that fails. but worked prior to upgrading to windows 7 and IIS7.5
PropConnection.Open Session("SCPAASPConnection")
I did a debug on the website when it failed, and the value of that variable is
"DSN=WITHHELD;UID=USER_NAME_WITHHELD;PWD=PASSWORD_WITHHELD;DATABASE=master;APP=www"
but the error message is the same as below, it seems to just ignore the user/pass in the connection string variable. I did get the site to work slightly better by turning on windows auth & anonymous auth. However, other things break when I do that. Like the link scanner I use.
This isn't anything to do with ASP, as all ASP pages are dynamic (in that they will be parsed through by IIS), from what you're saying (and from the error message), it's only the ones with a database connection in that are failing.
This is because the user account the IIS application pool process runs under by default would not have access on the SQL box. You could add a SQL login for that account, or if it's only a local machine you're running it on then just change the app pool identity to run as NetworkService.
In IIS, select the app pool for the site, click Edit Application Pool > Advanced Settings and change Process Model > Identity from ApplicationPoolIdentity to NetworkService.
i have developed an application and it is working fine but when ever i create a virtual directory for it in IIS and run the application i am getting connection failure exception and named pipes exception.
thanks!
It looks like you having some issue with the database connection from your application. Can you post your code and the exact nature of the error.
Without any code or details of the language it is hard to guess what the issue can be however a common one that occurs with asp.net could be your database connection string. Are you using a SQl Server / Sql Server Express database with your application? You need to check that the connection string.
The problem is the Integrated Security=True setting in your connection string. IIS uses the ASPNET windows login which will be different to the Windows login used when running from VS. You've got a few options:
Grant the ASPNET user the required access rights on your database
Use Sql Server authentication: Set up a user on the database as a sql login and pass this username / password in on the connection string and set Integrated Security=False
Change the identity IIS runs under to one that has access to the DB.
There may be other options also however I think these are most common. Which to choose depends on the architecture you are deploying to, personally I almost always go for Sql Server Authentication using a username and password. The web.config can be encrypted for further security if required.