Professional Web Applications Themes

ASPNET account and NT Authentication with SQL Server -Account Locked Out - ASP.NET Security

I have an application running on an IIS box that is trying to make a connection to a separate SQL server box. The application is using Windows NT authentication. During development I can access my data just fine. When I view it in the browser I get the message that the database does not exist or I do not have the necessary permission to logon. I have narrowed the problem to one of security rights. It seems that windows is passing the ASPNET account to the SQL server box. So what I did was change the password of the ASPNET ...

  1. #1

    Default ASPNET account and NT Authentication with SQL Server -Account Locked Out

    I have an application running on an IIS box that is trying to make a
    connection to a separate SQL server box. The application is using
    Windows NT authentication. During development I can access my data
    just fine. When I view it in the browser I get the message that the
    database does not exist or I do not have the necessary permission to
    logon. I have narrowed the problem to one of security rights. It
    seems that windows is passing the ASPNET account to the SQL server box.
    So what I did was change the password of the ASPNET account. I then
    created an ASPNET account on the other box and gave it the same
    password. (I tried this with the IUSR_[MachineName] account first, but
    the following is what leads me to believe it is the ASPNET account that
    is causing the trouble:

    When I go to access the web page, the SQL Server account gets locked
    out. I am not sure why! Is it autogenerating a new password to
    overight my change?

    I know I could impersonate someone, but I would rather not setup some
    sort of dummy account like that; there is a lot of bureaucracy to go
    through to do so. I also do not want to deal with SQL authentication
    and store the password in the connection string. It seems that in a
    Windows intranet environment this just should not be that hard! I must
    be missing something.

    Anyhelp would be greatly appreciated. (If it helps, I created the
    connection string I am using via the ASP.Net wizard. It contains the
    directive to use integrated security.)

    Thanks!!!
    Ryan

    ryan.d.rembaum@kp.org Guest

  2. #2

    Default Re: ASPNET account and NT Authentication with SQL Server -Account Locked Out

    Can you set up a domain account to run ASP.NET under and use that to access
    SQL? The matching machine accounts thing always struck me as kind of
    hackish.

    Joe K.

    <org> wrote in message
    news:googlegroups.com... 


    Joe Guest

  3. #3

    Default Re: ASPNET account and NT Authentication with SQL Server -Account Locked Out

    On 8 Sep 2005 16:07:14 -0700, org wrote:

    I have an application running on an IIS box that is trying to make a
    connection to a separate SQL server box. The application is using
    Windows NT authentication. During development I can access my data
    just fine. When I view it in the browser I get the message that the
    database does not exist or I do not have the necessary permission to
    logon. I have narrowed the problem to one of security rights. It
    seems that windows is passing the ASPNET account to the SQL server box.
    So what I did was change the password of the ASPNET account. I then
    created an ASPNET account on the other box and gave it the same
    password. (I tried this with the IUSR_[MachineName] account first, but
    the following is what leads me to believe it is the ASPNET account that
    is causing the trouble:

    When I go to access the web page, the SQL Server account gets locked
    out. I am not sure why! Is it autogenerating a new password to
    overight my change?

    I know I could impersonate someone, but I would rather not setup some
    sort of dummy account like that; there is a lot of bureaucracy to go
    through to do so. I also do not want to deal with SQL authentication
    and store the password in the connection string. It seems that in a
    Windows intranet environment this just should not be that hard! I must
    be missing something.

    Anyhelp would be greatly appreciated. (If it helps, I created the
    connection string I am using via the ASP.Net wizard. It contains the
    directive to use integrated security.)

    You don't mention the error you are generating from your ASP.NET app but I will assume it's the
    "Login failed for user 'MachineName\ASPNET" message. The following KB article doents the issue:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;316989

    I would agree with Joe. It would probably be much easier to implement a single domain account rather
    than use two local accounts with matching credentials if you are not going to enable impersonation.


    Paul
    ~~~~
    Microsoft MVP (Visual Basic)
    Paul Guest

  4. #4

    Default Re: ASPNET account and NT Authentication with SQL Server -Account Locked Out


    Paul Clement wrote: 

    Hello,

    The actual error message is: SQL Server does not exist or access
    denied. I have definitely considered adding an account under the
    domain, but because of our corporate structure there is a lot of red
    tape involved in creating an account without a real corresponding user.
    Is there a reason the synching of two identical account names and
    passwords would not work? It seems when we have applied it here in
    other situations. I also don't understand why it would cause the
    password to be revoked on the SQL box. Is there some service that
    might be changing the password back to some other value after I make my
    changes? I have entered the passwords on both boxes for both accounts
    multiple times to try to make sure I did not mistype between the two.

    Thanks,
    Ryan

    ryan.d.rembaum@kp.org Guest

  5. #5

    Default Re: ASPNET account and NT Authentication with SQL Server -Account Locked Out

    On 13 Sep 2005 14:35:16 -0700, org wrote:


    Paul Clement wrote:
    > On 8 Sep 2005 16:07:14 -0700, org wrote:
    >
    > I have an application running on an IIS box that is trying to make a
    > connection to a separate SQL server box. The application is using
    > Windows NT authentication. During development I can access my data
    > just fine. When I view it in the browser I get the message that the
    > database does not exist or I do not have the necessary permission to
    > logon. I have narrowed the problem to one of security rights. It
    > seems that windows is passing the ASPNET account to the SQL server box.
    > So what I did was change the password of the ASPNET account. I then
    > created an ASPNET account on the other box and gave it the same
    > password. (I tried this with the IUSR_[MachineName] account first, but
    > the following is what leads me to believe it is the ASPNET account that
    > is causing the trouble:
    >
    > When I go to access the web page, the SQL Server account gets locked
    > out. I am not sure why! Is it autogenerating a new password to
    > overight my change?
    >
    > I know I could impersonate someone, but I would rather not setup some
    > sort of dummy account like that; there is a lot of bureaucracy to go
    > through to do so. I also do not want to deal with SQL authentication
    > and store the password in the connection string. It seems that in a
    > Windows intranet environment this just should not be that hard! I must
    > be missing something.
    >
    > Anyhelp would be greatly appreciated. (If it helps, I created the
    > connection string I am using via the ASP.Net wizard. It contains the
    > directive to use integrated security.)
    >
    > You don't mention the error you are generating from your ASP.NET app but I will assume it's the
    > "Login failed for user 'MachineName\ASPNET" message. The following KB article doents the issue:
    >
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;316989
    >
    > I would agree with Joe. It would probably be much easier to implement a single domain account rather
    > than use two local accounts with matching credentials if you are not going to enable impersonation.
    >
    >
    > Paul
    > ~~~~
    > Microsoft MVP (Visual Basic)

    Hello,

    The actual error message is: SQL Server does not exist or access
    denied. I have definitely considered adding an account under the
    domain, but because of our corporate structure there is a lot of red
    tape involved in creating an account without a real corresponding user.
    Is there a reason the synching of two identical account names and
    passwords would not work? It seems when we have applied it here in
    other situations. I also don't understand why it would cause the
    password to be revoked on the SQL box. Is there some service that
    might be changing the password back to some other value after I make my
    changes? I have entered the passwords on both boxes for both accounts
    multiple times to try to make sure I did not mistype between the two.

    Is your system configured for Kerberos? I don't believe credential delegation (to the SQL Server
    box) is going to work if you're using Integrated Windows Security w/o Kerberos.


    Paul
    ~~~~
    Microsoft MVP (Visual Basic)
    Paul Guest

Similar Threads

  1. Replies: 0
    Last Post: August 31st, 04:57 PM
  2. Replies: 6
    Last Post: March 16th, 05:00 PM
  3. ASPNET Account
    By Rich in forum ASP.NET General
    Replies: 7
    Last Post: January 9th, 02:31 PM
  4. ASPNET Account, Impersonation, SQL Server problem
    By The Tech in forum ASP.NET Security
    Replies: 0
    Last Post: December 6th, 08:01 PM
  5. Replies: 1
    Last Post: October 19th, 06:55 PM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139