
SQL / IIS Application Pool Identity - ASP.NET

  1. #1

    SQL / IIS Application Pool Identity

    Hi,

    I've got an ASP.NET web application which uses Windows security with a SQL
    Server database. I want to use the application pool identity to make the
    connection to the SQL server database. If I set the authentication tag to
    None and impersonation to false I get the following:

    ===

    Event Type: Error
    Event Source: ExceptionManagerPublishedException
    Event Category: None
    Event ID: 0
    Date: 10/15/2004
    Time: 5:54:26 PM
    User: N/A
    Computer: IPDDFZ0025ATL2
    Description:

    General Information
    *********************************************
    Additional Info:
    ExceptionManager.MachineName: (removed)
    ExceptionManager.TimeStamp: 10/15/2004 5:54:26 PM
    ExceptionManager.FullName: Microsoft.ApplicationBlocks.ExceptionManagement,
    Version=1.0.1746.26470, Culture=neutral, PublicKeyToken=null
    ExceptionManager.AppDomainName:
    /LM/W3SVC/1518623831/Root-12-127423650871912556
    ExceptionManager.ThreadIdentity:
    ExceptionManager.WindowsIdentity: NT AUTHORITY\NETWORK SERVICE

    1) Exception Information
    *********************************************
    Exception Type: System.Data.SqlClient.SqlException
    Errors: System.Data.SqlClient.SqlErrorCollection
    Class: 14
    LineNumber: 0
    Message: Login failed for user '(null)'. Reason: Not associated with a
    trusted SQL Server connection.
    Number: 18452
    Procedure:
    Server:
    State: 1
    Source: .Net SqlClient Data Provider
    TargetSite: System.Data.SqlClient.SqlInternalConnection
    GetConnection(Boolean ByRef)
    HelpLink: NULL

    StackTrace Information
    *********************************************
    at System.Data.SqlClient.ConnectionPool.GetConnection(Boolean& isInTransaction)
    at System.Data.SqlClient.SqlConnectionPoolManager.GetPooledConnection(SqlConnectionString options, Boolean& isInTransaction)
    at System.Data.SqlClient.SqlConnection.Open()
    at InDIMENSIONS.Web.SmartForm.ContactForm.CreateContactRecord(String inquiryType, String subject, String message, String name, String emailAddress, String ipAddress, String fileName)

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.

    ===

    Given that the app is running under the NETWORK SERVICE identity, would it
    not use that to make the connection?

    The application and SQL Server instance are on the same server, Windows
    Server 2003.

    The articles I've read on MSDN so far haven't been very clear about this.
    Can someone provide an example or guidance on what I need to set to get this
    scenario working?

    Thanks!
    Colin


    Colin Bowern Guest

  2. #2

    SQL / IIS Application Pool Identity

    Is the SQL Server on the same machine or on a different machine?

    If on the same: grant NT Authority\Network Service access to the db.

    If on another machine: either use a domain account for the worker process or grant MACHINENAME$ access to SQL.



    ---
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    [microsoft.public.dotnet.framework.aspnet.security]
    Dominick Baier Guest
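
The grant described in reply #2, written out as T-SQL. This is an added example, not code posted by anyone in the thread; it assumes SQL Server 2012 or later syntax, and the database `ContactDb`, schema `app` and role `web_app_role` are hypothetical names.

```sql
-- Added example: least-privilege access for the IIS worker process identity.
-- Hypothetical names (not from the thread): ContactDb, app, web_app_role.

USE master;
GO
-- Same-machine case: the worker process connects as the built-in account.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'NT AUTHORITY\NETWORK SERVICE')
    CREATE LOGIN [NT AUTHORITY\NETWORK SERVICE] FROM WINDOWS;
GO
-- Remote case: NETWORK SERVICE presents the web server's computer account
-- on the network, so the login is the machine account instead.
-- <DOMAIN> is a placeholder; MACHINENAME$ is the name used in the reply.
-- CREATE LOGIN [<DOMAIN>\MACHINENAME$] FROM WINDOWS;

USE ContactDb;
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'NT AUTHORITY\NETWORK SERVICE')
    CREATE USER [NT AUTHORITY\NETWORK SERVICE]
        FOR LOGIN [NT AUTHORITY\NETWORK SERVICE];
GO
-- Put the application's stored procedures in their own schema so the
-- grant covers exactly what the web application calls and nothing else.
IF SCHEMA_ID(N'app') IS NULL
    EXEC (N'CREATE SCHEMA app');
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'web_app_role' AND type = 'R')
    CREATE ROLE web_app_role;
GO
-- EXECUTE on one schema only: no db_owner, no direct table access.
GRANT EXECUTE ON SCHEMA::app TO web_app_role;
ALTER ROLE web_app_role ADD MEMBER [NT AUTHORITY\NETWORK SERVICE];
GO

-- Check 1: the login exists, is mapped into this database, and holds
-- only the intended role.
SELECT sp.name      AS login_name,
       sp.type_desc AS login_type,
       dp.name      AS database_user,
       r.name       AS role_name
FROM sys.server_principals AS sp
JOIN sys.database_principals AS dp
     ON dp.sid = sp.sid
LEFT JOIN sys.database_role_members AS rm
     ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals AS r
     ON r.principal_id = rm.role_principal_id
WHERE sp.name = N'NT AUTHORITY\NETWORK SERVICE';

-- Check 2: while the web application is running, see which identity and
-- authentication scheme its sessions actually arrived with.
SELECT s.session_id,
       s.login_name,
       s.nt_user_name,
       c.auth_scheme,      -- SQL, NTLM or KERBEROS
       s.host_name
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
     ON c.session_id = s.session_id
WHERE s.program_name = N'.Net SqlClient Data Provider';
```

If the second query shows a different `login_name` than the application pool identity, the request thread is connecting under an impersonated or anonymous account rather than the worker process account.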

  3. #3

    Re: SQL / IIS Application Pool Identity

    Set the authentication tag in web.config to "windows" (this way it actually
    uses Windows integrated authentication) and turn off (disable) anonymous
    authentication in IIS management console for that virtual directory. This is
    only for authentication though. Simply change to a defined application pool
    user (right click on the app pool in IIS manager and select properties and
    go to the Identity tab). You can select a user to use here, and that context
    will be used to authenticate against SQL database. Note: Once you have
    enabled Windows integrated auth above, disable impersonation in the
    web.config, otherwise the user context/credentials will be used to connect
    to SQL, which will obviously be different for each user.

    So,
    - enable Windows auth as I mentioned above. This is so the user
    authentication is actually taking place.
    - disable impersonation in the web.config
    - change the user in the Identity tab of the properties of the Application
    pool to use a user you would like to connect to the SQL database. Ensure
    that this user has correct access to your virtual directory for your web app
    and any temporary and required system file areas.


    --
    - Paul Glavich
    Microsoft MVP - ASP.NET


    Paul Glavich [MVP - ASP.NET] Guest

  4. #4

    Re: SQL / IIS Application Pool Identity

    Hi Paul,

    So what I've set in the web.config is as follows:
    ---
    <authentication mode="Windows" />
    <identity impersonate="false" />
    <authorization>
    <allow users="*" />
    </authorization>
    ---
    If I set IIS virtual directory security to just Windows Integrated
    Authentication enabled I am no longer able to access the application as an
    anonymous user.

    If I enable Anonymous Authentication in addition to Windows Integrated
    Authentication I am back to where I started - the inability to login to the
    database using the application pool identity via SQL Server's Windows
    authentication. The application pool is running under Network Service
    identity which has been granted the rights to the SQL database.

    Thanks,
    Colin


    Colin Bowern Guest

  5. #5

    Re: SQL / IIS Application Pool Identity

    Can you try changing the app pool identity to some specifically created
    user? Call it 'testuser' for example. Give it rights to the virtual
    directory to run the web app, use it as your app pool identity, and also
    create that same user name with exactly the same password as a local user on
    your SQL database machine. Also, add that user as a login to your SQL
    database and see how you go using the same web.config settings you have
    defined below.

    --
    - Paul Glavich
    Microsoft MVP - ASP.NET


    Paul Glavich [MVP - ASP.NET] Guest
