I am new to ASP.NET MVC and creating a little application in my spare time at work.
This application has windows authentication and connects to one of our remote test databases, and the application does some simple select/update/insert queries with one of the tables on this database.
For one part of my application, when a user clicks 'process', I save that user's username in my model by doing:
job.User = System.Web.HttpContext.Current.Request.LogonUserIdentity.Name;
And then write that to the database.
Everything run's fine when I run it locally through visual studio, it recognises my domain name/username and saves that to the database.
Once publishing to IIS, I ask one of my team members to connect to my computername/site and when they try to click that same 'Process', they get
"Login failed for user 'OURDOMAINNAME/MYCOMPUTERNAME$'. "
My application is using DefaultAppPool with Identity set as 'ApplicationPoolIdentity'.
My whole team has permissions to access this database and if only my application picked up their correct domain group/username then it would OK but the application is trying to connect as MY computer and not my actual windows logon.
Can anybody please advise?
Since you are using ApplicationPoolIdentity, did you allow that user in your MSSQL database?
User: IIS APPPool\DefaultAppPool
Related
Here is my scenario: I have a web application developped on Razor pages and it's published on a server with IIS connected to the company's network. I use windows identification for the user to log into the application. Each time an user makes a change or uses the application I save windows user into a SQL database. The problem is that sometimes the user is not the current user using the application. It's not frequent that this happens but I'm wondering if an user leaves the app open and another user logs in then the new user is saved? I tried to replicate the error on my local machine but I can't get to the same problem. I use User.Identity.Nameand save the value inside a static variable. Do you know what can cause this problem?
I'm trying to use, for the first time, Windows authentication on my ASP.NET Core 3.1 MVC site to connect to SQL Server using EF Core.
Locally everything is ok (using IIS Express), but on the server, something goes wrong.
My site has "hi,<myDomain/myAccount>!" on the top right of the page, and it is correct, but when I request a page with database query, I get this error:
SqlException: Login failed for user 'MyDomain\MyServerName$'
Why? How do I configure EF Core connection string?
Update:
I can't use form authentication
I don't have a user list table
I can use impersonation (WinAuth? active dir?)
Every user(more can login to site has the access to the sql database
I can change some IIS Server settings
This is the first time i use the winAuth (auto configured by visual studio create project tool => with windows authentication)
"what kind of user is the app pool running under?" i don't know, the default one i think
This is likely an issue having to do with the credentials running the app pool in IIS, and the access rights those particular credentials have. You say you are NOT using impersonation, in which case the request to SQL Server from your app running on IIS needs to be made using a system account that has proper database access. A system account being a singleton account that only exists to run as the "Application Pool Identity" for the app in IIS.
On IIS on your server, what kind of user is the app pool running under? In most cases with Windows Authentication, you want to use a system account of some kind to run the app pool and then give that system account access to the database. If you don't want to use a system account, you would have to use impersonation, and then use an AD Group to give the impersonated users access to the SQL Server Database.
Since you're saying the request to SQL server is coming across as DOMAIN\SERVERNAME, you likely need to change that setting in IIS to set the request to come from a system account, and then give that system account explicit access to the SQL Server database.
You can change this by adjusting your Advanced Settings in IIS and inputting the information (Username/PW) of the account you want to run the app under or "as" in IIS.
Then, add this same DOMAIN\USERNAME account to the Database as a user who can Read/Write/Delete etc. You could also simply add the DOMAIN\SERVERNAME that is being denied in it's request to the database here, if you don't want to use a custom system account.
As for "How to configure EFCore connection string?", this is usually done in the Startup.cs file. There you can input a connection string from your appsettings.json directly with the .UseSqlServer(connectionstring) method.
You access the connection string using Configuration.GetConnectionString("KEY").
Once configured there, you don't need to configure it again (unless perhaps to change from dev/qa/prod environments).
I developing ASP.Net MVC website which uses an ADO.Net Entity Data Model to connect to a MS SQL Server.
To access data it uses WebApis in views called from jquery which use the above datamodel to get data, and it also uses code in the view controller which also uses the same datamodel.
When I run this locally (on the development machine), everything works fine. However, when I deploy it to IIS v10.0 and try to access the website from another machine, it partially works. Calls to the database made using the WebApis fail with a:
HTTP500: SERVER ERROR - The server encountered an unexpected condition that prevented it from fulfilling the request.
Whilst pages that call data access code from the view controller work correctly.
When I look at the error for the WebAPI I see that the following error is produced:
"ExceptionMessage":"Login failed for user 'xxx\yyy-zzz-15$'
I don't know why this login is being used - I would expecting it to be using the 'NT AUTHORITY\IUSR' login, like the data access code from the view controller does.
Any thoughts?
you have two options
in database add that user to NT AUTHORITY\SYSTEM and give it the
permissions to your database.
make new user login in database and give it the
permissions to your database and change the web.config to not be integrated
security and add the user ID and password.
Your problem as it stands is because you are running as a default account - you've then asked that account to access other machines and data. To fix that you need to have it work as an actual account.
To have your webcode run as a user the simplest way is get a functional account from your AD team, and then set the pool for your site to be that AD account, and allow that AD account also the appropriate (eg not sa) to SQL.. As per comment to Mohamed's options above.
Please check the application pool on which your website is running. If the app pool is running on a service account, you need to add same account to your database server and assign proper permissions.
In your connection string, if you don't set the user, it will use the IUSR user.
And the IUSR User will not have enough permission to connect to the database.
I don't recommend to give rights to the IUSR user because this can cause security issues!
Instead, you should define your user id and password in your connection string.
If there is not user that you can use in your server, you can create a new user and give necessary permissions to this user.
here is a simple connection string :
data source=yourServerID;initial catalog=YourDatabaseName;user ID=yourNewUser;password=PasswordOfYourNewUser;
To configure a new user :
https://support.chartio.com/knowledgebase/granting-table-level-permissions-in-sql-server
I've created an application using the ASP.Net Entity Framework 6 Code First approach.
The app runs fine locally, using a local instance of a SQL Server database.
After creating an azure account and publishing the site to the Azure service, the site home page and login pages load just fine.
If I try to login or access the 'register' page, I get the following exception:
Cannot open server "app.co.za" requested by the login. The login
failed.
app.co.za is not the real domain name, I have replaced the original.
The original domain is only related to the site because I've created my Azure account using my email from that domain.
When specifying the Azure database under the deployment profile in Visual Studio, I entered the connection string provided on the Azure Portal with my Azure portal login details (which is where I think the issue might be).
Since this is a login issue though, I'm not sure if I've entered the correct set of credentials? I've made sure that there are no errors in the password.
How can I know that I have used the correct credentials to log in with?
Thanks!
Azure SQL Databases are firewalled and only allow connections from whitelisted IP addresses. If you haven't already done so, please browse to your Azure SQL DB in the Azure Portal and click on the Overview tab. You'll then see a "Set Server Firewall" menu option on the Overview tab. Add your current IP address to the list.
You can verify that your IP is whitelisted by connecting to your Azure SQL DB via Sql Server Management Studio.
I am attempting to create a new web api for my company and am running into an issue with permissions.
First, the api is hosted on one server and it needs to access a database on another server. The app pool is using ApplicationPoolIdentity as it's identity.
When I run the api from Visual Studio, it is able to access the database on the other server. Incidently, I made sure that my login doesn't have access to that server. Instead I am forcing the api to use a connection string from the web.config file that contains a username and password. I am able to pull back information just fine.
When I put the api into IIS on my machine, I get the error 'Login failed for user Domain\username' any time I try to get information to return from the API. Is there any reason that Visual Studio would allow this to work, but IIS keeps trying to login to the database server with my machine account instead of using the connection string in the web.config file? I am trying to figure out how to get around this issue.
I found the issue. It seems that my connection string was being modified in three different places in the program. At one point one of my team members had it coded to pull the machine as the user instead of using my connection string. Once I updated and removed redundant code I was able to make the connection between machines without having to use a domain account.