I am attempting to create a new web api for my company and am running into an issue with permissions.
First, the api is hosted on one server and it needs to access a database on another server. The app pool is using ApplicationPoolIdentity as it's identity.
When I run the api from Visual Studio, it is able to access the database on the other server. Incidently, I made sure that my login doesn't have access to that server. Instead I am forcing the api to use a connection string from the web.config file that contains a username and password. I am able to pull back information just fine.
When I put the api into IIS on my machine, I get the error 'Login failed for user Domain\username' any time I try to get information to return from the API. Is there any reason that Visual Studio would allow this to work, but IIS keeps trying to login to the database server with my machine account instead of using the connection string in the web.config file? I am trying to figure out how to get around this issue.
I found the issue. It seems that my connection string was being modified in three different places in the program. At one point one of my team members had it coded to pull the machine as the user instead of using my connection string. Once I updated and removed redundant code I was able to make the connection between machines without having to use a domain account.
Related
I'm trying to use, for the first time, Windows authentication on my ASP.NET Core 3.1 MVC site to connect to SQL Server using EF Core.
Locally everything is ok (using IIS Express), but on the server, something goes wrong.
My site has "hi,<myDomain/myAccount>!" on the top right of the page, and it is correct, but when I request a page with database query, I get this error:
SqlException: Login failed for user 'MyDomain\MyServerName$'
Why? How do I configure EF Core connection string?
Update:
I can't use form authentication
I don't have a user list table
I can use impersonation (WinAuth? active dir?)
Every user(more can login to site has the access to the sql database
I can change some IIS Server settings
This is the first time i use the winAuth (auto configured by visual studio create project tool => with windows authentication)
"what kind of user is the app pool running under?" i don't know, the default one i think
This is likely an issue having to do with the credentials running the app pool in IIS, and the access rights those particular credentials have. You say you are NOT using impersonation, in which case the request to SQL Server from your app running on IIS needs to be made using a system account that has proper database access. A system account being a singleton account that only exists to run as the "Application Pool Identity" for the app in IIS.
On IIS on your server, what kind of user is the app pool running under? In most cases with Windows Authentication, you want to use a system account of some kind to run the app pool and then give that system account access to the database. If you don't want to use a system account, you would have to use impersonation, and then use an AD Group to give the impersonated users access to the SQL Server Database.
Since you're saying the request to SQL server is coming across as DOMAIN\SERVERNAME, you likely need to change that setting in IIS to set the request to come from a system account, and then give that system account explicit access to the SQL Server database.
You can change this by adjusting your Advanced Settings in IIS and inputting the information (Username/PW) of the account you want to run the app under or "as" in IIS.
Then, add this same DOMAIN\USERNAME account to the Database as a user who can Read/Write/Delete etc. You could also simply add the DOMAIN\SERVERNAME that is being denied in it's request to the database here, if you don't want to use a custom system account.
As for "How to configure EFCore connection string?", this is usually done in the Startup.cs file. There you can input a connection string from your appsettings.json directly with the .UseSqlServer(connectionstring) method.
You access the connection string using Configuration.GetConnectionString("KEY").
Once configured there, you don't need to configure it again (unless perhaps to change from dev/qa/prod environments).
I developing ASP.Net MVC website which uses an ADO.Net Entity Data Model to connect to a MS SQL Server.
To access data it uses WebApis in views called from jquery which use the above datamodel to get data, and it also uses code in the view controller which also uses the same datamodel.
When I run this locally (on the development machine), everything works fine. However, when I deploy it to IIS v10.0 and try to access the website from another machine, it partially works. Calls to the database made using the WebApis fail with a:
HTTP500: SERVER ERROR - The server encountered an unexpected condition that prevented it from fulfilling the request.
Whilst pages that call data access code from the view controller work correctly.
When I look at the error for the WebAPI I see that the following error is produced:
"ExceptionMessage":"Login failed for user 'xxx\yyy-zzz-15$'
I don't know why this login is being used - I would expecting it to be using the 'NT AUTHORITY\IUSR' login, like the data access code from the view controller does.
Any thoughts?
you have two options
in database add that user to NT AUTHORITY\SYSTEM and give it the
permissions to your database.
make new user login in database and give it the
permissions to your database and change the web.config to not be integrated
security and add the user ID and password.
Your problem as it stands is because you are running as a default account - you've then asked that account to access other machines and data. To fix that you need to have it work as an actual account.
To have your webcode run as a user the simplest way is get a functional account from your AD team, and then set the pool for your site to be that AD account, and allow that AD account also the appropriate (eg not sa) to SQL.. As per comment to Mohamed's options above.
Please check the application pool on which your website is running. If the app pool is running on a service account, you need to add same account to your database server and assign proper permissions.
In your connection string, if you don't set the user, it will use the IUSR user.
And the IUSR User will not have enough permission to connect to the database.
I don't recommend to give rights to the IUSR user because this can cause security issues!
Instead, you should define your user id and password in your connection string.
If there is not user that you can use in your server, you can create a new user and give necessary permissions to this user.
here is a simple connection string :
data source=yourServerID;initial catalog=YourDatabaseName;user ID=yourNewUser;password=PasswordOfYourNewUser;
To configure a new user :
https://support.chartio.com/knowledgebase/granting-table-level-permissions-in-sql-server
I've created an application using the ASP.Net Entity Framework 6 Code First approach.
The app runs fine locally, using a local instance of a SQL Server database.
After creating an azure account and publishing the site to the Azure service, the site home page and login pages load just fine.
If I try to login or access the 'register' page, I get the following exception:
Cannot open server "app.co.za" requested by the login. The login
failed.
app.co.za is not the real domain name, I have replaced the original.
The original domain is only related to the site because I've created my Azure account using my email from that domain.
When specifying the Azure database under the deployment profile in Visual Studio, I entered the connection string provided on the Azure Portal with my Azure portal login details (which is where I think the issue might be).
Since this is a login issue though, I'm not sure if I've entered the correct set of credentials? I've made sure that there are no errors in the password.
How can I know that I have used the correct credentials to log in with?
Thanks!
Azure SQL Databases are firewalled and only allow connections from whitelisted IP addresses. If you haven't already done so, please browse to your Azure SQL DB in the Azure Portal and click on the Overview tab. You'll then see a "Set Server Firewall" menu option on the Overview tab. Add your current IP address to the list.
You can verify that your IP is whitelisted by connecting to your Azure SQL DB via Sql Server Management Studio.
A brief background:
I am creating a web application and need this to pull data from SCOM 2012 DB(SQL Server 2012), this DB is set to Windows Authentication only, this will not be changed in the foreseeable future as the company are unwilling to do this.
Problem:
I have looked around extensively on this issue however I am unable to find a solution.
I need to create a connection to the DB running as a specific windows user to pull back to data. To make this clear I do not want to impersonate the end user using the web app. I have the credentials for the account I would like to use for this however I need some assistance in doing this if its possible!
The connection has to be made in the context of the windows user that has login access to the database. You cannot do it through the connection string.
You can do this by setting the app pool identity to this specific user (which is fairly standard practice). Or you can have a method that impersonates the user for the call to the database, though that is a little more involved. See How do you do Impersonation in .NET? for examples.
If the company is inside a domain, and the user running the iis has permisions on the SQL Server, all you have to do is use windows authentication and that's it.
Check out:
http://msdn.microsoft.com/en-us/library/2xzyzb0f(v=vs.100).aspx
You could set up a web service between your web app and your database, and run your web service under the account that has access to the database by putting
<system.web>
<identity impersonate="true" userName="domain\login" password="pwd" />
...
</system.web>
into the web service's web.config.
Then your web app could call the web service to get/save the data.
I know this works because I an working with an app that does this. Perhaps you could just put the impersonate into your web app's config file and access the database directly, but I don't have any experience with that.
I am connecting to a SQL Server database via LINQ in my ASP.NET application (returning results to a web service). The problem is that it only returns results when I'm running it in debug/test mode - When I publish the service I get an error telling me
"Login failed for user 'NT AUTHORITY\NETWORK SERVICE' "
So how do I set / provide the credentials I want the site to use to log into SQL Server?
Thanks in advance for any help
You have to set the credentials in the connection string.
It's possible that the connection string to use on the server will be different than the credentials to use during Development. Ask your DBA which credentials you should use.
You are likely not passing a connection string into your DataContext constructor, causing your program to use the connection string in the constructor, which you have been using for development.
So instead of using something like this:
using (var dc = new MyDataContext()) {
...
}
use
using (var dc = new MyDataContext(MyConnectionString)){
...
}
... and take MyConnectionString from your config file...
A few questions first
Is the SQL server on the same machine?
If it's on a different machine is it in a domain?
Are you using a full SQL installation, or SQL Express?
I'm going to assume you're using a full version of SQL, because if you're using SQL Express user instances will not give you this problem.
If it's on the same machine then you need to add Network Service to the list of allowed users in SQL. To do this start SQL Management studio, expand the security folder, then right click on Logins and choose New Login. Click search on the "Login - New" dialog, making sure Windows Authentication is selected then enter Network Service in the object name box and click Ok. Choose the database you want it to access from the drop down list in the Login - new page and click ok. Finally expand out the databases folder and for each database you wish to grant access to expand out security, right click on users, then select the network service login name, give it a name in the dialog of Network Service and grant it the right access by checking the role in the Database role membership list. If you're messing around db_owner will be fine, you will want to lock this down later.
If the SQL server is on a different box and you are in a domain you can run the application pool as a domain user and grant that access on the SQL box. How to do this varies on the version of IIS.
Finally you can use SQL logins and passwords if the SQL server is configured to do this. Create a SQL user and then add them to the connection string like so
Data Source=myServerAddress;Initial Catalog=myDataBase;User Id=myUsername;Password=myPassword;
In your question, it is unclear if you are using a different database between development and production. Typically, you would have (at least) two copies of the database and would set the connection string to point to the correct environment when you deploy typically by changing the value in the web config. Alternatively, you could set the connection string at runtime using the technique Dave mentions.
In your case, I suspect that you are using integrated authentication and getting cought off-guard by SQL security permissions. When you are testing this in your local environment by debugging it in Visual Studio, it runs under your security credential. Most likely, your user account is an administrator (db owner) in the database and thus you have full permission against the database.
When you deploy this, IIS is running under the NetworkService credential. When you try to access the database, the request fails because NetworkService has not been given rights in the database on each of the tables/views/sprocs/etc.
If you have mixed mode set on your server, you can set the permissions on each database object to a SQL user and set the SQL user and password in your web.config. Alternatively, you can change the user account that the IIS process works under and configure the database to work with that user.