I have a silverlight application that works perfectly on my local machine but, when i try to run it from a web server it does not work.
I've been researching a lot and i ended up installing the fiddler web debugger tool which gave me a little better idea of why my application was failing. I think the way i'm connecting to the database is whats causing my issue. This is what i'm using:
string myConnectionString = "Persist Security Info=False;Integrated Security=SSPI;database=Database;server=Server;Connection Timeout = 600";
After a little bit of research i learned that Integrated Security = SSPI means that the current machines credentials will be used to connect to the database which is why the program works on my computer and not the webserver.
I don't know if i'm thinking about this correctly, but i'm pretty sure this is my problem. The error that Fidder reports is: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGIN'.
I also read that I should specify userId and password in the connection string, but i don't know what values to use for these fields (when i connect to sql server 2008 i use Windows Authentication option and i only supply a user name.)
I can post any code that may help to clarify my situation.
Edit: if it helps at all, i am able to visit DatabaseService.svc in the browser without any errors.
What do i have to do to overcome this issue?
Related
I am at the end of my rope and need some help. This will probably turn out to be something simple but I have been debugging the code and reading the same web pages for so long, I probably missed it.
I am working on setting up an environment so we can run .NET Core APIs from a Linux server. These will hit an SQL Server running on Windows for data and use Windows AD for Integrated Security. The outfacing server is Apache with .Net running reverse proxy using the standard Kestrel. So I have:
client browser -> Apache(Linux) -> Kestrel(Linux) -> SQL Server (Windows Server 2016)
Server FDQNs:
Linux - cats6-87.it.my.company
Windows - cats7-47.ad.my.company
I will be referring to these by short names from here on, but please note that all of the actual settings use the FDQN. It should also be noted that these two servers are NOT in the same domain; the Win server is part of the AD while the Linux server is not.
I am able to use Kerberos to authenticate users in Apache. This was done via the "standard" way by creating a special AD account (catadn001), setting an SPN call HTTP/cats6-87.it.my.company, creating a keytab, and setting up apache to use the account and tab. I am also able to pass this login to my .Net application and the data shown in HttpContext.User indicates the user is authenticated.
I am trying to double-hop so the DB can be hit by the authenticated user. I set up the environment according to every piece of documentation I could find:
SPNs of MSSQLSvc/cats7-47:1433, MSSQLSvc/cat7-47:CATS747
catadn001 is set to be able to delegate Kerberos for MSSQLSvc
The SQL Server log indicates the SPNs are set up correctly and running SELECT distinct auth_scheme FROM sys.dm_exec_connections after logging in using Windows Authentication in SSMS from a Windows 10 machine returns KERBEROS.
Back to Linux.
Using kinit I am able to retrieve a ticket for HTTP/cats6-87. klist confirms this.
In my .Net application, I am using Microsoft.Data.SQLClient to try to open an Integrated Security connection in an API endpoint:
new SqlConnection("Data Source=cats7-47;Integrated Security=True")
As I am experimenting here, I run my test application as myself. Before I had even tried to hit my endpoint though, I had a couple of questions:
How would .Net know to use HTTP/cats6-87?
How would the credentials passed in from Apache be passed along to SQL Server?
The SqlClient documentation does not mention it. In any case, from the few pages I found about Integrated Security from Linux to Windows and SQLClient, the above connection string should be enough. So I tried it.
No joy.
The error message presented was Login failed for user HTTP/cats6-87. I checked the SQL Server log and confirmed this. My application is trying to login with the Kerberos delegation account. I tried to search for this and every single page came back about error messages for anonymous login indicating problems with SQL Server and Kerberos. But I had already confirmed that SQL Server was using Kerberos correctly.
So I tried stepping through the SqlClient code by using the github repo of it. I learned a lot, particularly about how the user name is derived on Linux versus Windows (WindowsIdentity is not available) and about how annoying OOP truly is, but nothing to solve the problem and I still don't know the answer to my two questions above.
Can someone help? How do I get my linux application to use the Kerberos delegation to log into SQL Server in Windows?
I know this is an often asked question, but I'm still receiving this error and I have tried:
Using localhost, the IP address and the instance name in the
connection string
Changing the SQL Server Configuration Manager so
Named Pipes and TCP are both enabled Ensured the database is set to
allow remote connections
Opened 1433 & 1434 for UDP & TCP in Windows Firewall, in fact I
tried turning off the firewall for a moment to see if it would
connect
Ensured the browser & the MSSQLSERVER service are both up and
running using NETWORK SERVICE
Now for some oddness. The SQL Server instance and the IIS running the website are on the same machine.
If I open a browser and browse to the website I get the error. If I open a browser on my local machine and browse to the website I get the error. If I change the connection string in my development PC to the IP address of the remote server running SQL server and debug the application it connects and runs without error!
I am totally at a loss now as to what could be the error.
This is SQL Server 2008 RC2.
I'm on the verge of giving up - I very much appreciate the efforts you guys have made, I have tried all the suggestions here and I am coming to the conclusion that something must have gone awry in the set-up of the server, the website or the database. Just to reiterate if you remote desktop onto the server and connect to the website using http://gdservers you can login and it all works fine, if you use http://gdservers.<domain>.co.uk the login fails. The error in the event log is a membership credentials failure, not blocked by firewall or anything like that. If there's any other suggestions I'd love to hear them, thanks again.
If your web app intends to use SQL Server Authentication with a SQL login/password then make sure that your connection string explicitly states Integrated Security=False. Otherwise your connection may default to Windows Authentication and not behave as expected.
Edit
Also, be sure that the connection string you're tweaking is the one that is actually being used to make the connection. Sometimes things can get confusing when an application has multiple components that may have their own configuration settings. For example, the problem in the thread here turned out to be:
I was updating the connection string on the web.config but, it's a multitier application, the data access component is in a separate .dll and has its own connection string.
Edit
I'm beginning to wonder if the SQL Membership Provider is using Windows Authentication to connect to the SQL Server even if your data connections aren't. Check out the video here and perhaps review your settings (especially the authentication setting in the provider setup steps).
I don't think anyone spotted it and I only spotted it on Wednesday and then realised I'd made another error. If someone has mentioned it above let me know and I'll change the award and give them the points.
The applicationName was missing from the membership provider. I spotted it on Wednesday and added one in, what I didn't realise I'd done is made a spelling mistake when adding the applicationName in, so when I did this, it didn't fix it, so I thought it wasn't the problem.
Yesterday whilst reviewing the code I noticed I spelt the applicationName 'GSServers' instead of 'GDServers' when I changed it, it all started working.
Not a very satisfactory conclusion and I apologise.
Thank you to everyone who tried to solve this problem and sticking with it.
As I said if someone did mention this in an answer or comment somewhere let me know and they can have the points.
Stupid question but, have you checked the credentials of the login? I'm still very much a noob in this area but I found out thru backing up and restoring a database (at least in MS SQL Server) that the restored user login doesn't work.
I've had to delete the user from the database and add it back in, then everything works fine. Could it be you are accessing a different version of the database on the non-working machine?
How are you indicating the Data Source/server name in your connection string? I've encountered situations where there was a hosts file on the server redirecting elsewhere, or the server was indicated by a domain name which resolved to the external IP address of the server, or other similar oddness.
Also, if you have SQL Serve installed on the server, do you also have Management Studio installed there? It's the quickest way to rule out code or permission errors, just trying variations through Management Studio until you find login details that work (or know that none do).
Usually the easiest and most secure way is using integrated security:
<connectionStrings>
<add name="HitCounterContext"
connectionString="Data Source=(local)\SQLEXPRESS;Initial Catalog=db;Integrated Security=True"
providerName="System.Data.SqlClient" />
</connectionStrings>
Make sure you use the correct instance name, which per default is "SQLExpress". I don't know how IDEs work with that, but using this connection string with IIS should at least connect successfully (which is not equal to authentication).
Maybe the authentication fails because your database must have a user for the app pool account. If you disable custom errors in your web.config so you get .net error messages, the error message should tell you that the authentication failed for the app pool user (the message actually tells you which user is used). For instance: If you create a new website called "yoursite.com" using IIS 7, per default it creates a new app pool with the name "yoursite.com". With that you'll have to add a user to the database for IIS APPPOOL/yoursite.com (might not be in the users list) and let it be the db_owner for testing.
Add the user for the app pool using "SQL Server Management Studio" like that (sorry it's german. This actually is the form after the user was added, but it should look the same while adding):
After that, your users list should look like
and the servers login list like
where each app pool has its own login for the server and user for the respective database.
By the way: Connecting from the Management Studio works just the same like from your asp.net app, except that you normally use your current user with SMS:
So, if this works, the connection from your app should do as well. The rest relies on the user for the app pool.
The fact that it's trying to login as sa locally suggests you're not using the connection string in your code; I don't think it's a SQL server problem, but an app problem.
In your app, make sure you're actually using the value of the connection string. Don't use the default constructor. E.g.
using(SqlConnection conn = new SqlConnection(WebConfigurationManager.ConnectionStrings["myconnectionstring"].ConnectionString)){ /* .. code */ }
not
using(SqlConnection conn = new SqlConnection()){ /* .. code .. */ }
If I change the connection string in my development PC to the IP address of the remote server running SQL server and debug the application it connects and runs without error!
It's possible you're dev box has been added an authenticated login, and it's automagically "working".
Comment: Using SSPI with a windows user account is preferable from a security perspective.
Answer:
Port 1433 is used for SSL by the default (unnamed) instance.
Ensure that your named instance has an SSL port properly assigned:
http://blogs.msdn.com/b/sqlexpress/archive/2005/05/05/415084.aspx
Try these connect strings (note that they don't use 'localhost' - which is case sensitive, I believe):
'Provider=SQLOLEDB;Data Source=COMPUTERNAME\SQLEXPRESS;Initial Catalog=Test;User ID=COMPUTERNAME\USERNAME; Password=PASSWORD;Integrated Security=False'
'Provider=SQLOLEDB;Data Source=.\SQLEXPRESS;Initial Catalog=Test;User ID=COMPUTERNAME\USERNAME; Password=PASSWORD;Integrated Security=False'
'Provider=SQLOLEDB;Data Source=.\SQLEXPRESS;Initial Catalog=Test;User ID=COMPUTERNAME\USERNAME; Password=PASSWORD;Integrated Security=SSPI'
ADDITIONAL EDIT:
Whenever client is run on same machine as SQL Server, the error occurs. When client is run from dev machine, no error. You may be failing to resolve the machine name because DNS does not support any of the names.
Suggestion: Connect using localhost. Ensure you can ping localhost and/or telnet localhost 1433. Ensure your hosts file (e.g. C:\Windows\System32\drivers\etc\hosts) has entry:
127.0.0.1 localhost
Alternatively, use: (local)\INSTANCENAME
Run SQLCMD –L to list installations (confirming correct browser operation).
Ensure you don't have older versions of the management tools ensured on the same server. E.g. 2008 & 2005 tools cannot coexist - but 2008 tools are backwards compatible, so you can delete both and just cleanly install 2008.
I am working on a C# web service.
I have deployed a web service which is working perfectly on my local system but when I try to run the same service on my virtual dedicated server it is returning an error.
This is my connection string
Data Source = <serverinstance>\\SQLEXPRESS; Initial Catalog = DomainTable; User ID= <serverinstance>\\admin; Password = <Windows_Login_Password>
Before this I was using this connection string
Data Source=<serverinstance>\\SQLEXPRESS; Initial Catalog=DomainTable; Integrated Security=SSPI";
None of them is working for me. please help its really really important
Data Source=serverinstance\SQLEXPRESS;
-----------------------------------------^ only one slash here
Also make sure that the remote server can see whatever you've referenced as <serverinstance>. You may have this as localhost but your web server does not consider your machine to be localhost. It may also not be able to reach it by name, particularly if it is in a different domain.
If you are trying to use Windows Authentication, there is no way on earth you should be using:
User ID = serverinstance\admin; Password = Windows_Login_Password
Wow, never hard-code a Windows password anywhere. If you want to use SQL authentication, then set up . Otherwise you should be using this instead of User ID / Password:
Persist Security Info = true;
And ensuring that the IIS user has been granted access to your SQL Server.
Try just;
"data source=.\\SQLEXPRESS;Integrated Security=SSPI;initial catalog=DomainTable"
I believe the user name / password are generally only required for remote connections, and you must set them up for the specified DB. The above connection string should get you going on the running instance of sqlexpress on the local machine if you have not made login credentials required.
Edit
If you are using IIS to host, here is a chunk from a recent article I did for deploying and setting up App pools to work with SQL Express 2008. Even if you are not using IIS, you will still need to do something like this to get your hosting environment set up correctly with SQL Server.
Step 1 Create a DB Logon for the IIS USER
In the security section in MS SQL SERVER, need to right click users and your IIS APPPOOL(IIS APPPOOL\apppoolname, created in Section one, Step 2).Check out dp.'s answer here for more step by steps - Add IIS 7 AppPool Identities as SQL Server Logons
Step 2 Setting Permissions for the IIS USER on the db
Right click on the database name, and click properties. In permissions section add your APPPOOL user that you just created, be sure to give him the Execute \Select permissions needed .
Note: Website1 needs Execute, Select, Delete, Insert permissions as well. Website2 is also using this app pool which it shouldnt be because we dont not need to alow the user to have that kind of functionality from within the trimdynamics application. We could seperate the app pools so that our trim dynamics IIS USRS is only getting Execute and Select permissions.
If this does not help, it is hard to tell whats really going on without concrete knowledge of your hosting structure, as there are lot's of gotch-ya's when deploying from development to production environment :(
I'm currently developing a web application using asp.net c#. I got a server where I today was
going to publish my website and its database. Its a server that runs Windows Server 2008 R2.
But I have one issue:
My website doesn't seem to get access to the database. If I run the website from another computer on my local network I can access the server's database, BUT I can't when I run the website from the same server where the database is. This is really weird. I hope someone can help.
I just get an error that says, it can't access the database.
The most weird of all is that I'm using the same connection string on both computers, but it still doesn't work. Are there maybe some sort of settings in Windows Server 2008?
Here is my connection string:
<add name="ConnectionString"
connectionString="Data Source=AXELS;Initial Catalog=Sailor;Persist Security Info=True;User ID=sa;Password=saab123"
providerName="System.Data.SqlClient" />
Since the connection works on one machine and not on another, I'd guess you have an issue with a firewall or similar - but it will be hard to tell until we see the actual error message. Until then, there are a few things you might want to do:
If it appears as if the connection has to time out before you get the error, it indicates a connectivity problem. Do you have a firewall between the two servers? Does the database server have a firewall that explicitly lets your machine (or internal) machines get through, but hasn't been setup to let the webserver get through? You have to make sure that port 1433 is open on the server.
Are there other sites on the webserver that can connect to the database?
If you have console access to the server, try to set up an ODBC from the server to the database - usually in Control Panel -> Data Sources (ODBC). If you set up a connection with the same DB Server, username and password and test the connection, you might get some pointers to what is wrong.
If the above doesn't provide you with an answer, I'd try to go through the steps described here:
http://blog.sqlauthority.com/2009/05/21/sql-server-fix-error-provider-named-pipes-provider-error-40-could-not-open-a-connection-to-sql-server-microsoft-sql-server-error/
And if that fails, take a look at this - which is apparently only valid when you get SQL Network Interfaces, error: 26
http://blogs.msdn.com/b/sql_protocols/archive/2007/05/13/sql-network-interfaces-error-26-error-locating-server-instance-specified.aspx
This is probably a permission problem.
You need to show us your connection string so we can see how exactly you try to connect to your database.
For example, if you are using Windows authentication, maybe your app runs under different accounts on both machines - and the account on the other computers has permission to access the database, but the account on the database server has not.
Have you checked the if the protocols you are using are enabled on the SQL Server e.g.
C:\Windows\System32\cliconfg.exe -- 64 bit version
C:\Windows\SysWOW64\cliconfg.exe -- 32 bit version
or check SQL Server Configuration Manager 'SQL Server Native Client *' tabs.
This is only applicable if you do not use Windows Authentication, else read the post about priviliges from Christian Specht - in this case I agree.
The fact that you can connect from another PC on the network means that all you database settings, user accounts and permissions are probably set up correct.
It seems there might be a issue with the way the server resolves localhost, as it will try to resolve the Data Source to localhost because AXELS = localhost on that machine.
Have a look at your hosts file and see if there's any funny pointers except for the default.
Located in C:\Windows\System32\drivers\etc
There should be an entry: 127.0.0.1 localhost
I've just finished my c# application with sql database built in 2008 r2 version
I wanted to share this database over LAN and my connection string is :
ConnectionString = #"Data Source=192.168.0.1,1433\SQLEXPRESS;user id=Rula; password=marojo;AttachDbFilename=\\192.168.0.1\Release\WEPA.mdf;Connection Timeout=30;Integrated Security=SSPI;user instance=true";
where 192.168.0.1 is the IP of the computer hosting the sqlexpress instance
when I connect to database locally from the hosting computer I get no errors, but when I try to connect to the database from the shared application I get the following error:
User doesn't have permission to perform this action.
while I mapped the GUEST user to my database on the hosting machine since I knew that if a computer try to connect to database remotly, it connect as guest.
notice: I have my application and database shared over network in the same folder, and again locally everything is ok
Please what can I do to solve this problem ????
thanks in advance =-)
If the 2 machines are not on the same domain this will fail. You might want to use sql logins
The guest account would not be used in an trusted connection. The integrated connection uses the user account attached to the process using the connection string.
http://forums.asp.net/t/822604.aspx/1
If you wanted to use integrated security, the web server would need to be configured to digest logins and then you would need to grant access to all (potential) authenticated users access to the database. This is typically not done due to the unnecessary complexity you are adding to the process. Just use sql links like Ali stated and be done with it.
Okay, I see a couple things that are wrong in your connection string.
Namely, you have defined a user id and password... then you go on to set the Integrated Security flag. These are mutually exclusive. Either it connects as the same user that the app is executing under (most likely the app pool user account) OR it connects as the user defined in your connection string.
The reason you see a difference between 7 and XP is simply that one is defaulting to using the user id / password, the other is defaulting to using integrated security.
I suggest that you visit http://www.connectionstrings.com/ in order to build a proper connection string.
Update:
Other things I see. First, AttachDbFilename can only work with integrated security. Obviously that isn't a possibility, so you need to get rid of that parameter and configure sqlexpress directly on the server to target that database file.
Second, User Instance is for desktop deployments.. not servers. Get rid of it as well because it's going to be a huge memory hog.
Third, read this: http://msdn.microsoft.com/en-us/library/ms247257(v=VS.100).aspx
There are quite a few reasons this could be happening:
SQL Browser service not turned on
Connection string using a trusted connection and you are not set up as that user (check what user your code is using by getting User from the current context)
You do not have the same protocols set up on the client (less likely)
Since it is a permissions issue, you will most likely have to set up your windows domain account in the database to use it. If that is not an option for the application users, then you may desire to move to a sql account rather than windows accounts.
problem solved !!
there was just attaching problem when the database is attached to sql server management studio it's attached as an old name or related to the computer it's copied from
Thank you everyone for your effort : )