ASPNET account and NT Authentication with SQL Server -Account Locked Out

09-08-2005, 16:07 ryan.d.rembaum

I have an application running on an IIS box that is trying to make a
connection to a separate SQL server box. The application is using
Windows NT authentication. During development I can access my data
just fine. When I view it in the browser I get the message that the
database does not exist or I do not have the necessary permission to
logon. I have narrowed the problem to one of security rights. It
seems that Windows is passing the ASPNET account to the SQL server box.
So what I did was change the password of the ASPNET account. I then
created an ASPNET account on the other box and gave it the same
password. (I tried this with the IUSR_[MachineName] account first, but
the following is what leads me to believe it is the ASPNET account that
is causing the trouble:

When I go to access the web page, the SQL Server account gets locked
out. I am not sure why! Is it autogenerating a new password to
overwrite my change?

I know I could impersonate someone, but I would rather not set up some
sort of dummy account like that; there is a lot of bureaucracy to go
through to do so. I also do not want to deal with SQL authentication
and store the password in the connection string. It seems that in a
Windows intranet environment this just should not be that hard! I must
be missing something.

Any help would be greatly appreciated. (If it helps, I created the
connection string I am using via the ASP.Net wizard. It contains the
directive to use integrated security.)

Thanks!!!
Ryan

 

Re: ASPNET account and NT Authentication with SQL Server -Account Locked Out

09-08-2005, 20:19 Joe Kaplan (MVP - ADSI)

Can you set up a domain account to run ASP.NET under and use that to access
SQL? The matching machine accounts thing always struck me as kind of
hackish.

Joe K.


 

Re: ASPNET account and NT Authentication with SQL Server -Account Locked Out

09-09-2005, 8:57 Paul Clement

You don't mention the error you are generating from your ASP.NET app but I will assume it's the
"Login failed for user 'MachineName\ASPNET'" message. The following KB article documents the issue:

http://support.microsoft.com/default.aspx?scid=kb;en-us;316989

I would agree with Joe. It would probably be much easier to implement a single domain account rather
than use two local accounts with matching credentials if you are not going to enable impersonation.


Paul
~~~~
Microsoft MVP (Visual Basic)

 

Re: ASPNET account and NT Authentication with SQL Server -Account Locked Out

09-13-2005, 14:35 ryan.d.rembaum


Hello,

The actual error message is: SQL Server does not exist or access
denied. I have definitely considered adding an account under the
domain, but because of our corporate structure there is a lot of red
tape involved in creating an account without a real corresponding user.
Is there a reason the synching of two identical account names and
passwords would not work? It seems when we have applied it here in
other situations. I also don't understand why it would cause the
password to be revoked on the SQL box. Is there some service that
might be changing the password back to some other value after I make my
changes? I have entered the passwords on both boxes for both accounts
multiple times to try to make sure I did not mistype between the two.

Thanks,
Ryan

 

Re: ASPNET account and NT Authentication with SQL Server -Account Locked Out

09-15-2005, 13:51 Paul Clement

Is your system configured for Kerberos? I don't believe credential delegation (to the SQL Server
box) is going to work if you're using Integrated Windows Security w/o Kerberos.


Paul
~~~~
Microsoft MVP (Visual Basic)
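
Added example, not part of the original thread: Windows locks an account after repeated failed logons, so the Security log on the SQL Server box shows which machine sent the bad attempts before a lockout like the one described above. The sketch below correlates failed-logon events (ID 4625) with lockout events (ID 4740) over a constructed CSV export; the column layout and host names are assumptions, and systems of the thread's era logged the same events under older IDs.

```python
import csv
import io
from collections import defaultdict

FAILED_LOGON = "4625"  # Security log: "An account failed to log on"
LOCKED_OUT = "4740"    # Security log: "A user account was locked out"

# Constructed sample: a simplified CSV export of Security-log events taken
# from the SQL Server box. Column names and host names are made up.
SAMPLE = """\
time,event_id,account,source
2005-09-08T16:01:10,4625,ASPNET,WEBBOX01
2005-09-08T16:01:11,4625,ASPNET,WEBBOX01
2005-09-08T16:01:11,4624,sqladmin,ADMINPC
2005-09-08T16:01:12,4625,ASPNET,WEBBOX01
2005-09-08T16:01:12,4740,ASPNET,WEBBOX01
2005-09-08T16:20:03,4625,aspnet,WEBBOX01
"""


def lockout_sources(csv_text):
    """For every lockout event, report how many failed logons each source
    machine sent for that account since the account's previous lockout."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # ISO timestamps sort correctly as strings; sorted() is stable, so
    # events sharing a timestamp keep their order from the export.
    rows = sorted(rows, key=lambda r: r["time"])

    failures = defaultdict(lambda: defaultdict(int))  # account -> source -> count
    report = []
    for row in rows:
        account = row["account"].upper()  # Windows account names are case-insensitive
        if row["event_id"] == FAILED_LOGON:
            failures[account][row["source"].upper()] += 1
        elif row["event_id"] == LOCKED_OUT:
            counts = dict(failures.pop(account, {}))  # reset counter after lockout
            report.append({
                "account": account,
                "time": row["time"],
                "failed_by_source": counts,
            })
    return report


if __name__ == "__main__":
    for entry in lockout_sources(SAMPLE):
        print(entry["time"], entry["account"], entry["failed_by_source"])
```

A lockout preceded only by failures from the web server points at the credentials the web application presents rather than at someone mistyping a password elsewhere.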