473,657 Members | 2,513 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Login Fails for SQL Server from Web Service

Coy
I've added the ASPNET user to my local SQL Server 2000,
but I still get an unhandled exception: Login failed for
user 'C594891-A\ASPNET'. This is when using a web
service. A similiar ASP.NET application works perfectly
fine, even before I gave any access to the ASPNET account.

I read KB article 316989. In SQL Server 2000, I've added
a login, dbaccess, and granted full rights to the
'C594891-A\ASPNET user. This doesn't make any difference.
The article describes an aspnet_wp "security context" or
account. There is no such account, and SQL Server can't
do anything about any secuity context. Since you can't use
ASPNET to log onto XP, I haven't tested queries in the
database, but I did added the same rights to another account
and when I log on with Windows Integrated security and start
Query Analyzer, that account can do anything in the database.
Anyway, the failure is at login, so I'm guessing web services
need something different to pass the login, than ASPNET
applications require.

The web.config files are the same for the web service, as
for the ASP.NET application. Both are IIS applications.
The application displays data fine, but the web service can't
even log on. Is there a way to trace how IIS is handling the
request.

Below are the non-vanilla portions of the web.config.
<appSettings>
<add key="ConnectStr ing"
value="Server=( local);Database =nes;Trusted_C onnection=Yes"> </add>
</appSettings>
<authenticati on mode="Windows" />

Thanks


Nov 18 '05 #1
8 2363
Don't use Trusted Connection.

Instead use usual SQL connection string used to access SQL
Server :
<add key="ConnectStr ing"
value="Server=( local);Database =nes;user id=C594891-
A\ASPNET;passwo rd='xxx';databa se=xxxx"></add>

Hope this helps :)

Jody Ananda
MCAD.NET,MCSD.N ET
"All programs are poems, it just not all programmers are
poets."

-----Original Message-----
I've added the ASPNET user to my local SQL Server 2000,
but I still get an unhandled exception: Login failed for
user 'C594891-A\ASPNET'. This is when using a web
service. A similiar ASP.NET application works perfectly
fine, even before I gave any access to the ASPNET account.

I read KB article 316989. In SQL Server 2000, I've added
a login, dbaccess, and granted full rights to the
'C594891-A\ASPNET user. This doesn't make any difference.
The article describes an aspnet_wp "security context" or
account. There is no such account, and SQL Server can't
do anything about any secuity context. Since you can't useASPNET to log onto XP, I haven't tested queries in the
database, but I did added the same rights to another accountand when I log on with Windows Integrated security and startQuery Analyzer, that account can do anything in the database.Anyway, the failure is at login, so I'm guessing web servicesneed something different to pass the login, than ASPNET
applications require.

The web.config files are the same for the web service, as
for the ASP.NET application. Both are IIS applications.
The application displays data fine, but the web service can'teven log on. Is there a way to trace how IIS is handling therequest.

Below are the non-vanilla portions of the web.config.
<appSettings >
<add key="ConnectStr ing"
value="Serve r= (local);Databas e=nes;Trusted_ Connection=Yes" ></add></appSettings>
<authenticatio n mode="Windows" />

Thanks


.

Nov 18 '05 #2
Coy,
Try using "Integrated Security=SSPI" rather than "Trusted_Connec tion=Yes".
http://www.able-consulting.com/dotne...anagedProvider

Also, if you really want the calling User's credititals to be used,
rather than the ASP..NET's work processs credititals, then make sure
to add a <identity impersonate="tr ue" /> to your web.config file.

You can run a SQL Profiler (Start | All Programs | Microsoft SQL Server |
Profiler) to see what which user is connecting, and what SQL commands
are being passed in. A very handy debugging tool!
http://msdn.microsoft.com/library/de..._perf_86ib.asp

--

Thanks,
Carl Prothman
Microsoft ASP.NET MVP

Hire top-notch developers at
http://www.able-consulting.com
Coy wrote:
I've added the ASPNET user to my local SQL Server 2000,
but I still get an unhandled exception: Login failed for
user 'C594891-A\ASPNET'. This is when using a web
service. A similiar ASP.NET application works perfectly
fine, even before I gave any access to the ASPNET account.

I read KB article 316989. In SQL Server 2000, I've added
a login, dbaccess, and granted full rights to the
'C594891-A\ASPNET user. This doesn't make any difference.
The article describes an aspnet_wp "security context" or
account. There is no such account, and SQL Server can't
do anything about any secuity context. Since you can't use
ASPNET to log onto XP, I haven't tested queries in the
database, but I did added the same rights to another account
and when I log on with Windows Integrated security and start
Query Analyzer, that account can do anything in the database.
Anyway, the failure is at login, so I'm guessing web services
need something different to pass the login, than ASPNET
applications require.

The web.config files are the same for the web service, as
for the ASP.NET application. Both are IIS applications.
The application displays data fine, but the web service can't
even log on. Is there a way to trace how IIS is handling the
request.

Below are the non-vanilla portions of the web.config.
<appSettings>
<add key="ConnectStr ing"
value="Server=( local);Database =nes;Trusted_C onnection=Yes"> </add>
</appSettings>
<authenticati on mode="Windows" />


Nov 18 '05 #3
Coy
Okay,
with <identity impersonate="tr ue" /> I see my data. However,
I find that it is impersonating me, not the ASPNET account.
This implementation is a Windows Forms application reaching
out to a Web Service. I want all incoming requests to impersonate
the same Windows NT account. I thought ASPNET was going to
be that account, but I thought wrong. Anyway, I don't want the
name and password of such an account to be in the web.config
as that seems sloppy and old fashioned. I guess I need to find out
how the ASP.NET role based security works and try to set that up.
Thanks for your help.
"Carl Prothman [MVP]" <ca****@spamcop .net> wrote in message
news:er******** ******@TK2MSFTN GP12.phx.gbl...
Coy,
Try using "Integrated Security=SSPI" rather than "Trusted_Connec tion=Yes".
http://www.able-consulting.com/dotne...m#SQLClientMan
agedProvider
Also, if you really want the calling User's credititals to be used,
rather than the ASP..NET's work processs credititals, then make sure
to add a <identity impersonate="tr ue" /> to your web.config file.

You can run a SQL Profiler (Start | All Programs | Microsoft SQL Server |
Profiler) to see what which user is connecting, and what SQL commands
are being passed in. A very handy debugging tool!
http://msdn.microsoft.com/library/de...us/adminsql/ad
_mon_perf_86ib. asp
--

Thanks,
Carl Prothman
Microsoft ASP.NET MVP

Hire top-notch developers at
http://www.able-consulting.com
Coy wrote:
I've added the ASPNET user to my local SQL Server 2000,
but I still get an unhandled exception: Login failed for
user 'C594891-A\ASPNET'. This is when using a web
service. A similiar ASP.NET application works perfectly
fine, even before I gave any access to the ASPNET account.

I read KB article 316989. In SQL Server 2000, I've added
a login, dbaccess, and granted full rights to the
'C594891-A\ASPNET user. This doesn't make any difference.
The article describes an aspnet_wp "security context" or
account. There is no such account, and SQL Server can't
do anything about any secuity context. Since you can't use
ASPNET to log onto XP, I haven't tested queries in the
database, but I did added the same rights to another account
and when I log on with Windows Integrated security and start
Query Analyzer, that account can do anything in the database.
Anyway, the failure is at login, so I'm guessing web services
need something different to pass the login, than ASPNET
applications require.

The web.config files are the same for the web service, as
for the ASP.NET application. Both are IIS applications.
The application displays data fine, but the web service can't
even log on. Is there a way to trace how IIS is handling the
request.

Below are the non-vanilla portions of the web.config.
<appSettings>
<add key="ConnectStr ing"
value="Server=( local);Database =nes;Trusted_C onnection=Yes"> </add>
</appSettings>
<authenticati on mode="Windows" />


Nov 18 '05 #4
Coy wrote:
Okay,
with <identity impersonate="tr ue" /> I see my data. However,
I find that it is impersonating me, not the ASPNET account.

That is what impersonate="tr ue" means... ;-)
This implementation is a Windows Forms application reaching
out to a Web Service.
I want all incoming requests to impersonate

the same Windows NT account. I thought ASPNET was going to
be that account, but I thought wrong. Anyway, I don't want the
name and password of such an account to be in the web.config
as that seems sloppy and old fashioned.


With Anonymous Authentication enabled for a Web Service web site,
and authentication mode set to Windows with impersonate set to false
in the web.config file, I was able to have the ASPNET account
(on Windows XP) and NT AUTHORITY\NETWO RK SERVICE (on
Windows Server 2003) be able to select data from the Northwind database
after adding the corresponding account as SQL Server users and giving
the account read rights to the Northwind database.

Are you sure you the ASPNET user account is being used? Try adding the
following code to your web service, then step through and see which account
is being used.
Dim username As String = WindowsIdentity .GetCurrent().N ame

--

Thanks,
Carl Prothman
Microsoft ASP.NET MVP

Hire top-notch developers at
http://www.able-consulting.com
Nov 18 '05 #5
Carl Prothman [MVP] wrote:
Are you sure the ASPNET user account is being used? Try adding
the following code to your web service, then step through and see
which account is being used.
Dim username As String = WindowsIdentity .GetCurrent().N ame


Also, exactly how did you add the account as a SQL Server user with
permissions to the database?

--

Thanks,
Carl Prothman
Microsoft ASP.NET MVP

Hire top-notch developers at
http://www.able-consulting.com
Nov 18 '05 #6
> Coy wrote:
Carl Prothman [MVP] wrote:
Also, exactly how did you add the account as a SQL Server user with
permissions to the database?
Adding the required access to use a SQL server database
requires 3 steps:


Did you add the user account to SQL Server first?
e.g. sp_addlogin
use Tunes
exec sp_grantlogin 'C594891-A\ASPNET

Also call "sp_default db" and "sp_defaultlang uage"
e.g.
exec sp_defaultdb N'CARL20\ASPNET ', N'Northwind'
exec sp_defaultlangu age N'CARL20\ASPNET ', N'us_english'

Make sure NOT to give the user account access to the "master"
database (for the default database).
use Tunes
exec sp_grantdbacces s 'C594891-A\ASPNET'

Isn't that
EXEC sp_grantdbacces s N'CARL20\ASPNET ', N'ASPNET'
use Tunes
Grant select, insert, delete on Tunes to 'C594891-A\ASPNET'

Typically you grant execute permissions on stored procedures
and not on tables.
I no longer think it is a good idea to grant any database
access specifically to ASPNET, since ASPNET is
effectively the anonymous account. This means I've
actually invited all anonymous users into my database.

I agree, but if you only give exec permissions to selected
Stored Procedures, it should be fine.
Also, I shouldn't be using Windows authentication for
Internet users, since they obviously don't have domain
accounts. I think I can either use basic authentication
over SSL

Basic Auth still validates against a Domain acccount.
or possibly Passport - whatever I can do
when I don't control or provide the client interface
that is contacting my web service. No much change
here since the days of ASP?

Next I need to see if it is a good idea to impersonate
some domain account for the database access. I would
need to log on previously authenticated users as that
domain account. I'd set up database access for that account
instead of ASPNET. However, I'm also not sure how to
log on a user programmaticall y from inside a web service
in order to use that strategy.


If you truly need Anonymous Authentication (which it sounds like you do),
then I would keep Anonymous Authentication enabled on on the Web Service
web site and use either:

1) Use a trusted connection string and impersonate a user account which has access
to the database and it's username/password is stored in the system registery for
secuirty reasons:
e.g.
<configuratio n>
<system.web>
<identity>
userName="regis try:HKLM\Softwa re\AspNetIdenti ty,Name"
password="regis try:HKLM\Softwa re\AspNetIdenti ty,Pwd"
</identity>
</system.web>
</configuration>
http://msdn.microsoft.com/library/en...itysection.asp

2) Or use a standard SQL Server username / connection string. You can encrypt
the SQL Server username and password if you like.
http://msdn.microsoft.com/library/en.../html/daag.asp
- See section "Storing Connection Strings"

--

Thanks,
Carl Prothman
Microsoft ASP.NET MVP

Hire top-notch developers at
http://www.able-consulting.com
Nov 18 '05 #7
Coy
We never use sp_addlogin these days, its for SQL Server
authentication only. That's a high maintenance login since
you have to create and maintain it on every server every
time a password needs to change.
http://msdn.microsoft.com/library/de...us/tsqlref/ts_
sp_adda_0q7i.as p

Therefore you can see that while you're using
<authenticati on mode="Windows" />
such a login is never interrogated.

Anyway, you can do:
exec sp_helplogins on any machine around you and see that
the domain ASPNET account has already been installed by
the Visual Studio setup. Master is its default database. So
you don't have to add any login for it, at least on development
machines.

Since you're not doing any authentication and ASPNET has
sufficient access permissions you haven't done anything we
all haven't done. For a web service, obviously the database
login will be deliberate, and the granted permissions strict.
IIS won't be set to anonymous for me. I'm flipping through
MSDN magazine to see which authentication implementations
have the Redmond seal of approval. I'll make my points
here later in the week.

I'm saving all your other points on the database setup:
Also call "sp_default db" and "sp_defaultlang uage"
e.g.
exec sp_defaultdb N'CARL20\ASPNET ', N'Northwind'
exec sp_defaultlangu age N'CARL20\ASPNET ', N'us_english'

Make sure NOT to give the user account access to the "master"
database (for the default database).

Typically you grant execute permissions on stored procedures
and not on tables.
I don't get use any N's in Query Analyser. I guess that's essential for
enforcing wide character strings under .NET when programmaticall y
building strings for queries.
I no longer think it is a good idea to grant any database
access specifically to ASPNET, since ASPNET is
effectively the anonymous account. This means I've
actually invited all anonymous users into my database. I agree, but if you only give exec permissions to selected
Stored Procedures, it should be fine. I like the idea of using sp_addrole and sp_addrolemembe r
to manage permissions for a set of role members.
Also, I shouldn't be using Windows authentication for
Internet users, since they obviously don't have domain
accounts. I think I can either use basic authentication
over SSL Basic Auth still validates against a Domain acccount. Yes, I overlooked this. However, the username and
password can also be validated by other means.
If you truly need Anonymous Authentication (which it sounds like you do),
then I would keep Anonymous Authentication enabled on on the Web Service
web site and use either: No I don't want Anonymous, I will present a login screen as
soon as necessary.
1) Use a trusted connection string and impersonate a user account which has access to the database and it's username/password is stored in the system registery for secuirty reasons:
e.g.
<configuratio n>
<system.web>
<identity>
userName="regis try:HKLM\Softwa re\AspNetIdenti ty,Name"
password="regis try:HKLM\Softwa re\AspNetIdenti ty,Pwd"
</identity>
</system.web>
</configuration>
http://msdn.microsoft.com/library/en...ntitysection.a
sp
2) Or use a standard SQL Server username / connection string. You can encrypt the SQL Server username and password if you like.
http://msdn.microsoft.com/library/en.../html/daag.asp
- See section "Storing Connection Strings"

I'll go read about this and similar topics.

Thanks
Nov 18 '05 #8
Coy
How could the error message text from the
database driver be wrong?

I added that code anyway. However I don't know
how to break in the web service when I start from
a windows forms client on the same machine. Therefore
I don't get to see the assignment. I suppose I should
just trace it instead of breaking, but I haven't done
so as yet. Anyway, I need to set IIS away from
anonymous before that code runs. I'll try Passport,
Basic and other authentication. Right now, when
I debug the web service directly, the principal is
me, but of course that is a bogus test.

Thanks

"Carl Prothman [MVP]" <ca****@spamcop .net> wrote in message
news:O7******** ******@TK2MSFTN GP09.phx.gbl...
Coy wrote:
Okay,
with <identity impersonate="tr ue" /> I see my data. However,
I find that it is impersonating me, not the ASPNET account.

That is what impersonate="tr ue" means... ;-)
This implementation is a Windows Forms application reaching
out to a Web Service.
I want all incoming requests to impersonate

the same Windows NT account. I thought ASPNET was going to
be that account, but I thought wrong. Anyway, I don't want the
name and password of such an account to be in the web.config
as that seems sloppy and old fashioned.


With Anonymous Authentication enabled for a Web Service web site,
and authentication mode set to Windows with impersonate set to false
in the web.config file, I was able to have the ASPNET account
(on Windows XP) and NT AUTHORITY\NETWO RK SERVICE (on
Windows Server 2003) be able to select data from the Northwind database
after adding the corresponding account as SQL Server users and giving
the account read rights to the Northwind database.

Are you sure you the ASPNET user account is being used? Try adding the
following code to your web service, then step through and see which

account is being used.
Dim username As String = WindowsIdentity .GetCurrent().N ame

--

Thanks,
Carl Prothman
Microsoft ASP.NET MVP

Hire top-notch developers at
http://www.able-consulting.com

Nov 18 '05 #9

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics
0
2123
Error : "Cannot open database 'wizou.mdf' requested by login."
by: Mr.KisS | last post by:
Hello. I'm under Windows XP PRO SP1, IIS 5.1 ans SQL SERVER 2005 Express. When i try to open a connexion with : <connectionStrings> <add name="AppCnxStr" connectionString="Server=KLEO\SQLEXPRESS;Integrated Security=True;Database=C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\wizou.mdf" providerName="System.Data.SqlClient" />
ASP.NET
2
10642
Error : "Cannot open database XXX requested by login."
by: Mr.KisS | last post by:
Hello. I'm under Windows XP PRO SP1, IIS 5.1 ans SQL SERVER 2005 Express. When i try to open a connexion with : <connectionStrings> <add name="AppCnxStr" connectionString="Server=KLEO\SQLEXPRESS;Integrated Security=True;Database=C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\wizou.mdf" providerName="System.Data.SqlClient" />
ASP.NET
2
2065
Intermittent SQL Server login problem
by: pvl | last post by:
Hi We have the following scenario: 1. SQL server 2000 on Windows 2003 Server 2. Web server 1, running web service 1 on Windows 2003 Server 3. Web server 2, running web service 2 on Windows 2000 Server 4. Client application. 1, 2 & 3 are all on the same Windows 2003 domain.
ASP.NET
3
3493
Windows Service Login Failed when accessing SQL.
by: Evan Camilleri | last post by:
I have a problem for a Windows Service to login on an SQL server (different machine) - neither Windows Authentication nor SQL Authentication worked. LOGIN FAILED FOR USER sa (for example). If SQL Server is on the same PC of the Windows Service the connection works OK. The same code works in a Windows Form using same user and authentication methods to the SQL Server on a different machine.
Visual Basic .NET
1
2114
pass login to application
by: beachboy | last post by:
how can pass the login (security info) to secondary application? ASP.NET 1.1 user login to application 1(app1.myapp.com) with their username and password, then they have a link to application 2 (app2.myapp.com) and I want to pass the authentication of application 2 with backend process. Also, security issue is first priority. Thanks in advanced.
.NET Framework
0
1082
Database login failure
by: sh | last post by:
I have a web service that logs into a database and retrieves information. Everything works fine if the login is successful. However if the login is unsuccessful, I can't get the web service to let go of the error and get a good login again. The scenario is as follows: The user sends a request to the web service. The web service tries to log in, fails and returns an error to the user.
.NET Framework
0
1282
question about login at server level in sql server express
by: Jean | last post by:
Hi, I have a question about logins and sql server express and an ASP.NET aplication. I put this question in sql server newsgroup, but without real answer sofar. I created a login 'Network service' at server level in Management Studio express. I use windows authentification. Then i defined an user for my database which is associated to login 'Network
ASP.NET
2
3200
Cannot open database requested in login 'HumanResources'. Login failed for user 'companyDomain\BOSIIS$'.
by: Homer | last post by:
Hi, I have an ASP.NET 2.0 Intranet app that works fine on a test server running on Win2003 Server with IIS 6.0. However, it fails when I port it over to the production server running on the same OS. I compared all the configurations and everything matches. I then re-run the aspnet_regiis; I even granted "NT AUTHORITY\NETWORK SERVICE" full access to aspnet_Membership and aspnet_Roles. I don't know why the app uses a local user...
ASP.NET
4
3780
Login failed for user '(null)'
by: Brett | last post by:
I have an ASP.NET 2.0 application that uses Forms Authentication. The startup page contains just a login control, and the site works well on an IIS 6 web server. I am now setting the site up on the production web server, which runs Windows 2008 Server and IIS 7. The login page comes up, but when I try to log in, I get the error, "Login failed for user '(null)'. Reason: Not associated with a trusted SQL Server connection." For debugging...
ASP.NET
0
8413
marktang
What is ONU?
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...
General
0
8324
Changing the language in Windows 10
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
Windows Server
0
8617
tracyyun
Discussion: How does Zigbee compare with other wireless protocols in smart home applications?
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
General
0
7352
agi2029
AI Job Threat for Devs
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
Career Advice
1
6176
isladogs
Access Europe - Using VBA to create a class based on a table - Wed 1 May
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
Microsoft Access / VBA
0
4173
Trying to create a lan-to-lan vpn between two differents networks
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
Networking - Hardware / Configuration
0
4330
Windows Forms - .Net 8.0
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
Visual Basic .NET
2
1970
muto222
How to add payments to a PHP MySQL app.
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.
PHP
2
1733
bsmnconsultancy
Comprehensive Guide to Website Development in Toronto: Expert Insights from BSMN Consultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
General

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes
How to Post and Respond on Bytes
How to Promote and Link on Bytes
How to increase your Ranking on Bytes
Become a Recognized Expert on Bytes
Feedback Welcomed! Contact Us