Connecting to SQLServer 2000 from ASP.NET

I have an ASP.NET application that connects to a SQL Server database.

The SQL Server resides on a seperate development server from the IIS5.1 on
Windows XP SP2 on development PCs which host the ASP.NET application.

I would like to use Integrated Windows Authentication like
Integrated Security=SSPI;Persist Security Info=False;Initial
Catalog=DBName;Data Source=DevServer1

My problems!
1) ASP.NET would be running on development PCs as
MachineName\IUSR_MachineName and under SQL Server Enterprise Manager on the
Dev PC, I can't think of a way to add this user (which is on a different
machine) as a Windows user
2.1) I managed to add MyDomain\AUser as a SQL user in Enterprise Manager.
2.2) I tried to get my ASP.NET to run as MyDomain\AUser by editing
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONF IG\Machine.config as
follows
<processModel
enable="true"
timeout="Infinite"
idleTimeout="Infinite"
shutdownTimeout="0:00:05"
requestLimit="Infinite"
requestQueueLimit="5000"
restartQueueLimit="10"
memoryLimit="60"
webGarden="false"
cpuMask="0xffffffff"
userName="MyDomain\AUser"
password="password"
logLevel="Errors"
clientConnectedCheck="0:00:05"
comAuthenticationLevel="Connect"
comImpersonationLevel="Impersonate"
responseDeadlockInterval="00:03:00"
maxWorkerThreads="20"
maxIoThreads="20"
/>

However, when I launch the ASP.NET application from IE (before it even get
to the stage to connect to SQLServer, I get the error on IE saying
Application Unavailable, and in the Event Viewer, I get

Event Type: Error
Event Source: ASP.NET 1.1.4322.0
Event Category: None
Event ID: 1084
User: N/A
Computer: MachineName
Description:
aspnet_wp.exe could not be started. The error code for the failure is
80004005. This error can be caused when the worker process account has
insufficient rights to read the .NET Framework files. Please ensure that the
.NET Framework is correctly installed and that the ACLs on the installation
directory allow access to the configured account.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: ASP.NET 1.1.4322.0
Event Category: None
Event ID: 1007
User: N/A
Computer: MachineName
Description:
aspnet_wp.exe could not be launched because the username and/or password
supplied in the processModel section of the config file are invalid.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

How could I fix this? I am 100% sure I have entered the correct username
and password under machine.config and I did do an iisreset as well!

Hi Patrick,

From your description, you're trying to access a sqlserver database on a
remote serverfrom your asp.net webserver. and since you 're using
integrated windows Authentication mode to connect the sqlserver db, you'd
like the ASP.NET web app to act as a certain domain account( which has the
right permission for conecting the sqlserver db). Also, you've tried change the account in the <processModel> element for the asp.net but found that
even cause the web app unable to startup running, yes?

As for this problem, here are my suggestions:
1. The <processModel> 's account setting is used for the asp.net's
workerprocess's execute account. It need many asp.net specified permissions which make sure that the asp.net web applciation can run properly. So if
you replace it with a domain account, it 'll cause some unexpected
permission issues which lead to the application uable to startup.

2. As for your situaion, I think the impersonate feature of asp.net is what you want. The impersonation of asp.net
can help use a customized account for asp.net when accessing some
serverside resources. It can use
1) the user account from the client(passed by iis)
2) specified a fix accoun in the <identity ..> element for asp.net to use
when accessing serverside resources.

Below are some references on ASP.NET impersonation;

#ASP.NET Impersonation
http://msdn.microsoft.com/library/en...etimpersonatio n.asp?frame=true

#Using IIS Authentication With ASP.NET Impersonation
http://msdn.microsoft.com/library/en...giisauthentica tionwithaspnetimpersonation.asp?frame=true

#INFO: Implementing Impersonation in an ASP.NET Application
http://support.microsoft.com/?id=306158

Hope helps. Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx

Unfortunately,
1) My ASP.NET seems to have stopped working completely! Now, even having
reverted my machine.config to
<identity impersonate="false" userName="" password=""/>

<processModel
enable="true"
timeout="Infinite"
idleTimeout="Infinite"
shutdownTimeout="0:00:05"
requestLimit="Infinite"
requestQueueLimit="5000"
restartQueueLimit="10"
memoryLimit="60"
webGarden="false"
cpuMask="0xffffffff"
userName="machine"
password="AutoGenerate"
logLevel="Errors"
clientConnectedCheck="0:00:05"
comAuthenticationLevel="Connect"
comImpersonationLevel="Impersonate"
responseDeadlockInterval="00:03:00"
maxWorkerThreads="20"
maxIoThreads="20"
/>

My IIS won't even render a test.aspx which contains:
<%@ Page language="C#" AutoEventWireup="false" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
<HEAD>
<meta name="GENERATOR" Content="Microsoft Visual Studio 7.0">
<meta name="CODE_LANGUAGE" Content="C#">
<meta name="vs_defaultClientScript" content="JavaScript">
<meta name="vs_targetSchema"
content="http://schemas.microsoft.com/intellisense/ie5">
<META http-equiv="Expires" content="0">
<META http-equiv="Pragma" content="no-cache">
<META http-equiv="Cache-Control" content="no-cache">
</HEAD>

<body>
OK?
</body>
</HTML>

I get the same error "Server Application Unavailable" error, and that is
after I have done IISRESET.

Before this, I have tried running processModel as a DomainUser that is a
member of the local "Administrators" and "Debugger Users" group with rights to logon as a batch job, etc.

SOS!

"Steven Cheng[MSFT]" <v-******@online.microsoft.com> wrote in message
news:ji**************@cpmsftngxa10.phx.gbl...

Hi Patrick,

From your description, you're trying to access a sqlserver database on a
remote serverfrom your asp.net webserver. and since you 're using
integrated windows Authentication mode to connect the sqlserver db, you'd like the ASP.NET web app to act as a certain domain account( which has the right permission for conecting the sqlserver db). Also, you've tried

change

the account in the <processModel> element for the asp.net but found that
even cause the web app unable to startup running, yes?

As for this problem, here are my suggestions:
1. The <processModel> 's account setting is used for the asp.net's
workerprocess's execute account. It need many asp.net specified

permissions

which make sure that the asp.net web applciation can run properly. So if
you replace it with a domain account, it 'll cause some unexpected
permission issues which lead to the application uable to startup.

2. As for your situaion, I think the impersonate feature of asp.net is

what

you want. The impersonation of asp.net
can help use a customized account for asp.net when accessing some
serverside resources. It can use
1) the user account from the client(passed by iis)
2) specified a fix accoun in the <identity ..> element for asp.net to use when accessing serverside resources.

Below are some references on ASP.NET impersonation;

#ASP.NET Impersonation

n.asp?frame=true

#Using IIS Authentication With ASP.NET Impersonation

tionwithaspnetimpersonation.asp?frame=true

#INFO: Implementing Impersonation in an ASP.NET Application
http://support.microsoft.com/?id=306158

Hope helps. Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx

Note seeting processModel userName="SYSTEM" does not help either even after an IISRESET !

"Patrick" <pa**@reply.newsgroup.msn.com> wrote in message
news:%2****************@TK2MSFTNGP11.phx.gbl...

Unfortunately,
1) My ASP.NET seems to have stopped working completely! Now, even having

reverted my machine.config to
<identity impersonate="false" userName="" password=""/>

<processModel
enable="true"
timeout="Infinite"
idleTimeout="Infinite"
shutdownTimeout="0:00:05"
requestLimit="Infinite"
requestQueueLimit="5000"
restartQueueLimit="10"
memoryLimit="60"
webGarden="false"
cpuMask="0xffffffff"
userName="machine"
password="AutoGenerate"
logLevel="Errors"
clientConnectedCheck="0:00:05"
comAuthenticationLevel="Connect"
comImpersonationLevel="Impersonate"
responseDeadlockInterval="00:03:00"
maxWorkerThreads="20"
maxIoThreads="20"
/>

My IIS won't even render a test.aspx which contains:
<%@ Page language="C#" AutoEventWireup="false" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
<HEAD>
<meta name="GENERATOR" Content="Microsoft Visual Studio 7.0">
<meta name="CODE_LANGUAGE" Content="C#">
<meta name="vs_defaultClientScript" content="JavaScript">
<meta name="vs_targetSchema"
content="http://schemas.microsoft.com/intellisense/ie5">
<META http-equiv="Expires" content="0">
<META http-equiv="Pragma" content="no-cache">
<META http-equiv="Cache-Control" content="no-cache">
</HEAD>

<body>
OK?
</body>
</HTML>

I get the same error "Server Application Unavailable" error, and that is
after I have done IISRESET.

Before this, I have tried running processModel as a DomainUser that is a
member of the local "Administrators" and "Debugger Users" group with

rights

to logon as a batch job, etc.

SOS!

"Steven Cheng[MSFT]" <v-******@online.microsoft.com> wrote in message
news:ji**************@cpmsftngxa10.phx.gbl...

Hi Patrick,

From your description, you're trying to access a sqlserver database on a remote serverfrom your asp.net webserver. and since you 're using
integrated windows Authentication mode to connect the sqlserver db,

you'd like the ASP.NET web app to act as a certain domain account( which has the right permission for conecting the sqlserver db). Also, you've tried

change

the account in the <processModel> element for the asp.net but found that even cause the web app unable to startup running, yes?

As for this problem, here are my suggestions:
1. The <processModel> 's account setting is used for the asp.net's
workerprocess's execute account. It need many asp.net specified

permissions

which make sure that the asp.net web applciation can run properly. So if you replace it with a domain account, it 'll cause some unexpected
permission issues which lead to the application uable to startup.

2. As for your situaion, I think the impersonate feature of asp.net is

what

you want. The impersonation of asp.net
can help use a customized account for asp.net when accessing some
serverside resources. It can use
1) the user account from the client(passed by iis)
2) specified a fix accoun in the <identity ..> element for asp.net to use when accessing serverside resources.

Below are some references on ASP.NET impersonation;

#ASP.NET Impersonation

n.asp?frame=true

#Using IIS Authentication With ASP.NET Impersonation

tionwithaspnetimpersonation.asp?frame=true

#INFO: Implementing Impersonation in an ASP.NET Application
http://support.microsoft.com/?id=306158

Hope helps. Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx

Hi Patrick,

From your description, you're trying to access a sqlserver database on a
remote serverfrom your asp.net webserver. and since you 're using
integrated windows Authentication mode to connect the sqlserver db, you'd
like the ASP.NET web app to act as a certain domain account( which has the
right permission for conecting the sqlserver db). Also, you've tried change the account in the <processModel> element for the asp.net but found that
even cause the web app unable to startup running, yes?

As for this problem, here are my suggestions:
1. The <processModel> 's account setting is used for the asp.net's
workerprocess's execute account. It need many asp.net specified permissions which make sure that the asp.net web applciation can run properly. So if
you replace it with a domain account, it 'll cause some unexpected
permission issues which lead to the application uable to startup.

2. As for your situaion, I think the impersonate feature of asp.net is what you want. The impersonation of asp.net
can help use a customized account for asp.net when accessing some
serverside resources. It can use
1) the user account from the client(passed by iis)
2) specified a fix accoun in the <identity ..> element for asp.net to use
when accessing serverside resources.

Below are some references on ASP.NET impersonation;

#ASP.NET Impersonation
http://msdn.microsoft.com/library/en...etimpersonatio n.asp?frame=true

#Using IIS Authentication With ASP.NET Impersonation
http://msdn.microsoft.com/library/en...giisauthentica tionwithaspnetimpersonation.asp?frame=true

#INFO: Implementing Impersonation in an ASP.NET Application
http://support.microsoft.com/?id=306158

Hope helps. Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx

Hi Patrick,

First, glad that your critical problem has been resolved. As for the
connecting to sqlserver problem,
have you ever tried the suggestions in my last reply? As I've mentioned,
when you want to provide some powerful permisssions(a powerful account )
when accessing some serverside resource, you can just use impersonate
rather than changing anything in the machine.config.

You can both
1) the user account from the client(passed by iis)
2) specified a fix accoun in the <identity ..> element for asp.net to use
when accessing serverside resources.
<identity impersonate="true" userName="MyDomain\aspUser1"
password="password"/>

#note in your web.config, not machine.config, machine.config is the setting for all the web applicatoin on the machine, and can be override in each web app' web.config file.

when we set <identity impersonate="true" ...> if we specify a user account
after it, then the asp.net will use this account to access serverside
resources . If not specified, it will use the account passed from IIS(the
client account)

3) Also, we can use code to programmatically impersnate the current
thread's security context. I strongly recommend that you have a look at the following tech article which may provide some clues.

#INFO: Implementing Impersonation in an ASP.NET Application
http://support.microsoft.com/?id=306158

Also, the following refrences will help you understand the impersonating
and the ASP.NET's authentication mechnism.

#ASP.NET Impersonation
http://msdn.microsoft.com/library/en...etimpersonatio n.asp?frame=true

#Using IIS Authentication With ASP.NET Impersonation
http://msdn.microsoft.com/library/en...giisauthentica tionwithaspnetimpersonation.asp?frame=true

Good Luck. Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx

Hi Patrick,

First, glad that your critical problem has been resolved. As for the
connecting to sqlserver problem,
have you ever tried the suggestions in my last reply? As I've mentioned,
when you want to provide some powerful permisssions(a powerful account )
when accessing some serverside resource, you can just use impersonate
rather than changing anything in the machine.config.

You can both
1) the user account from the client(passed by iis)
2) specified a fix accoun in the <identity ..> element for asp.net to use
when accessing serverside resources.
<identity impersonate="true" userName="MyDomain\aspUser1"
password="password"/>

#note in your web.config, not machine.config, machine.config is the setting for all the web applicatoin on the machine, and can be override in each web app' web.config file.

when we set <identity impersonate="true" ...> if we specify a user account
after it, then the asp.net will use this account to access serverside
resources . If not specified, it will use the account passed from IIS(the
client account)

3) Also, we can use code to programmatically impersnate the current
thread's security context. I strongly recommend that you have a look at the following tech article which may provide some clues.

#INFO: Implementing Impersonation in an ASP.NET Application
http://support.microsoft.com/?id=306158

Also, the following refrences will help you understand the impersonating
and the ASP.NET's authentication mechnism.

#ASP.NET Impersonation
http://msdn.microsoft.com/library/en...etimpersonatio n.asp?frame=true

#Using IIS Authentication With ASP.NET Impersonation
http://msdn.microsoft.com/library/en...giisauthentica tionwithaspnetimpersonation.asp?frame=true

Good Luck. Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx

This is weird...

I have deployed the code on the Development Server, which is running ASP.NET and SQL Server against which the ASP.NET is trying to connect.

It's getting the following exception:
System.Data.SqlClient.SqlException: Login failed for user 'NT
AUTHORITY\NETWORK SERVICE'.
at System.Data.SqlClient.ConnectionPool.GetConnection (Boolean&
isInTransaction)
at
System.Data.SqlClient.SqlConnectionPoolManager.Get PooledConnection(SqlConnec tionString options, Boolean& isInTransaction)
at System.Data.SqlClient.SqlConnection.Open()
at Website.Templates.Subscription.Submit_Click(Object sender, EventArgs
e) in c:\inetpub\wwwroot\website\templates\subscription. aspx.cs:line 173.

The connection string used is "Integrated Security=SSPI;Persist Security
Info=False;Initial Catalog=SubscriptionsDB;Data Source=DevServer"

This is running on a Windows 2003 Server, though. Would this makes a
difference?