471,595 Members | 1,766 Online
Bytes | Software Development & Data Engineering Community
Post +

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 471,595 software developers and data experts.

Windows authentication/impersonation.. login failed for user null?

Hey,

We have an sql server 2000 machine and IIS 6 machine running seperately
but on the same domain. I can connect fine to the database without using
impersonation, but when it's enabled I get the error:
"Login failed for user '(null)'. Reason: Not associated with a trusted SQL
Server connection."

When I check System.Security.Principal.WindowsIdentity.GetCurre nt().Name I
get the valid domain user that I would expect, why isn't this user being
checked against the sql server?

cheers for any help,
Chris
Dec 19 '06 #1
6 12649
You must make sure that domain user account or the domain security group
(that domain user account is in) ia mapped to a SQL server login/Sql Server
database user. That is, not all domain user account is automatically allowed
to access SQL Server, you need to explicitly create SQL Server login that
maps to a domain group/user, and then make specific SQL Server login as
given database's user/owner...
"Not Me" <No****@nada.nope.hk.zawrote in message
news:11***************@ucsnew2.ncl.ac.uk...
Hey,

We have an sql server 2000 machine and IIS 6 machine running seperately
but on the same domain. I can connect fine to the database without using
impersonation, but when it's enabled I get the error:
"Login failed for user '(null)'. Reason: Not associated with a trusted SQL
Server connection."

When I check System.Security.Principal.WindowsIdentity.GetCurre nt().Name I
get the valid domain user that I would expect, why isn't this user being
checked against the sql server?

cheers for any help,
Chris

Dec 19 '06 #2
You must make sure that domain user account or the domain security group
(that domain user account is in) ia mapped to a SQL server login/Sql Server
database user. That is, not all domain user account is automatically allowed
to access SQL Server, you need to explicitly create SQL Server login that
maps to a domain group/user, and then make specific SQL Server login as
given database's user/owner...
"Not Me" <No****@nada.nope.hk.zawrote in message
news:11***************@ucsnew2.ncl.ac.uk...
Hey,

We have an sql server 2000 machine and IIS 6 machine running seperately
but on the same domain. I can connect fine to the database without using
impersonation, but when it's enabled I get the error:
"Login failed for user '(null)'. Reason: Not associated with a trusted SQL
Server connection."

When I check System.Security.Principal.WindowsIdentity.GetCurre nt().Name I
get the valid domain user that I would expect, why isn't this user being
checked against the sql server?

cheers for any help,
Chris

Dec 19 '06 #3
SAL
Chris, I just, agonizingly, went through this same scenario. Here was my
problem.

In IIS, I opened the properties of my web application and I had to change
the default user (on the Directory Security Tab) that was entered there to
my domain account (or some other user's domain account that could log on to
the machine that SQL Server was residing on). Then I had to uncheck the Let
IIS manage the password checkbox and enter in my own password. I had to
leave Integrated Windows Authentication checked.
In my web.config, I had to have this tag:

<identity impersonate="true" />

When publishing, I believe I had to uncheck the Integrated Windows
Authentication to make it work on machines other than my dev box.

HTH
S

"Not Me" <No****@nada.nope.hk.zawrote in message
news:11***************@ucsnew2.ncl.ac.uk...
Hey,

We have an sql server 2000 machine and IIS 6 machine running seperately
but on the same domain. I can connect fine to the database without using
impersonation, but when it's enabled I get the error:
"Login failed for user '(null)'. Reason: Not associated with a trusted SQL
Server connection."

When I check System.Security.Principal.WindowsIdentity.GetCurre nt().Name I
get the valid domain user that I would expect, why isn't this user being
checked against the sql server?

cheers for any help,
Chris

Dec 19 '06 #4
"Norman Yuan" <No*****@NotReal.notwrote in message
news:%2****************@TK2MSFTNGP02.phx.gbl...
You must make sure that domain user account or the domain security group
(that domain user account is in) ia mapped to a SQL server login/Sql
Server database user. That is, not all domain user account is
automatically allowed to access SQL Server, you need to explicitly create
SQL Server login that maps to a domain group/user, and then make specific
SQL Server login as given database's user/owner...
Thanks for the help Norman.. I'm still a bit confused though (I need to
explain this to the admins for them to make the changes).

I have an account made up on the sql server, for the security group that I
expect the users to reside in. This isn't an sql server login though, does
it need to be?

If I turn off impersonation, and have the username set up in IIS directly..
it works, it's just when I want to pass the credentials of whoever is logged
into the machine, via IIS/ASP to the SQL server, that it breaks.

cheers,
Chris
Dec 20 '06 #5
"SAL" <SA**@NoNo.comwrote in message
news:Oh**************@TK2MSFTNGP02.phx.gbl...
Chris, I just, agonizingly, went through this same scenario. Here was my
problem.

In IIS, I opened the properties of my web application and I had to change
the default user (on the Directory Security Tab) that was entered there to
my domain account (or some other user's domain account that could log on
to the machine that SQL Server was residing on). Then I had to uncheck the
Let IIS manage the password checkbox and enter in my own password. I had
to leave Integrated Windows Authentication checked.
In my web.config, I had to have this tag:

<identity impersonate="true" />

When publishing, I believe I had to uncheck the Integrated Windows
Authentication to make it work on machines other than my dev box.
Thanks SAL, I'll also pass this to the admins to see if we can work it out.

cheers,
Chris

Dec 20 '06 #6
You need to know which user account on the IIS computer is used to run you
ASP.NET APP (you should know that, as ASP.NET app developer, so you can make
sure your ASPP.NET app runs within the security scope you expected).

Since ASP.NET runs on top of IIS, both IIS configuration and ASP.NET
configuration take place here.

Assume you use Windows Authentication in your ASP.NET (by default). If you
set "impersonate" to true, then the user account running your asp.net app
is determined by if your IIS/App virtue directory allows anonymous access.
If yes, the user account would be the default IIS running account
(IUser_MNachineName, by default, or the account you entered directly into
the IIS, as you described); if not, the ASP.NET app will "impersonate" to
the user who requests the ASP.NET. If you do not use "impersonate", the
APS.NET running account would be ASPNET or Network Service .

So, you really need to

1. As app developer, have clear idea which user account is designed/expected
to run your asp.net app. You need to consider do the configarations in both
IIS and your ASP.NET's web.config, so that the user account used is safe to
the server/network.

2. Once you know which user account (it can be a local account in the IIS
server, or a domain user account), you can configure the SQL Server to give
that account appropriate access.

"Not Me" <No****@nada.nope.hk.zawrote in message
news:11***************@ucsnew2.ncl.ac.uk...
"Norman Yuan" <No*****@NotReal.notwrote in message
news:%2****************@TK2MSFTNGP02.phx.gbl...
>You must make sure that domain user account or the domain security group
(that domain user account is in) ia mapped to a SQL server login/Sql
Server database user. That is, not all domain user account is
automatically allowed to access SQL Server, you need to explicitly create
SQL Server login that maps to a domain group/user, and then make specific
SQL Server login as given database's user/owner...

Thanks for the help Norman.. I'm still a bit confused though (I need to
explain this to the admins for them to make the changes).

I have an account made up on the sql server, for the security group that I
expect the users to reside in. This isn't an sql server login though,
does it need to be?

If I turn off impersonation, and have the username set up in IIS
directly.. it works, it's just when I want to pass the credentials of
whoever is logged into the machine, via IIS/ASP to the SQL server, that it
breaks.

cheers,
Chris


Dec 20 '06 #7

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

1 post views Thread by Thomas Scheiderich | last post: by
8 posts views Thread by Nils Magnus Englund | last post: by
11 posts views Thread by Eric | last post: by
8 posts views Thread by Keith H | last post: by
1 post views Thread by =?Utf-8?B?c3VidGlsZQ==?= | last post: by
reply views Thread by leo001 | last post: by

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.