
Thread: Problem with IIS 7 Windows authentication and Remote SQL Server

Last post 09-04-2008 4:54 PM by cmsharp. 11 replies.


  • 08-18-2008, 5:37 PM

    • cmsharp
    • Not Ranked
    • Joined on 08-18-2008, 5:25 PM
    • Posts 7

    Problem with IIS 7 Windows authentication and Remote SQL Server

    I am trying to access a remote SQL server (not on the IIS server) from an ASP page.  The application is for an intranet and we use Windows Active Directory.  I enabled Windows Authentication in IIS and my Windows account has access to the SQL server.  The error that is returned is

    Login failed for user 'PEREGRINECAP\SV-IIS$'. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.Data.SqlClient.SqlException: Login failed for user 'PEREGRINECAP\SV-IIS$'.

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

     

    I used a script to identify what ID is being used and it appears the IIS NT\Network Service is being used, not my Windows ID.  I can find a lot of information about IIS 6 and SQL server, but not much about IIS 7 and remote SQL servers.  Any help or white papers related to this subject would be much appreciated.

     

  • 08-20-2008, 2:12 PM In reply to

    Re: Problem with IIS 7 Windows authentication and Remote SQL Server

    Hi,

    According to the error message, the user account used for the SQL Server login should be 'PEREGRINECAP\SV-IIS$'. The Network Service account seems to be the identity of the IIS worker process; I guess you need to provide more details about the script. The user name is specified in the connection string in Classic ASP, or it can use Windows Authentication; you can see the example here.

    Zhao Ji Ma
    Sincerely,
    Microsoft Online Community Support

    “Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”
  • 08-20-2008, 3:44 PM In reply to

    • cmsharp

    Re: Problem with IIS 7 Windows authentication and Remote SQL Server

    I understand that IIS uses the process account, the Network Service account in my case, to access resources.  However, the Network Service account doesn't have access to the SQL database I'm trying to access.  I would like to use the client identity to access SQL server, but I'm not sure how to pass this from IE, to IIS and then to SQL Server.

     Thanks.

  • 08-21-2008, 2:18 AM In reply to

    Re: Problem with IIS 7 Windows authentication and Remote SQL Server

    Hi,

    "Using impersonation, ASP.NET applications can optionally execute the processing thread using the identity of the client on whose behalf they are operating." See this:

    http://msdn.microsoft.com/en-us/library/aa292118.aspx

    Zhao Ji Ma
    Sincerely,
    Microsoft Online Community Support

  • 08-22-2008, 10:20 AM In reply to

    • cmsharp

    Re: Problem with IIS 7 Windows authentication and Remote SQL Server

    Thanks, these articles are helpful.  The articles apply to IIS 6.0.  Do these same articles apply to IIS 7.0? 

  • 08-24-2008, 10:35 PM In reply to

    Re: Problem with IIS 7 Windows authentication and Remote SQL Server

    Hi cmsharp, 

    You can use it for IIS 7 too. 

    Zhao Ji Ma
    Sincerely,
    Microsoft Online Community Support

  • 08-24-2008, 10:47 PM In reply to

    • cmsharp

    Re: Problem with IIS 7 Windows authentication and Remote SQL Server

    Great, thanks for your help.

  • 08-24-2008, 11:25 PM In reply to

    Re: Problem with IIS 7 Windows authentication and Remote SQL Server

    What you need to do is add the web server machine account on the SQL server.  When Network Service is used for authentication in this manner, in AD the machine account is what needs permissions.  SV-IIS$ is the machine account for the server SV-IIS.

    Steve Schofield
    Windows Server MVP - IIS
    http://weblogs.asp.net/steveschofield

    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget
  • 08-25-2008, 2:10 PM In reply to

    • cmsharp

    Re: Problem with IIS 7 Windows authentication and Remote SQL Server

    Why do I need to add the web server machine account on the SQL server?  I want the user's credentials to flow through from IE to the SQL Server.  The user's credentials already have access to the SQL server.  I have enabled Impersonation, but whenever I attempt to access the SQL server, the Network Service account is used, not the user's credentials.

     

  • 08-28-2008, 5:17 AM In reply to

    Re: Problem with IIS 7 Windows authentication and Remote SQL Server

    Hi,

    You are encountering the classic 'double-hop' scenario. In order to pass your browser user's credentials to your SQL server you need to either use basic authentication or Kerberos in your environment. Only basic authentication and Kerberos credentials can be delegated in this way.

    Regards,

    Paul Lynch
    www.iisadmin.co.uk
  • 09-04-2008, 4:27 PM In reply to

    • cmsharp

    Re: Problem with IIS 7 Windows authentication and Remote SQL Server

    Thanks Paul.  I found a lot of contradictory documentation, from Microsoft, about whether to use Basic vs. Windows Integrated security.  I included the conflicting statements and URLs below.  I also encountered two additional problems that I didn't easily find in any of the SQL/IIS documents.  One, if the website uses a name other than the server name (host name), this needs to be registered as an SPN in AD.  Two, I had to modify the web.config file because of this:

    http://mvolo.com/blogs/serverside/archive/2007/12/08/IIS-7.0-Breaking-Changes-ASP.NET-2.0-applications-Integrated-mode.aspx

    Colin

    “In IIS, only Basic Authentication logs users on with a security token that flows across the network to a remote SQL server. By default, other IIS security modes used in conjunction with the identity configuration element settings will not result in a token that can authenticate to a remote SQL Server.”

    http://msdn.microsoft.com/en-us/library/bsz5788z.aspx  

    “To use a SQL server database, configure the security settings of your project to work with Integrated Security. To do this, turn off anonymous access and turn on impersonation, as indicated in the following procedure.”

    http://msdn.microsoft.com/en-us/library/aa302120(VS.71).aspx  

    “If you enable impersonation and do not specify a domain account as the identity, you will not be able to connect to another computer on the network unless your IIS application is configured to use Basic authentication.”

    http://msdn.microsoft.com/en-us/library/xh507fc5.aspx

     

    “You should use Integrated Windows authentication instead of basic authentication because it avoids transmitting user credentials over the network. Because Kerberos v5 authentication supports mutual authentication, users can also authenticate the server to which they are connecting.  Integrated Windows authentication is best suited for an intranet environment, where both the client and Web server computers are part of the same, or trusting, domains.”

    http://msdn.microsoft.com/en-us/library/aa480475.aspx 

    “By using impersonation, ASP.NET applications can execute code or access resources with the identity of the authenticated user or a fixed Windows identity. Standard impersonate-level impersonation tokens that are usually created when you enable impersonation allow you to access local resources only. To be able to access remote network resources, you require a delegate-level token. To generate a delegate-level token when you impersonate, you need to use Kerberos authentication and your process account needs to be marked as trusted for delegation in Active Directory.”

    http://msdn.microsoft.com/en-us/library/ms998358.aspx

     

     

  • 09-04-2008, 4:54 PM In reply to

    • cmsharp

    Re: Problem with IIS 7 Windows authentication and Remote SQL Server

    Two things I failed to mention.  My ASP application using Windows Authentication w/Kerberos on IIS 7 against a remote SQL server now works.  A co-worker pointed me to this article that explains the gotchas with orchestrating Kerberos.  Since my ASP application uses a host name, not the server name, we needed to add the hostname as an SPN in AD.

    http://blogs.msdn.com/vijaysk/archive/2007/10/19/orchestrating-kerberos-authentication-spn-cheat-sheet.aspx
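
Added example, not part of any post in this thread: a small ASP.NET diagnostic handler that shows, for one request, which identity IIS authenticated, which token the thread actually holds and at what level, and which login the remote SQL Server saw, so the hop where the user's identity is lost becomes visible. The class name `DoubleHopCheck` and the server name `SQLHOST.example.local` are placeholders assumed for illustration.

```csharp
// Added diagnostic, not code from the thread.
// Assumed names: DoubleHopCheck, SQLHOST.example.local (placeholders).
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

public class DoubleHopCheck : IHttpHandler
{
    // Integrated Security makes SQL Server authenticate whatever Windows
    // token the calling thread holds; no user name or password is sent.
    const string ConnStr =
        "Server=SQLHOST.example.local;Database=master;Integrated Security=SSPI;";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext ctx)
    {
        HttpResponse r = ctx.Response;
        r.ContentType = "text/plain";

        // First hop (browser -> IIS): the identity IIS authenticated.
        r.Write("Request user:    " + ctx.User.Identity.Name + "\n");
        r.Write("Auth type:       " + ctx.User.Identity.AuthenticationType + "\n");

        // Token the thread runs under. Without impersonation this is the
        // worker process account (Network Service in the thread above).
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            r.Write("Thread identity: " + id.Name + "\n");
            // Delegation is needed for the second hop; an Impersonation-level
            // token is only good for resources on the web server itself.
            r.Write("Token level:     " + id.ImpersonationLevel + "\n");
        }

        try
        {
            using (SqlConnection cn = new SqlConnection(ConnStr))
            {
                cn.Open();
                // SUSER_SNAME() returns the login SQL Server actually accepted.
                using (SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", cn))
                    r.Write("SQL login:       " + cmd.ExecuteScalar() + "\n");
            }
        }
        catch (SqlException ex)
        {
            // "Login failed for user 'DOMAIN\MACHINE$'" means the web server's
            // machine account arrived instead of the browser user's identity.
            r.Write("SQL error:       " + ex.Message + "\n");
        }
    }
}
```

When delegation works end to end, the request user, the thread identity and the SQL login all name the browser user and the token level reads `Delegation`. Remove the handler after troubleshooting, since it echoes account names and SQL error text to the caller.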
