On 13 Sep 2005 14:35:16 -0700, wrote:
¤
¤ Paul Clement wrote:
¤ > On 8 Sep 2005 16:07:14 -0700, wrote:
¤ >
¤ > ¤ I have an application running on an IIS box that is trying to make a
¤ > ¤ connection to a separate SQL server box. The application is using
¤ > ¤ Windows NT authentication. During development I can access my data
¤ > ¤ just fine. When I view it in the browser I get the message that the
¤ > ¤ database does not exist or I do not have the necessary permission to
¤ > ¤ logon. I have narrowed the problem to one of security rights. It
¤ > ¤ seems that windows is passing the ASPNET account to the SQL server box.
¤ > ¤ So what I did was change the password of the ASPNET account. I then
¤ > ¤ created an ASPNET account on the other box and gave it the same
¤ > ¤ password. (I tried this with the IUSR_[MachineName] account first, but
¤ > ¤ the following is what leads me to believe it is the ASPNET account that
¤ > ¤ is causing the trouble:
¤ > ¤
¤ > ¤ When I go to access the web page, the SQL Server account gets locked
¤ > ¤ out. I am not sure why! Is it autogenerating a new password to
¤ > ¤ overwrite my change?
¤ > ¤
¤ > ¤ I know I could impersonate someone, but I would rather not set up some
¤ > ¤ sort of dummy account like that; there is a lot of bureaucracy to go
¤ > ¤ through to do so. I also do not want to deal with SQL authentication
¤ > ¤ and store the password in the connection string. It seems that in a
¤ > ¤ Windows intranet environment this just should not be that hard! I must
¤ > ¤ be missing something.
¤ > ¤
¤ > ¤ Any help would be greatly appreciated. (If it helps, I created the
¤ > ¤ connection string I am using via the ASP.Net wizard. It contains the
¤ > ¤ directive to use integrated security.)
¤ >
¤ > You don't mention the error you are generating from your ASP.NET app but I will assume it's the
¤ > "Login failed for user 'MachineName\ASPNET'" message. The following KB article documents the issue:
¤ >
¤ > http://support.microsoft.com/default...b;en-us;316989
¤ >
¤ > I would agree with Joe. It would probably be much easier to implement a single domain account rather
¤ > than use two local accounts with matching credentials if you are not going to enable impersonation.
¤ >
¤ >
¤ > Paul
¤ > ~~~~
¤ > Microsoft MVP (Visual Basic)
¤
¤ Hello,
¤
¤ The actual error message is: SQL Server does not exist or access
¤ denied. I have definitely considered adding an account under the
¤ domain, but because of our corporate structure there is a lot of red
¤ tape involved in creating an account without a real corresponding user.
¤ Is there a reason the synching of two identical account names and
¤ passwords would not work? It seems to when we have applied it here in
¤ other situations. I also don't understand why it would cause the
¤ password to be revoked on the SQL box. Is there some service that
¤ might be changing the password back to some other value after I make my
¤ changes? I have entered the passwords on both boxes for both accounts
¤ multiple times to try to make sure I did not mistype between the two.

Is your system configured for Kerberos? I don't believe credential delegation (to the SQL Server
box) is going to work if you're using Integrated Windows Security w/o Kerberos.

Paul
~~~~
Microsoft MVP (Visual Basic)
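
The thread turns on which Windows account actually reaches the SQL Server box over the integrated-security connection. The probe below is an added example, not code from any poster in this thread; it reports the identity the ASP.NET thread runs under and the login SQL Server sees, so the two can be compared. The server name `SQLBOX`, the database `AppDb` and the class name `SqlIdentityProbe` are placeholders.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Text;

public static class SqlIdentityProbe
{
    // Placeholder server and database names (assumptions, not from the thread).
    public const string ConnStr =
        "Data Source=SQLBOX;Initial Catalog=AppDb;Integrated Security=SSPI;";

    public static string Run(string connStr)
    {
        StringBuilder report = new StringBuilder();

        // Token of the current thread. Without impersonation this is the
        // worker-process account; with impersonation it is the impersonated user.
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        report.AppendLine("Thread identity: " + id.Name);
        report.AppendLine("Auth type:       " + id.AuthenticationType);

        try
        {
            using (SqlConnection conn = new SqlConnection(connStr))
            using (SqlCommand cmd = new SqlCommand("SELECT SYSTEM_USER", conn))
            {
                conn.Open();
                // The login SQL Server mapped this connection to.
                report.AppendLine("SQL login:       " + cmd.ExecuteScalar());
            }
        }
        catch (SqlException ex)
        {
            // 18456: login failed for the account named in the message.
            // 18452: the connection was not treated as a trusted connection.
            // For any other number, read ex.Message.
            report.AppendLine("SqlException " + ex.Number + ": " + ex.Message);
        }
        return report.ToString();
    }

    // Console entry point; this runs as the logged-on user, not as ASPNET.
    public static void Main()
    {
        Console.Write(Run(ConnStr));
    }
}
```

To see what the web application sends, call `SqlIdentityProbe.Run` from a page inside the application rather than from the console, and compare the reported thread identity with the failed-login entries on the SQL Server box.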