Unable to connect to database using Win Auth from ASP.Net web app hosted in IIS7


I've a web application hosted on Windows Server 2008 64 Bit with IIS 7 and SQL Server 2008. The web application pool account is Network Service, and I've added this account to the SQL Server 2008 logins and mapped it to a user in the database with db_owner rights.

This Web site is in ASP.Net 2.0 and it's using Forms Authentication to secure access to some of its resources (not all), so Anonymous Access, Impersonation=True and Forms Authentication are enabled in IIS 7. The web application is utilizing Membership Provider Controls.

When the website starts, inside "Application_Start" it tries to connect to the database and read some startup configuration. The connection string for the database is saved in web.config. Following is the connection string.

Data Source=XXXXX; Initial Catalog=XXXXX; Integrated Security=SSPI; Trusted_Connection=True;

However, when the application starts it fails to connect to the database and I found the following 3 entries in the Event Log.

SSPI handshake failed with error code 0x8009030c while establishing a connection with integrated security; the connection has been closed. [CLIENT: ]

Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. [CLIENT: ]

Event code: 3005 
Event message: An unhandled exception has occurred. 
Event time: 4/26/2011 9:22:05 PM 
Event time (UTC): 4/26/2011 6:22:05 PM 
Event ID: 71a4b2cd8d40492ab89af3430cf42ea5 
Event sequence: 2 
Event occurrence: 1 
Event detail code: 0 

Application information: 
    Application domain: /LM/W3SVC/5/ROOT-1-129483157247676684 
    Trust level: Full 
    Application Virtual Path: / 
    Application Path: C:\LMS Projects\Deployment\Web Applications\Microsoft Dynamics CRM Customer LMS Portal\ 
    Machine name: LMS 

Process information: 
    Process ID: 3688 
    Process name: w3wp.exe 
    Account name: NT AUTHORITY\NETWORK SERVICE 

Exception information: 
    Exception type: LoyaltyException 
    Exception message: Exception of type 'LMS.Helpers.LoyaltyException' was thrown. 

Request information: 
    Request URL: http://localhost:6666/default.aspx 
    Request path: /default.aspx 
    User host address: ::1 
    User:  
    Is authenticated: False 
    Authentication Type:  
    Thread account name: NT AUTHORITY\NETWORK SERVICE 

Thread information: 
    Thread ID: 4 
    Thread account name: NT AUTHORITY\NETWORK SERVICE 
    Is impersonating: False 
    Stack trace:    at ASP.global_asax.Application_Start() in c:\LMS Projects\Deployment\Web Applications\Microsoft Dynamics CRM Customer LMS Portal\Global.asax:line 27

The exception shown above is a custom exception which I throw after handling the platform exception, so it is not to be mistaken for an error in the code. This code is working fine on a Windows Server 2003 and IIS 6.0 environment.

windows-server-2008
iis-7
asp.net
asked on Server Fault Apr 26, 2011 by S M Kamran

1 Answer


Impersonation will cause your anonymous user to be used, rather than your app pool user.

Here are a couple recommendations:

  • If you give each site their own app pool, then for your anonymous user set it to use the app pool user. Then you only need to maintain one user.
  • Set your app pool user to something other than Network Service. Since you're on IIS 7.0 (WS08 RTM) it's more difficult to work with the IIS APPPOOL\AppPoolName user, and it isn't generally good to work with NETWORK SERVICE directly. There are some known elevation of permission security holes, and granting permission for that account opens it up for other applications too. I would probably just create a custom user, assign it to the app pool, grant permissions on disk, and then grant access to the database.
answered on Server Fault May 4, 2011 by Scott Forsyth - MVP
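The configuration the answer recommends, written out as an added example (it is not from the question or the answer): the site keeps Forms Authentication and impersonation, anonymous requests are told to run as the application pool identity instead of the default IUSR account, and the pool runs under a dedicated account. The names LmsPortalPool, SQLHOST, LmsDb and DOMAIN\svc_lmsportal are placeholders, not values from the post.

```xml
<!-- web.config of the site (constructed example) -->
<configuration>
  <connectionStrings>
    <!-- Integrated Security=SSPI already requests a trusted connection;
         Trusted_Connection=True from the question is redundant but harmless -->
    <add name="Lms"
         connectionString="Data Source=SQLHOST;Initial Catalog=LmsDb;Integrated Security=SSPI;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <authentication mode="Forms" />
    <!-- With impersonate="true", requests from visitors who have not logged in
         through Forms auth run as the IIS anonymous account, not the pool identity -->
    <identity impersonate="true" />
  </system.web>
  <system.webServer>
    <security>
      <authentication>
        <!-- An empty userName tells IIS 7 to use the application pool identity
             for anonymous requests, so only that one account needs a SQL login.
             This section is locked at the server level by default; unlock it with
             appcmd unlock config /section:system.webServer/security/authentication/anonymousAuthentication
             or place the setting in applicationHost.config instead -->
        <anonymousAuthentication enabled="true" userName="" />
      </authentication>
    </security>
  </system.webServer>
</configuration>

<!-- applicationHost.config fragment (constructed example): a dedicated pool for the
     site running as a custom account rather than NETWORK SERVICE. That account then
     gets NTFS rights on the site folder and a SQL Server login mapped to the database -->
<applicationPools>
  <add name="LmsPortalPool" managedRuntimeVersion="v2.0" managedPipelineMode="Integrated">
    <processModel identityType="SpecificUser"
                  userName="DOMAIN\svc_lmsportal"
                  password="[placeholder, set via IIS Manager or appcmd]" />
  </add>
</applicationPools>
```

To confirm which account actually reaches SQL Server, the "Login failed" event's message names the login that was presented; it should now show the pool account rather than IUSR or an anonymous/empty login.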

User contributions licensed under CC BY-SA 3.0