ASPNET account and NT Authentication with SQL Server - Account Locked Out

ryan.d.rembaum

I have an application running on an IIS box that is trying to make a
connection to a separate SQL server box. The application is using
Windows NT authentication. During development I can access my data
just fine. When I view it in the browser I get the message that the
database does not exist or I do not have the necessary permission to
logon. I have narrowed the problem to one of security rights. It
seems that Windows is passing the ASPNET account to the SQL server box.
So what I did was change the password of the ASPNET account. I then
created an ASPNET account on the other box and gave it the same
password. (I tried this with the IUSR_[MachineName] account first, but
the following is what leads me to believe it is the ASPNET account that
is causing the trouble:

When I go to access the web page, the SQL Server account gets locked
out. I am not sure why! Is it autogenerating a new password to
overwrite my change?

I know I could impersonate someone, but I would rather not set up some
sort of dummy account like that; there is a lot of bureaucracy to go
through to do so. I also do not want to deal with SQL authentication
and store the password in the connection string. It seems that in a
Windows intranet environment this just should not be that hard! I must
be missing something.

Any help would be greatly appreciated. (If it helps, I created the
connection string I am using via the ASP.Net wizard. It contains the
directive to use integrated security.)

Thanks!!!
Ryan
 
Joe Kaplan (MVP - ADSI)

Can you set up a domain account to run ASP.NET under and use that to access
SQL? The matching machine accounts thing always struck me as kind of
hackish.

Joe K.
 
Paul Clement

On 8 Sep 2005 16:07:14 -0700, (e-mail address removed) wrote:

¤ I have an application running on an IIS box that is trying to make a
¤ connection to a separate SQL server box. The application is using
¤ Windows NT authentication. During development I can access my data
¤ just fine. When I view it in the browser I get the message that the
¤ database does not exist or I do not have the necessary permission to
¤ logon. I have narrowed the problem to one of security rights. It
¤ seems that Windows is passing the ASPNET account to the SQL server box.
¤ So what I did was change the password of the ASPNET account. I then
¤ created an ASPNET account on the other box and gave it the same
¤ password. (I tried this with the IUSR_[MachineName] account first, but
¤ the following is what leads me to believe it is the ASPNET account that
¤ is causing the trouble:
¤
¤ When I go to access the web page, the SQL Server account gets locked
¤ out. I am not sure why! Is it autogenerating a new password to
¤ overwrite my change?
¤
¤ I know I could impersonate someone, but I would rather not set up some
¤ sort of dummy account like that; there is a lot of bureaucracy to go
¤ through to do so. I also do not want to deal with SQL authentication
¤ and store the password in the connection string. It seems that in a
¤ Windows intranet environment this just should not be that hard! I must
¤ be missing something.
¤
¤ Any help would be greatly appreciated. (If it helps, I created the
¤ connection string I am using via the ASP.Net wizard. It contains the
¤ directive to use integrated security.)

You don't mention the error you are generating from your ASP.NET app but I will assume it's the
"Login failed for user 'MachineName\ASPNET'" message. The following KB article documents the issue:

http://support.microsoft.com/default.aspx?scid=kb;en-us;316989

I would agree with Joe. It would probably be much easier to implement a single domain account rather
than use two local accounts with matching credentials if you are not going to enable impersonation.


Paul
~~~~
Microsoft MVP (Visual Basic)
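
The SQL Server side of the single-domain-account setup that Joe and Paul suggest, sketched as an added example that is not taken from the thread or from the KB article. `CONTOSO\svc_webapp` and `AppDb` are hypothetical placeholders, and the ASP.NET worker process is assumed to already run as that domain account.

```sql
-- Added example. CONTOSO\svc_webapp and AppDb are hypothetical placeholders.
-- Run as a sysadmin in Query Analyzer, osql or sqlcmd (GO is their batch separator).

-- 1. Allow the domain account to log in with Windows authentication.
IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins
               WHERE loginname = N'CONTOSO\svc_webapp')
    EXEC sp_grantlogin N'CONTOSO\svc_webapp';
GO

-- 2. Map the login to a user in the application database only,
--    so the account has no access to any other database on the server.
USE AppDb;
GO
IF NOT EXISTS (SELECT 1 FROM dbo.sysusers
               WHERE name = N'CONTOSO\svc_webapp')
    EXEC sp_grantdbaccess N'CONTOSO\svc_webapp';
GO

-- 3. Least privilege: grant read access only. Add db_datawriter or
--    specific EXECUTE grants only if the application needs them.
EXEC sp_addrolemember N'db_datareader', N'CONTOSO\svc_webapp';
GO

-- 4. Verification: run this through the web application's own
--    integrated-security connection. It returns the login SQL Server
--    authenticated, which should be the domain account and not
--    a local ASPNET or IUSR_ account.
SELECT SUSER_SNAME() AS authenticated_as;
```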
 
ryan.d.rembaum

Hello,

The actual error message is: SQL Server does not exist or access
denied. I have definitely considered adding an account under the
domain, but because of our corporate structure there is a lot of red
tape involved in creating an account without a real corresponding user.
Is there a reason the synching of two identical account names and
passwords would not work? It seems when we have applied it here in
other situations. I also don't understand why it would cause the
password to be revoked on the SQL box. Is there some service that
might be changing the password back to some other value after I make my
changes? I have entered the passwords on both boxes for both accounts
multiple times to try to make sure I did not mistype between the two.

Thanks,
Ryan
 
Paul Clement

On 13 Sep 2005 14:35:16 -0700, (e-mail address removed) wrote:

¤ Hello,
¤
¤ The actual error message is: SQL Server does not exist or access
¤ denied. I have definitely considered adding an account under the
¤ domain, but because of our corporate structure there is a lot of red
¤ tape involved in creating an account without a real corresponding user.
¤ Is there a reason the synching of two identical account names and
¤ passwords would not work? It seems when we have applied it here in
¤ other situations. I also don't understand why it would cause the
¤ password to be revoked on the SQL box. Is there some service that
¤ might be changing the password back to some other value after I make my
¤ changes? I have entered the passwords on both boxes for both accounts
¤ multiple times to try to make sure I did not mistype between the two.

Is your system configured for Kerberos? I don't believe credential delegation (to the SQL Server
box) is going to work if you're using Integrated Windows Security w/o Kerberos.


Paul
~~~~
Microsoft MVP (Visual Basic)
 
