Login failed for user 'NT AUTHORITY\LOCAL SERVICE'.

[Guest]

Wonder if someone can help!

We're getting the following error on our Intranet system as soon as we login..

------------------

Exception Details: System.Data.SqlClient.SqlException: Login failed for user
'NT AUTHORITY\LOCAL SERVICE'.

Source Error:


sql = "SELECT Projects.ProjectID, ProjectName, SessionID FROM Projects,
Sessions WHERE (Sessions.ProjectID = Projects.ProjectID) AND
(Sessions.SessionDate >= '" + theStart + "' AND Sessions.SessionDate <= '" +
theEnd + "') ORDER BY Projects.ProjectID DESC";

SqlConnection dbConn = new
SqlConnection(ConfigurationSettings.AppSettings.Get("System_ConnectionString"));

dbConn.Open();
SqlCommand prjCmd= new SqlCommand(sql, dbConn);
SqlDataReader prjDr = prjCmd.ExecuteReader();

-----------------

the error occurs at the "dbConn.Open();" line.

I've got no idea why this is suddenly happening. This has been working fine,
and then has suddenly stopped. As far as I'm aware, nothing has changed on
the server.

Details...

..net 2.0
Win2k3 Server
MSDE

the Intranet is running in its own pool in IIS.

It looks like a security issue, but what?!

Any help greatly appreciated!

Cheers


Dan

 

[Guest]

Well, the error is exactly what it says. NT AUTHORITY\LOCAL SERVICE doesn't
have a login to the SQL Server / database. Either give it one, or have the
app use a different connection string with credentials that do have access.
Peter

 

[Guest]

Hi Peter

Yeah that makes sense, but WHAT is this LOCAL SERVICE!? I've never heard of
it before? I thought everything was done from \NETWORK SERVICE?! Is that a
wrong assumption?!

Cheers


Dan

 

[Guest]

OK,
Let's go to the source and read up on it!

http://msdn2.microsoft.com/en-us/library/ms143504.aspx

Peter
--
Co-founder, Eggheadcafe.com developer portal:
http://www.eggheadcafe.com
UnBlog:
http://petesbloggerama.blogspot.com

 

[Steven Cheng[MSFT]]

Hi Dan,

The error message did indicate that the login user doesn't have sufficient
permission access the target database, and since you mentioned the error
occur at the connection opening time, it is likely the calling
application's security identity doesn't have sufficient permission.
Currently I'd like to confirm the following information:

1. Are you running the ASP.NET application on a windows 2003 server with
IIS 6(also the ASP.NET application is hosted in IIS rather than .net test
server)?

2. Are you connecting to a SQL Server database in server engine or a SQL
Express data file?

3. If convenient, would you also paste the connectionstring to us(whether
use sql authentication or integrated windows)..

If you're using IIS6, then the ASP.NET security context should be the
application pool's identity (if you're not using impersonate in ASP.NET),
and by default the application pool identity is "NT AUTHORITY\NETWORK
SERVICE", however ,it is possible that someone changed it to other ones
such as LOCAL SYSTEM or LOCAL Service(these three accounts is common ones
used by service application).

Also, if you're using SQL Express database, by default the ASP.NET will
generate connectionstring which use "user instance" connnection mode that
help restricted account to access SQL Express data file. Sometimes changes
on this setting may cause login failed error:

#User Instances for Non-Administrators
http://msdn2.microsoft.com/en-us/library/ms143684.aspx

Anyway, please have a look at the above ones and if there is anything
unclear in them or any other questions, please feel free to post here.


Regards,

Steven Cheng
Microsoft Online Community Support


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Steven Cheng[MSFT]]

Hi Dan,

How are you doing on this issue, does my last reply helps you a little? If
there is anything else we can help, please feel free to post here.

Regards,

Steven Cheng
Microsoft MSDN Online Support Lead


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)



Steven Cheng

Microsoft MSDN Online Support Lead

 

[Guest]

Hi Steven

Apologies for not replying - I went away and forgot about this problem!

I need to find out from the client if it's still happening, and if it is
I'll go through your post and address the issues you've brought up!

Thanks - and sorry again for disappearing!

Cheers



Dan

 

[Steven Cheng[MSFT]]

Thanks for your followup Dan,

Nevermind. Just keep your focus on your first priority items and if there
is anything else need help later, please feel free to post here.

Regards,

Steven Cheng

Microsoft MSDN Online Support Lead


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Guest]

Steven,

Ok, it's still broken, so to reply to your original questions...

Hi Dan,

The error message did indicate that the login user doesn't have sufficient
permission access the target database, and since you mentioned the error
occur at the connection opening time, it is likely the calling
application's security identity doesn't have sufficient permission.
Currently I'd like to confirm the following information:

1. Are you running the ASP.NET application on a windows 2003 server with
IIS 6(also the ASP.NET application is hosted in IIS rather than .net test
server)?

IIS 6 running on Win2k3 Standard. The app is running in it's own AppPool and
its built on .NET v2.0.50727.

2. Are you connecting to a SQL Server database in server engine or a SQL
Express data file?

MSDE, so thats SQL Server Engine I think?

3. If convenient, would you also paste the connectionstring to us(whether
use sql authentication or integrated windows)..

Don't have it to hand, but I could get it if necessary... I can tell you
that we use Windows Authentication for the app, and I think the sql conex
string is using a Trusted Connection.

Okay, you then said...

If you're using IIS6, then the ASP.NET security context should be the
application pool's identity (if you're not using impersonate in ASP.NET),
and by default the application pool identity is "NT AUTHORITY\NETWORK
SERVICE", however ,it is possible that someone changed it to other ones
such as LOCAL SYSTEM or LOCAL Service(these three accounts is common ones
used by service application).

This is a possibility cos I'm not the server Admin, so something could have
been changed by someone else. How do I check/change the Security context?

Thanks for your time!

 

[Steven Cheng[MSFT]]

Thanks for your followup Dan,

I'm sorry to hear that the problem still remain. I still think the issue is
due to the security context of the application that used to access the MSDE
db. For your further questions:

MSDE, so thats SQL Server Engine I think?
===================================
Yes, MSDE is a desktop database engine in contrast to SQL Server 2000
server engine. Currently SQL 2005 has shipped a new free desktop engine
named "SQLExpress". (This is much more powerful and I would suggest you
have a look at your convenience )



Don't have it to hand, but I could get it if necessary... I can tell you
that we use Windows Authentication for the app, and I think the sql conex
string is using a Trusted Connection.
=========================
Since you can confirm that the connection is using trusted
connection(windows authentication), the decent string is not necessary.



This is a possibility cos I'm not the server Admin, so something could have
been changed by someone else. How do I check/change the Security context?
======================================

You can use the following code snippet to display the current security
identity of ASP.NET worker thread(be executing):

Response.Write("<BR/>Security Identity: " +
System.Security.Principal.WindowsIdentity.GetCurrent().Name);

BTW, since you're caring about the identity used to access the SQL server
(MSDE), you can put the above code right before the connection opening code.

Hope this helps. Please feel free to post here if there is anything unclear
or any other problem on this.

Regards,

Steven Cheng
Microsoft MSDN Online Support Lead


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Steven Cheng[MSFT]]

Hi Dan,

How are you doing or any progress on this issue? Please feel free to post
here if you got any progress or still need any assistance on this.

Regards,

Steven Cheng
Microsoft MSDN Online Support Lead


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)