Program.X
Reputation: 7412
Authentication: AppPool is set to NETWORK SERVICE user, but DB is getting DOMAIN\MACHINE$ user?
This is vexing and searching around it is producing a lot of useless results (returning problems about NETWORK SERVICE not authenticating - oh to have that particular problem!).
I have deployed an ASP.NET MVC 2 application to an IIS6 and 7 webserver, with the Application Pool set to authenticate as NETWORK SERVICE. However, I get the SQL error:
Login failed for user 'DOMAIN\SERVERNANE$'.
So why is it using this user and not NETWORK SERVICE? To frig it I tried to add a new login for the user, but obviously, it doesn't work.
My web.config if you need it for settings ...
<?xml version="1.0"?>
<configuration>
<connectionStrings>
<add name="ApplicationServices"
connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=<redacted>CrewChangeover.mdf;Integrated Security=True;User Instance=True"
providerName="System.Data.SqlClient" />
<add name="<redacted>.CrewChangeoverConnectionString"
connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=<redacted>CrewChangeover.mdf;Integrated Security=True;User Instance=True"
providerName="System.Data.SqlClient" />
<add name="<redacted>_HR_FullConnectionString"
connectionString="Data Source=<redacted>\SQLEXPRESS;Initial Catalog=<redacted>;Integrated Security=True"
providerName="System.Data.SqlClient" />
</connectionStrings>
<system.web>
<compilation debug="true" targetFramework="4.0">
<assemblies>
<add assembly="System.Web.Abstractions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
<add assembly="System.Web.Routing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
<add assembly="System.Web.Mvc, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
</assemblies>
</compilation>
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
<membership>
<providers>
<clear/>
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="ApplicationServices"
enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false"
maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10"
applicationName="/" />
</providers>
</membership>
<profile>
<providers>
<clear/>
<add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="ApplicationServices" applicationName="/" />
</providers>
</profile>
<roleManager enabled="true">
<providers>
<clear/>
<add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="ApplicationServices" applicationName="/" />
<add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />
</providers>
</roleManager>
<pages>
<namespaces>
<add namespace="System.Web.Mvc" />
<add namespace="System.Web.Mvc.Ajax" />
<add namespace="System.Web.Mvc.Html" />
<add namespace="System.Web.Routing" />
</namespaces>
</pages>
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" />
<bindingRedirect oldVersion="1.0.0.0" newVersion="2.0.0.0" />
</dependentAssembly>
</assemblyBinding>
</runtime>
</configuration>
Upvotes: 0
Views: 1070
Answers (1)
TristanK
Reputation: 527
Network Service is that user!
Network Service impersonates the computer account when trying to connect to an off-box resource. Granting permissions to DOMAIN\Servername$ does generally work, though.
So, the rough breakdown is:
- Local Service - low-privileged, connects to external resources as NULL
- Network Service - low-privileged, connects to external resources as DOMAIN\Computer$
- LocalSystem - high-privileged, connects to external resources as DOMAIN\Computer$
If you want the App Pool to authenticate as a specific Windows user:
- Don't use impersonation (it doesn't look like you are)
- Run the App Pool as that specific Windows user
And Robert should be your mother's brother.
Upvotes: 1
Related Questions
- Why asp.net core app uses different user than AppPool identity for Windows Authentication when connecting to SQL Server?
- Login failed for user 'IIS APPPOOL\
- Login failed for user 'IIS APPPOOL\myAppPoolName' and cannot add new user for this
- Login failed for user 'IIS APPPOOL\myAppPool
- Why is my MVC app trying to log into my DB as my machine, and not as the App Pool identity?
- Cannot open database with 'IIS APPPOOL' when using Windows Authentication
- SQL Server Login for IIS APPPOOL on different machines - same domain
- Why is my Web Application not using AppPoolIdentity to log in to SQL Server on same machine?
- Login Failed for user Domain\MachineName$ on IIS 7.5 with an ApplicationPoolIdentity
- Configuring ASP.NET MVC app's IIS 7.5 Application Pool identity as login on SQL Server 2008 R2