Here is the scenario:
A web server is running on IIS 8.5 using AppPoolIdendtity to pass through the credential to connect to Reporting Service which is remotely installed in a MSSQL Server.
The reporting service has added the machine account DOMAIN\MACHINENAME$ to the system role assignment from http://MSSSQLRS/ReportServer as System Administrator like this:
The permissions granted to user ' are insufficient for performing this operation. (rsAccessDenied)"}
Testing local MSSQL server is smooth with local access. However, whenever the connection is established from the IIS web server. The "rsAccessDenied" error came up as DOMAIN\MACHINENAME$ user.
Not sure what else is wrong either on the WEB IIS or MSSQL server....
Sounds like RS Windows NTLM is not configured correctly. See this article.
Related
Ok, I have followed the steps from https://learn.microsoft.com/en-us/sql/linux/sql-server-linux-active-directory-authentication?view=sql-server-2017 to try and fix this issue as well as the SUSE/Redhat documentation for connecting to an AD server.
The servers are on the domain, I can log into the servers with my domain credentials but when I attempt to login to SQL as a domain user ( that is a Sysadmin on the SQL Server ) I get a the Login failed, the login is from an Untrusted domain and cannot be used with integrated authentication ( Error 18452) when attempting to use SSMS from a Windows box that works if I log in with a local account from it. When I log in as the domain user on the linux box I get the SSPI Provider: Server not found in Kerberos database and Cannot Generate SSPI context. Iif I use sqlcmd for a local user connecting to the FQDN of either server it connects fine. I haven't touched Linux from an Admin standpoint in over 15 years.
This is on both a SUSE 12 SP2 and a Redhat 7.5 server in our test environment. Not a big deal for me but our users are complaining because they now need a local account to log in for testing purposes instead of just using their domain accounts like the Windows side of things. Any help is greatly appreciated, most of what I am finding online just points me back to the Microsoft document and I have basically rebuilt the servers a couple times trying to add it to the domain before installing SQL and also after installing SQL to see if that made any difference, get the same error both ways.
I have two servers. First one is a server with ASP app on it and the second one is an LDAP auth server. I need to login on app server over LDAP on the second server and I need to use windows auth (NTLM or Negotiate). As I know based on my research to login on the server using active directory domain from other server they must be in the same local network. This can be established by VPN. But the thing is that I can't use a VPN. Can it be established somehow? I'm currently trying to configure IIS to not identify my user on my current domain and serve the credentials to remote server over LDAP using .Net. Sorry if I have a wrong understanding about something, I'm still newbie in windows auth and AD. Correct me if I wrong in something.
I'm using ASP.NET Core RC2 and IISExpress 10 on my local machine and my target framework is 452 due to using some old modules.
On remote app server I'm using IIS 8.5
I have a Win 2012 server with IIS 8 running on that. Also installed Management Service with Remote Access allowed.
Another admin-user account is used to set up few default websites and now when I login to the same server using my admin-user account, I cannot see anything in the IIS.
I have tried connecting to server as localhost and with computer name as well but not allowing me to connect.
Any help on this would be great.
Found the issue -
There is a firewall implemented for the domain users to access. And when I tried to login as an Admin who is not permitted by firewall, I am just able to access the machine and internally my IIS component is not able to connect with the localhost or local server.
I have the following configuration for a web site:
Two Web front-ends (e.g. machine names: WFE1 & WFE2) 1 SQ
One SQL Server Database cluster (e.g. machine name: DBCluster)
All machines are in the same domain (e.g. MyDomain) running Windows 2008 R2 Enterprise and SQL Server 2008 R2.
I am in the process of deploying a web application that uses the Application Pool Identity. I have named the pool MyWebApp, which translates to the name, [IIS APPPOOL\MyWebApp]. When I try adding this user to SQL Server I get an error:
Windows NT user or group 'IIS APPPOOL\MyWebApp' not found. Check the name again.
The script that I have used to create the account in SQL Server is:
CREATE LOGIN [IIS APPPOOL\MyWebApp]
FROM WINDOWS WITH DEFAULT_DATABASE=[MyDatabase], DEFAULT_LANGUAGE=[us_english]
GO
I imagine the problem is occuring because the IIS account is a local account which is not visible to the SQL Server box.
Can someone please shed some light on how this problem can be resolved? Is using a domain account my only option or can I still get the application pool accounts to work?
I imagine the problem is occuring because the IIS account is a local account which is not visible to the SQL Server box.
That's exactly the problem. The IIS AppPool account only exists on the web server. If you were able to add this account to SQL Server, you would be authorizing an IIS AppPool that is running on the same machine as SQL Server. (I suspect it might still fail.)
The most secure solution would probably be to do as you say - create an account on the domain, give that account appropriate permissions on the database, and run the AppPool using that account's credentials.
However, if you'd still like to do it, you need to authorize the computer that the AppPool is running on - ie, DOMAINNAME\ComputerName$ (note the $ at the end).
Take a look at this article for more information (specifically, the section titled Accessing the Network).
I think that's a bad idea, however, because it authorizes any program running as NetworkService to access the database - not just your web applications.
I have a .net 2.0 app being hosted on IIS, that connects to a Ingres DB. The connection uses iBatis with an ODBC driver to connect to an ingres database being protected behind an installation password.
For some reason, when I'm debugging my code, everything runs fine. It establishes the connection without any problems. However, when I try to host the site on my local IIS, ingres comes back with this error
ERROR [5000H] [CA][Ingres ODBC Driver][Ingres]User authorization check failed.
Your user identifier was not known to this installation.
Contact your system manager for further assistance.
ERROR [08S01] [CA][Ingres ODBC Driver][Ingres]The connection to the server has been aborted.
I'm wondering why the installation password would work fine against my debug session, and refuse to connect behind IIS? Does IIS use a different 'name' that isn't my computer name to establish a connection with the installation password?
The connection is being rejected because the target server is not aware of the user trying to connect or that user has not been added. Check to see if the process owner of your local IIS instance is a valid ingres user. IIRC the account name is normally something like IUSR_MACHINENAME, where MACHINENAME is the hostname of your IIS box. Add the user account using the following SQL on the server:
echo "create user IUSR_MACHINENAME\g" | sql iidbdb