I am hosting asp.net application in iis 7.5 and i am using sql server 2008 R2 its is running fine if i host it outside Default Website and turn its application pool identity to local system at that time my connection string is,
<add name="In****" connectionString="Data Source=PC\SQLEXPRESS;Database=*****;Integrated Security=SSPI; Persist Security Info=false; Trusted_Connection=Yes;" providerName="System.Data.SqlClient"/>
when i tried to run it under default website i deploy it as same but change connection string like,
<add name="In*****" connectionString="Data Source=PC\SQLEXPRESS;Database=*****;User ID=****;Password=****;Trusted_Connection=False;"/>
but i get error,
Login failed for user 'IIS APPPOOL\DefaultAppPool'. Reason: Failed to open the explicitly specified database. [CLIENT: <local machine>]
i check it alot and get many solution like,
1) Change database name and then try it with sa user by restarting sql services.
2) I also create another user other then sa and attach it with database require for this application.
But error remain same :(
3) I also got solution that in Application pool click default website and then its advance setting then change its identity to Network services.
On this try i got this error,
Login failed for user 'NT AUTHORITY\NETWORK SERVICE'. Reason: Failed to open the explicitly specified database. [CLIENT: <local machine>]
Hopes for you suggestion thanks in Advance.
The connection to the database will be established using the security context of the user that is running the IIS application pool. In this case, it is the Network Service local account, which is the one used by default.
I assume that this was working fine during development because you were running Visual Studio with your own user and your user has permissions to this database.
There are a number of solutions for this, some of them not recommended for a production environment, and the final one is my actual recommendation:
If this database is local, you can give the Network Service account permissions to the database.
You can use your own account as the user your site's Application Pool will run with, or
THIS IS THE ONE RECOMMENDED: For production environments, you typically create a domain service account (or local if this is not in the scope of a domain controller), give it non-admin permissions in the database, but enough to run your app. And then use the same account to run the application pool.
Give permissions to the user to access the DB:http://technet.microsoft.com/en-us/library/ms172405(v=SQL.105).aspx
Assign user to app pool: http://technet.microsoft.com/en-us/library/cc771170(v=WS.10).aspx
Hope this clarifies
Since a little while I'm having the same problem. MY connection string specifically states a user and password to use for logging in. However on one of my application pages I'm getting the same error, all others are working perfectly fine.
It worked perfectly fine on my test server previously so I thought it might be due to a received update? So I started de-installing some recent .NET updates and found this:
Initial error:
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
Then after de-installing KB2901126 & KB2898869 the error changes to:
Login failed for user 'DOMAIN\COMPUTERNAME$'.
Note that both of those updates are security patches which prevent users of getting elevated rights:
From KB2901126
This update resolves vulnerabilities that could allow elevation of privilege if a user visits a specially crafted website or a website that contains specially crafted web content.
So I then wanted to re-install both updates again but I get this message:
Windows update error message
Notice the error, 80244022. The error occurs because of a connection interruption between my server and the update server. Bit weird since the other updates successfully manages to download and install itself.
MS might have removed the updates? I'm not sure what's happening but I'm fairly sure this is happening because of a MS update. No way my "working" app went from working to 1 broken page within 2 weeks without me even updating code from that specific page (or references behind it).
I'm going to try to see whether the same update on my DEV machines could have broken my build.
As a workaround I created a domain account and granted it access to the database, then I switched the app pool to this domain account. Without DB rights, and without editing the connecting string, the error on the specific page changed to "DOMAIN\new account" is unable to access the db. This confirms that for some reason that specific page, and the code behind, disregards the UID & PW in the connection string and uses integrated security.
I have a C#.NET 4.0 application running under IIS 7 on Windows Server 2008 with IIS7 server. The application will run in the company intranet that automatically grabs the logged-in Windows username of the person viewing the page without being prompted to enter credentials when the page loads. Now i'm facing 2 problems:
1) Currently, the apps returns the production server name (eg: XYZ\sam) that the application located at. I want to get the current logged on username (eg: ABC\sam). It works fine at localhost but not at production server.
I've enabled <authentication mode="Windows" /> at web.config , enabled windows authentication and disabled anonymous authentication at IIS.
I've tried Page.User.Identity.Name, System.Web.HttpContext.Current.User.Identity.Name, System.Security.Principal.WindowsIdentity.GetCurrent().Name, and others but still failed to get the right name. How to get the current windows logged on user?
2) When I want to access the application, it keeps prompting out a windows for username and password. If I ignore it, it will prompt out
401 - Unauthorized: Access is denied due to invalid credentials. You
do not have permission to view this directory or page using the
credentials that you supplied.
How i gona fix it?
For question 1, it cannot retrieve the logged in username because the server is domain server. It works after transfer from workgroup to domain.
For question 2, it works fine(no pop out credential) if I access with the server name (eg:servername/appsname). But it will ask for credential if I use ip (eg:xxx.xx.xx.x/appsname) and didn't setup the tools internet options. Factor still not known.
For your 2 problem, to log automatically, you have to set it on the browser, for my experience, i have done this in IE: https://superuser.com/questions/537416/how-to-make-internet-explorer-automatically-login-in-a-certain-domain
I have a web project (C# Asp.Net, EF 4, MS SQL 2008 and IIS 7) and I need to migrate it to IIS 7 locally (at the moment works fine with CASSINI).
Locally in IIS I have my Default Web Site with my deploy. Both my deploy and Default Web Site are on pool ASP.NET v4.0 (look image for settings) the pool target Framework 4 as my web project.
When visiting the site, the browser does not show the page and allow the browser to download the page instead.
I have other projects running on IIS locally and they work with no problems (but they do not use Entity Framework).
Using the Event Logger I see errors as below:
Exception information:
Exception type: EntityException
Exception message: The underlying provider failed on Open.
at System.Data.EntityClient.EntityConnection.OpenStoreConnectionIf(Boolean openCondition, DbConnection storeConnectionToOpen, DbConnection originalConnection, String exceptionCode, String attemptedOperation, Boolean& closeStoreConnectionOnFailure)
Login failed for user 'IIS APPPOOL\ASP.NET v4.0'.
at System.Data.ProviderBase.DbConnectionPool.GetConnection(DbConnection owningObject)
at System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection)
at System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory)
at System.Data.SqlClient.SqlConnection.Open()
at System.Data.EntityClient.EntityConnection.OpenStoreConnectionIf(Boolean openCondition, DbConnection storeConnectionToOpen, DbConnection originalConnection, String exceptionCode, String attemptedOperation, Boolean& closeStoreConnectionOnFailure)
Related question
UPDATE:
You can read in the resources on this question that permissions must be granted on MS SQL 2008 manually as arift explain in his answer.
Using IIS 7.5 and MS SQL 2008 R2, setting manually permission should not be necessary.
Looks like it's failing trying to open a connection to SQL Server.
You need to add a login to SQL Server for IIS APPPOOL\ASP.NET v4.0 and grant permissions to the database.
In SSMS, under the server, expand Security, then right click Logins and select "New Login...".
In the New Login dialog, enter the app pool as the login name and click "OK".
You can then right click the login for the app pool, select Properties and select "User Mapping". Check the appropriate database, and the appropriate roles. I think you could just select db_datareader and db_datawriter, but I think you would still need to grant permissions to execute stored procedures if you do that through EF. You can check the details for the roles here.
You can change the ApplicationPoolIdentity from IIS7 -> Application Pools -> Advanced Settings.
Under ApplicationPoolIdentity you will find local system. This will make your application run under NT AUTHORITY\SYSTEM, which is an existing login for the database by default.
Edit: Before applying this suggestion you should note and understand the security implications.
I solved this problem using sql as following image.
Right click on db-> properties -> permission -> View Server permission -> and then select IIS APPPOOL\ASP.NET v4.0 and grant permission.
ensure you have...
Trusted_Connection=false;
in your connection String
Run this sql script
IF NOT EXISTS (SELECT name FROM sys.server_principals WHERE name = 'IIS APPPOOL\DefaultAppPool')
BEGIN
CREATE LOGIN [IIS APPPOOL\DefaultAppPool]
FROM WINDOWS WITH DEFAULT_DATABASE=[master],
DEFAULT_LANGUAGE=[us_english]
END
GO
CREATE USER [WebDatabaseUser]
FOR LOGIN [IIS APPPOOL\DefaultAppPool]
GO
EXEC sp_addrolemember 'db_owner', 'WebDatabaseUser'
GO
If in the connection string you have specified:
User ID=xxx;Password=yyy
but in the connection string there is:
Trusted_Connection=true;
SQL Server will use Windows Authentication, so your connection values will be ignored and overridden (IIS will use the Windows account specified in Identity user profile).
more info here
The same applies if in the connection string there is:
Integrated Security = true;
or
Integrated Security = SSPI;
because Windows Authentication will be used to connect to the database server.
more info here
go to iis -> application pools -> find your application pool used in application
select your application pool used for the application right click select advanced settings
Select application pool identity
select built in as Local System
and click ok
I had to create a user `IIS APPPOOL\DefaultAppPool' as shown below in SQL Server. Security > Login > Right click and press 'New Login'. You only enter the username as show in red in the screen.
Then go into that new user properties, check the database this user will access (marked in blue below) and select db_owner as well. I had to select because although connection was working but subsequent SELECT queries didn't had the access if this was not selected.
These two should do it. Basically you are making the new user owner for the database so it has full access.
You don't need to restart SQL Server or anything, should work.
1_in SqlServer Security=>Login=>NT AUTHORITY\SYSTEM=>RightClick=>Property=>UserMaping=>Select YourDatabse=>Public&&Owner Select=>OK
2_In IIs Application Pools DefaultAppPool=>Advance Setting=>Identity=>LocalSystem=>Ok
I hate the ApplicationPoolIdentity. I always set a Windows User Account as the account on AppPools.
As adrift says, it does sound like a database security issue. So create an NT user account, assign it to the ASP.NET v4.0 AppPool and then grant it permission on the website folder and to the relevant table(s) in SQL.
First thing you need to clear if you are using windows authentication and you are not mentioning any username password in your connection string then:
What happens when you run your code through localhost: when you run your wcf test client from localhost, it will be able to communicate to database as local debug mode application is calling database by your account's service. So it has access to database because devenv.exe is running under your user account.
But when you deploy your web service in IIS. Now understand this service runs under IIS not under your account. So you need to assign access rights to IIS service to access the sql server for windows authentication. Here your web service would not be able to communicate to the SQL server because of access rights issue and Login Failed for user_______ (here your user will come)
So if you are using windows authentication to connect your database, you just have to change the IIS Application pool settings. You need to change IIS Application pool's identity to local System.
Below are the Steps for windows authentication WCF:
1) Open IIS (windows+R (run) then type inetmgr, then click ok)
2) double click your PC name under Connections
3) Click Application Pools
4) Select your app pool (DefaultAppPool)
5) Then under actions on the right click Advanced Settings:
6) Go to Process Model section and
7) click on Identity.
8) Now select LocalSystem.
Now open your sql server management studio:
open run-> then type ssms ->then press ok
In ssms, login using your windows authentication account.
Open security tab expand logins tab then you will be able to view your account.
Now open properties of your account
go to userMapping then select the database you want to connect
then check the role membership services you want to use for the selected database. click ok.
(For network services i.e. intranet users you need to configure above settings for NT AUTHORITY\SYSTEM user too)
add Trusted_Connection=True; property in your connection string. Save it & deploy the web service. Restart app pool.
you will be able to connect the database now.
Don't use Integrated Security.
Use User Id=yourUser; pwd=yourPwd;
This solves the problem.
I had this issue and it was actually caused by something different - I had the 'IIS APPPOOL\ASP.NET v4.0' user in my database but it still wasn't working.
I had recently upgraded my SQL Server Install and in the process the User had become disconnected from the Login - so there was an 'IIS APPPOOL\ASP.NET v4.0' under Database -> Security -> Users BUT no User not under Security -> Logins.
Added the Login 'IIS APPPOOL\ASP.NET v4.0' to Security -> Logins, SQL Server automatically mapped it to the User in the database (this used to have to be done manually) and problem fixed.
I had this message and I use Windows Authentication on the web server.
I wanted the currently authenticated web user to be authenticated against the database, rather than using the IIS APPPOOL\ASP.NET v4 User specified in the App Pool.
I found by entering the following in the web.config fixed this for me:
<system.web>
<identity impersonate="true" />
</system.web>
https://msdn.microsoft.com/en-us/library/bsz5788z.aspx
I see other Answers regarding creating the AppPool username in the SQL DB or just to use SQL Auth. Both would be correct if you didn't want to capture or secure individual Windows users inside SQL.
Tom
I Have the same problem I solved it by changing Integrated Security=True to false
now its working
Setting the identity only makes this work in my pages.
Cassini runs your website as your own user identity when you start up the Visual Studio application. IIS runs your website as an App Pool Identity. Unless the App Pool Identity is granted access to the Database, you get errors.
IIS introduced App Pool Identity to improve security. You can run websites under the default App Pool Identity, or Create a new App Pool with its own name, or Create a new App Pool with its own name that runs under a User Account (usually Domain Account).
In networked situations (that are not in Azure) you can make a new App Pool run under an Active Directory Domain user account; I prefer this over the machine account. Doing so gives granular security and granular access to network resources, including databases. Each website runs on a different App Pool (and each of those runs under its own Domain User account).
Continue to use Windows Integrated Security in all Connection Strings. In SQL Server, add the Domain users as logins and grant permissions to databases, tables, SP etc. on a per website basis. E.g. DB1 used by Website1 has a login for User1 because Website1 runs on an App Pool as User1.
One challenge with deploying from the Visual Studio built-in DB (e.g. LocalDB) and built-in Web Server to a production environment derives from the fact that the developer's user SID and its ACLs are not to be used in a secure production environment. Microsoft provides tools for deployment. But pity the poor developer who is accustomed to everything just working out of the box in the new easy VS IDE with localDB and localWebServer, because these tools will be hard to use for that developer, especially for such a developer lacking SysAdmin and DBAdmin support or their specialized knowledge. Nonetheless deploying to Azure is easier than the enterprise network situation mentioned above.
If you have your connection string added in your web.config, make sure that "Integrated Security=false;" so it would use the id and password specified in the web.config.
<connectionStrings>
<add providerName="System.Data.SqlClient" name="MyDbContext" connectionString="Data Source=localhost,1433;Initial Catalog=MyDatabase;user id=MyUserName;Password=MyPassword;Trusted_Connection=true;Integrated Security=false;" />
</connectionStrings>
As pointed out, Do not use Windows Authentication, Use SQL Server Authentication
Also if you created connection using "Server Connection" dialog, make sure to check the connections in web.config. It is likely that you created/modified connection and it was stored as trusted connection in web.config. Simply use this authentication
<add name="MyDBConnectionString" connectionString="Data Source=localhost;Initial Catalog=Finantial;User ID=xxx;Password=xxx" providerName="System.Data.SqlClient"/>
which should fix the error.
Another way of granting permission to the database for the user IIS APPPOOL\ASP.NET v4.0 is as follows.
Add New User with User Name and Login name as IIS APPPOOL\ASP.NET
v4.0 with your default schema.
Go to Owner schema and Membership, Check db_datareader, db_datawriter
You can face this wrong in specific database which is created after SSMS update. Open SSMS and select your databases and open your required database then click Security--> Users--> and right click on Users and click again on 'New User' and add 'NT AUTHORITY\Authenticated Users' and save you work and go to your Form on Web/Desktop whatever do you. Enjoy....
Thought I'd post this as an answer as it is relevant to the question and can answer it in some cases.
That same message appears also if the database does not exist!
Be sure your connection string has no misspellings, is pointing to the right server instance, etc.
In Asp.net webform,
this error fixed when installing asp.net from:
Server Manager > Manage > Add Role and Feature > Server Roles > Web Server (IIS) > Web Server > Application Development > ASP.NET 3.5/4.6 is installed.
my problem fixed.
something similar happened to me what worked for me was changing the property Integrated Security = True to Integrated Security = false in the web.config of the website
go to iis -> application pools -> find your application pool used in application -> click it and then click 'Advance Settings' in Actions panel. Find 'Identity' property and change it to localsystem.
I ran into this error with IIS and dotnet core.
A quick work around for anyone who are using Sql authentication, have your appsetting.json read this to disable Windows Authentication and use SQL authentication.
(This is in the appsetting.json(default one) or anywhere you have specified your db connection string)
"dbContext": "data source=servername;initial catalog=dbname;user id=your_server_username;password=your_server_password;trusted_connection=false;multipleactiveresultsets=true",
cheers and happy coding
Have you done what #Teddy recommended and you STILL get the same error?
Make sure you're changing the settings for the app pool that corresponds to your virtual directory and not the parent server. Each virtual directory has its own AppPool and doesn't inherit.
In DefaultAppPool set NetworkService in the Identity property and in Sql Server add User Network Service and give it the appropiate permissions to your database, that's work very well for me, I've tested locally but I think this is the best configuration for connecting from any other computer in the network. when you set LocalSystem in the Identity in IIS that's work well and it is not necessary to create any other user in Sql Server but I think that will not work in a network environment.
I ran into the same problem testing ASP.NET Web API
Developed Web.Host in Visual Studio 2013 Express
Database created in SQL Server 2012 Express
Executed test using built in IIS Express (working)
Modified to use IIS Local (from properties page - web option)
Ran test with Fiddler
Received error - unable to open database for provider....
citing 'APPPOOL\DefaultAppPool'
Solution that worked.
In IIS
Click on application pool 'DefaultAppPool'
Set Identify = 'ApplicationPoolIdentity'
Set .NET framework = v4.0 (even though my app was 4.5)
In SQL Server Management Studio
Right click on Security folder (under the SQL Server engine so applies to all tables)
Right click on User and add 'IIS APPPOOL\DefaultAppPool'
In securables on the 'Grant' column check the options you want to give.
Regarding the above if you are a DBA you probably know and want to control
what those options are. If you are like me a developer just wanted to test
your WEB API service which happens to also access SQL Server through EF 6
in MVC style then just check off everything. :) Yes I know but it worked.
In case you add a new login, make sure that under server properties ( rightclick -> properties)/security, authentication mode is set to both sqlserver and windows not only windows.
I am using Window Authentication for sql database for my asp.net web application.but after i deploy my website to another computer I'm unable to connect to the database.Is there any property for window authentication to set user name and password in web.config file.
Does this sound like your scenario?
IIS web app built on local machine
Web app uses windows authentication
Web app talks to database also on local machine
Web app users also have valid database logins
Web app users credentials are passed to database via trusted connection
Everything works great. Then you move it to a different environment where the database and IIS are no longer on the same server and then you cannot get the database to recognize the credentials IIS is passing in?
If so, then welcome to my hell a few months ago. The problem is that once the two processes are not on the same box, they don't trust each other any more. Network administration permissions are required to get the two process to trust each other across server boundaries. Unfortunately, I didn't blog about it but the general steps were
mark the IIS service account as trustworthy (Active directory setting)
set the service principal name (SPN) to either the netbios name or FQDN
something had to be set on both boxes to indicate they could trust each other
Sorry for the vague recollection and as I wasn't the one with credentials to fix anything, I only got to observe them clicking the buttons. The starting article on How to connect to SQL Server using Windows Authentication got us fairly far down the track.
This deals with the fact that on your developer box, you (or the anon user? or the user the develper web service spins up as?) is trusted by the local instance of SQL. But, when you deploy, the user ASP.NET runs under is not trusted.
Options
As George mentioned, go with a SQL logon, not windows
Set up a proper trust between the web server and SQL Server
Impersonate a user for the data context (this can get complex, btw)
You are most likely using a trusted connection string, e.g.
Data Source=myServerAddress;Initial
Catalog=myDataBase;Integrated
Security=SSPI;
...as you are using windows authentication. You need to use a standard connection string. e.g.
SQL Server 2008:
Data Source=myServerAddress;Initial
Catalog=myDataBase;User
Id=myUsername;Password=myPassword;
Just be sure to set up a non-windows authentication user within SQL Server.
Authentication mode should be set in the web.config. Also, check if anonymous authentication is disabled or not.
<authentication mode="Windows"/>