I'm trying to access an oracle database using
using System.Data.OracleClient;
from a console application, accessing the database is fine. however from an ASP.NET web site i get the error:
ORA-12640: Authentication adapter initialization failed
I've googled around and found that changing sqlnet.ora file would solve the issue
//before
SQLNET.AUTHENTICATION_SERVICES= (NTS)
//after
SQLNET.AUTHENTICATION_SERVICES= (NONE)
Later I found another application on the same server, that uses other database of Oracle as well, is requiring the value of SQLNET.AUTHENTICATION_SERVICES to be "NTS". This would cause my web site to fail accessing the database with the error ORA-12640. I have tried "ALL" as value but still it didn't work.
How can I configure my website to access the oracle database while sqlnet.ora is configured as "SQLNET.AUTHENTICATION_SERVICES= (NTS)" ?
P.S. the website uses Windows Authentication and impersonate as follow:
<authentication mode="Windows"/>
<identity impersonate="true"/>
This looks like the multi-hop impersonation issue to me.
If it's an option for you, I suggest having your application run under a single identity when accessing the database (this should also allow connection pooling to occur as a beneficial side-effect).
To do this, you would need to configure an app pool to run under an account that has access to Oracle. Once the application is running under that app pool, turn impersonation off in your application so that the database calls occur using the app pool identity.
If you have to impersonate the calling users over the network, the method used will depend on your environment. For more information, see How to Use Impersonation and Delegation in ASP.NET 2.0.
I was also facing the same issue, but finally got it working. Created a service account(named kerb_user in the active directory) and changed the app pool authentication to run as "kerb_user".
First I tried with this, but it was failed.
Please check the request log in oracle database, where you can verify the OS_USERNAME carefully. In my case it shows kerb_user, where as for other kerberos user requested OS_USERNAME was suffixed with domain name, which was missing in my case.
Then I did two changes.
Modified the app pool identity with domain name: kerb_user#xyz.com
Modified the sqlnet.ora file on app server and changed authentication to "ALL"
//before - not working
SQLNET.AUTHENTICATION_SERVICES= (NONE)
//after - worked
SQLNET.AUTHENTICATION_SERVICES= (ALL)
Debugging
Check the oracle log, if requested OS_USERNAME is suffixed with domain name(here kerb_user#xyz.com) or not. If suffixed, will work for sure.
Please verify service user on both side(app- AD User and db- Service User) server, user should have same name.
Verify the service user access at db server and ensure, user must have kerberos access to that database.
Check the SPN settings
Ref: https://www.codeproject.com/Articles/27554/Authentication-in-web-services-using-C-and-Kerbero
Related
I have an app service in Azure operating as an API for a system I'm designing. As the API is responsible for accessing the database directly, I obviously don't want to be storing connection strings containing credentials anywhere if possible, so am looking to use Managed Identities to grant the App Service access to the database (also hosted on Azure).
Within the Azure portal, I've enabled System-Assigned Identity within the Settings section of the App Service, then given the service the role of owner of the SQL Server via SQL Server -> Access Control -> Role Assignments-> Add.
As I understand it, Active Directory Users shouldn't even come into this as they are user-assigned identities rather than system-assigned identities, and take more setting up (or storing their credentials in the connection string).
As for the code, it's pretty much a carbon copy of this >> https://github.com/medhatelmasry/JwtAuthentication, the only differences being that I've added
services.BuildServiceProvider().GetService<ApplicationDbContext>().Database.Migrate();
to the end of the ConfigureServices method within Startup.cs, and added the below to the constructor of ApplicationDbContext as per Microsoft's instructions:
var conn = (System.Data.SqlClient.SqlConnection)Database.GetDbConnection();
conn.AccessToken = (new Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider()).GetAccessTokenAsync("https://database.windows.net/").Result;
When attempting to run this service in Azure, however, I get an exception when calling services.BuildServiceProvider().GetService<ApplicationDbContext>().Database.Migrate();:
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
I've tried StackOverflow, MSDN, Azure Help, Pluralsight and whatever random forums turn up from Google, and not managed to find an answer on any of them. I've only just got through a whole week of staying up until stupid o'clock every day trying to fix connection string configurations only to find Azure was changing the name of the connection string parameter that I was giving it and not saying a word about it (and nothing in any Microsoft documentation about it either).
Azure is becoming a serious pain in my ass, I haven't even started adding endpoints to the API yet, let alone creating an actual application to use it, this is ridiculous.
Eventually found the answer here >> https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-sql#create-a-contained-user-in-the-database-that-represents-the-vms-system-assigned-identity
The App Service was indeed set as an owner of the server, but hadn't had a user provisioned on the database, so my problem was resolved by logging into the database via SSMS and running:
CREATE USER [My App Service Name] FROM EXTERNAL PROVIDER
then:
ALTER ROLE db_owner ADD MEMBER [My App Service Name]
However, I removed the ownership role of the App Service on the server's Access Control (IAM) page, and am still able to connect successfully, not sure why that is but this is probably just a lack of SQL user knowledge on my part. It actually suits me as at the moment my App Service has a provisioned SQL user with db_owner role assigned on the database itself, but not on the overall server.
From my understanding you have to go through the prerequisite process of creating, enabling and allowing Azure AD users and also setting SQL Admin to an Azure AD user.
There's a pretty comprehensive guide here including creating, accessing and using tokens for Managed Identities Tutorial: Secure Azure SQL Database connection from App Service using a managed identity
I am making a website at work, the main website is linked to a backend SQL which I don't have access to. Up until yesterday everything was working fine for months. Then yesterday my system had some issues and we needed to perform a revert to a more stable point.
and now my website is throwing this error:
System.Data.SqlClient.SqlException
Exception: Login failed. The login is from an untrusted domain and cannot be used
with Windows authentication.
The main website works, But these are being thrown from the ASP controls we set up.
I read over a few posts on StackOverflow and MSDN but I personally do not have access to that side database to switch the settings or connection strings. My manager thinks it's something with my user-profile settings but I can't see anything wrong, especially since it was working just fine before.
Is there anything I can do on my end to get the connection back to what is was before?
The "untrusted domain" part of the error message has me curious. Are you using integrated authentication to the web server? Are you doing impersonation as well and using the user's credentials to connect to SQL? If so it could be a matter of needing to set up the SQL server to trust delegation from the web server. A system replacement on the SQL server without setting up the delegation again could explain this. In that case, your windows admin would need to set up the proper trust relationship for delegated credentials.
I am hosting asp.net application in iis 7.5 and i am using sql server 2008 R2 its is running fine if i host it outside Default Website and turn its application pool identity to local system at that time my connection string is,
<add name="In****" connectionString="Data Source=PC\SQLEXPRESS;Database=*****;Integrated Security=SSPI; Persist Security Info=false; Trusted_Connection=Yes;" providerName="System.Data.SqlClient"/>
when i tried to run it under default website i deploy it as same but change connection string like,
<add name="In*****" connectionString="Data Source=PC\SQLEXPRESS;Database=*****;User ID=****;Password=****;Trusted_Connection=False;"/>
but i get error,
Login failed for user 'IIS APPPOOL\DefaultAppPool'. Reason: Failed to open the explicitly specified database. [CLIENT: <local machine>]
i check it alot and get many solution like,
1) Change database name and then try it with sa user by restarting sql services.
2) I also create another user other then sa and attach it with database require for this application.
But error remain same :(
3) I also got solution that in Application pool click default website and then its advance setting then change its identity to Network services.
On this try i got this error,
Login failed for user 'NT AUTHORITY\NETWORK SERVICE'. Reason: Failed to open the explicitly specified database. [CLIENT: <local machine>]
Hopes for you suggestion thanks in Advance.
The connection to the database will be established using the security context of the user that is running the IIS application pool. In this case, it is the Network Service local account, which is the one used by default.
I assume that this was working fine during development because you were running Visual Studio with your own user and your user has permissions to this database.
There are a number of solutions for this, some of them not recommended for a production environment, and the final one is my actual recommendation:
If this database is local, you can give the Network Service account permissions to the database.
You can use your own account as the user your site's Application Pool will run with, or
THIS IS THE ONE RECOMMENDED: For production environments, you typically create a domain service account (or local if this is not in the scope of a domain controller), give it non-admin permissions in the database, but enough to run your app. And then use the same account to run the application pool.
Give permissions to the user to access the DB:http://technet.microsoft.com/en-us/library/ms172405(v=SQL.105).aspx
Assign user to app pool: http://technet.microsoft.com/en-us/library/cc771170(v=WS.10).aspx
Hope this clarifies
Since a little while I'm having the same problem. MY connection string specifically states a user and password to use for logging in. However on one of my application pages I'm getting the same error, all others are working perfectly fine.
It worked perfectly fine on my test server previously so I thought it might be due to a received update? So I started de-installing some recent .NET updates and found this:
Initial error:
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
Then after de-installing KB2901126 & KB2898869 the error changes to:
Login failed for user 'DOMAIN\COMPUTERNAME$'.
Note that both of those updates are security patches which prevent users of getting elevated rights:
From KB2901126
This update resolves vulnerabilities that could allow elevation of privilege if a user visits a specially crafted website or a website that contains specially crafted web content.
So I then wanted to re-install both updates again but I get this message:
Windows update error message
Notice the error, 80244022. The error occurs because of a connection interruption between my server and the update server. Bit weird since the other updates successfully manages to download and install itself.
MS might have removed the updates? I'm not sure what's happening but I'm fairly sure this is happening because of a MS update. No way my "working" app went from working to 1 broken page within 2 weeks without me even updating code from that specific page (or references behind it).
I'm going to try to see whether the same update on my DEV machines could have broken my build.
As a workaround I created a domain account and granted it access to the database, then I switched the app pool to this domain account. Without DB rights, and without editing the connecting string, the error on the specific page changed to "DOMAIN\new account" is unable to access the db. This confirms that for some reason that specific page, and the code behind, disregards the UID & PW in the connection string and uses integrated security.
Description of my problem sounds somewhat complicated, what makes me think that my approach is flawed, so I will also appreciate any better idea.
Short description:
Given connection string to MSSQL 2008 DB and website name deployed on IIS6, I want to verify programatically whether website is able to connect to database.
Long description:
I have MSSQL Server database, let's call it portal_db.
I have an application deployed on IIS6, called portal. I can access it by url http://localhost/portal . In Web.config file I specified connection string to my database, which look like: "server=(local)\SQLEXPRESS;trusted_connection=yes;database=portal_db"
Web application is accessing database using System.Data.SqlClient.SqlConnection, without any wrappers, ORMs, mappings, anything.
Website is configured to run in appool PortalAppPool. It's using ApplicationPoolIdentity as a security context.
It is not possible to easily modify web application code (particularly the way it accesses database)
When my web application tries to connect to database it either succeeds or fails, depending on whether user IIS APPPOOL\PortalAppPool is configured in MSSQL database. That's a part which I understand, but when deploying my app I often forget to create new user/login in db for apppool virtual account. So what I want to do, is to verify from separate, standalone, console app (preferably written in C#, but not necessarily), whether my web application can access database, in following way:
Read connection string from Web.config
Read app pool identity settings (managed to do this by Directory Services API)
Impersonate identity with credentials defined on app pool (using impersonation class I found here: http://platinumdogs.me/2008/10/30/net-c-impersonation-with-network-credentials/ which uses ideas found in many other places, including MSDN)
Open SqlConnection with connection string read from Web.config
It boils down to following snippet:
using (new Impersonator("IIS APPPOOL\\PortalAppPool", "", ""))
{
SqlConnection conn = new SqlConnection(databaseConnectString);
conn.Open();
}
Everything works very well, when my app pool security context is set to any other value than AppPoolIdentity - specific user, local system, etc. When I change credentials passed to Impersonator to my user's name and password, I get desired result (exception when I have no login mapping in database, and everything is OK when I add one). But I just seem to not be able to impersonate IIS APPPOOLS\PortalAppPool virtual account - just have no idea what parameters should be passed to LogonUser - I would not be surprised if it would not be even possible. Maybe I am focused on impersonation approach too much (I am using it to access registry keys and services of other users and it works good), and maybe there is some better way.
If you have any other, better ideas, or need some more explanation to this problem, please let me know.
I don't think you can impersonate a virtual account (IIS service account). They are special service accounts setup mainly for IIS security. They are for local services only and cannot be attached to any domains. Virtual accounts in Windows Server 2008 R2 and Windows 7 are "managed local accounts" that provide the following features to simplify service administration:
No password management is required.
The ability to access the network with a computer identity in a domain environment.
You cannot "Log into" a virtual account, they are used by windows for security purposes:
Some light reading if you have time:
This gives a brief overview of MSAs and Virtual Accounts
The differences between MSAs and Virtual Accounts
The dirty details on each and how to manage them
To solve your original problem, you could build an app that could do the same logic but check the sql server if it has the correct users setup instead of simply trying to login with the account.
I have a requirement where I need to be able to access a list which sits in Central Administration from an Application Page which sits on my Web Front End (WFE). The issue I have is that the Application Pool User for my WFE does not have access to the SharePoint_AdminContent database so I get access denied, they both have their own App Pools
In the logs it shows the following:
Reverting to process identity
Current user before SqlConnection.Open: Name:
SharePointDemo\SPContentPool SID:
S-1-5-20 ImpersonationLevel: None
Current user after SqlConnection.Open: Name:
SharePointDemo\SPContentPool: S-1-5-20
ImpersonationLevel: None
Insufficient SQL database permissions for user 'SPContentPool'
in database
'SharePoint_AdminContent_53169fb3-137c-44b2-b90e-961b656e4275' on SQL Server instance 'SPNSQL'.
Additional error information from SQL
Server is included below. The EXECUTE
permission was denied on the object
'proc_EnumLists', database
'SharePoint_AdminContent_53169fb3-137c-44b2-b90e-961b656e4275',
schema 'dbo'.
I have tried to runwithelevatedprivileges as well as trying Daniel Larsons method (http://daniellarson.spaces.live.com/blog/cns!D3543C5837291E93!1919.entry) which uses the SharePoint\System user token but it only seems to elevate as high as the Application Pool.
I am hoping there is an easy way to impersonate the Application Pool of the Admin Web Application but have been unable to find a way to do so yet... Or change the process identity to one which has access
Any thoughts, ideas or solutions are thankfully received!
Phill
You should try to use the List web service to access the list items. And set the credentials before connecting to the web service.
The problem is that the CA Application Pool and the WFE Application pool most likely run under different accounts, which is best practice though annoying when you are a developer. There is no amount of Elevating Privileges you can do using SPSecurity.RunWithElevatedPrivileges to get around this.
Providing your security policy allows this, you can give the application pool that runs your WFE Web Application the same credentials as the Central Administration Application Pool.
This can be done using the Service Accounts screen at:
http:///_admin/FarmCredentialManagement.aspx
If you go down the web service route, you may want to role your own web service to prevent too much 'chatting' over HTTP.
Have you tried regular windows impersonation? You should probably be able to impersonate the service account and get access to the list that way.