ASPNET account and NT Authentication with SQL Server - Account Locked Out

Discussion in 'ASP .Net Security' started by ryan.d.rembaum@kp.org, Sep 9, 2005.

  1. Guest

    I have an application running on an IIS box that is trying to make a
    connection to a separate SQL server box. The application is using
    Windows NT authentication. During development I can access my data
    just fine. When I view it in the browser I get the message that the
    database does not exist or I do not have the necessary permission to
    logon. I have narrowed the problem to one of security rights. It
    seems that Windows is passing the ASPNET account to the SQL server box.
    So what I did was change the password of the ASPNET account. I then
    created an ASPNET account on the other box and gave it the same
    password. (I tried this with the IUSR_[MachineName] account first, but
    the following is what leads me to believe it is the ASPNET account that
    is causing the trouble:

    When I go to access the web page, the SQL Server account gets locked
    out. I am not sure why! Is it autogenerating a new password to
    overwrite my change?

    I know I could impersonate someone, but I would rather not set up some
    sort of dummy account like that; there is a lot of bureaucracy to go
    through to do so. I also do not want to deal with SQL authentication
    and store the password in the connection string. It seems that in a
    Windows intranet environment this just should not be that hard! I must
    be missing something.

    Any help would be greatly appreciated. (If it helps, I created the
    connection string I am using via the ASP.Net wizard. It contains the
    directive to use integrated security.)

    Thanks!!!
    Ryan
    , Sep 9, 2005
    #1

  2. Can you set up a domain account to run ASP.NET under and use that to access
    SQL? The matching machine accounts thing always struck me as kind of
    hackish.

    Joe K.

    Joe Kaplan (MVP - ADSI), Sep 9, 2005
    #2

  3. Paul Clement Guest

    You don't mention the error you are generating from your ASP.NET app but I will assume it's the
    "Login failed for user 'MachineName\ASPNET'" message. The following KB article documents the issue:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;316989

    I would agree with Joe. It would probably be much easier to implement a single domain account rather
    than use two local accounts with matching credentials if you are not going to enable impersonation.


    Paul
    ~~~~
    Microsoft MVP (Visual Basic)
    Paul Clement, Sep 9, 2005
    #3
  4. Guest

    Hello,

    The actual error message is: SQL Server does not exist or access
    denied. I have definitely considered adding an account under the
    domain, but because of our corporate structure there is a lot of red
    tape involved in creating an account without a real corresponding user.
    Is there a reason the synching of two identical account names and
    passwords would not work? It seems when we have applied it here in
    other situations. I also don't understand why it would cause the
    password to be revoked on the SQL box. Is there some service that
    might be changing the password back to some other value after I make my
    changes? I have entered the passwords on both boxes for both accounts
    multiple times to try to make sure I did not mistype between the two.

    Thanks,
    Ryan
    , Sep 13, 2005
    #4
  5. Paul Clement Guest

    Is your system configured for Kerberos? I don't believe credential delegation (to the SQL Server
    box) is going to work if you're using Integrated Windows Security w/o Kerberos.


    Paul
    ~~~~
    Microsoft MVP (Visual Basic)
    Paul Clement, Sep 15, 2005
    #5
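
Added example, not part of any post in this thread: a small C# probe that reports which Windows identity the ASP.NET code runs as and what SQL Server answers when that identity connects with integrated security, so a rejected login can be told apart from an unreachable server. `ConnectionProbe`, `SQLBOX` and `MyDb` are placeholder names chosen for the example.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Text;

// Added example: call ConnectionProbe.Run(...) from a page inside the web
// application so it executes under the same identity as the failing request.
public static class ConnectionProbe
{
    // "SQLBOX" and "MyDb" are placeholders, not values from the thread.
    public const string SampleConnectionString =
        "Data Source=SQLBOX;Initial Catalog=MyDb;Integrated Security=SSPI;Connect Timeout=5";

    public static string Run(string connectionString)
    {
        StringBuilder report = new StringBuilder();

        // The Windows identity this code presents to SQL Server. Without
        // impersonation this is the worker process account.
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        report.AppendLine("Running as      : " + id.Name);
        report.AppendLine("Auth type       : " + id.AuthenticationType);

        try
        {
            using (SqlConnection conn = new SqlConnection(connectionString))
            {
                conn.Open();
                // Ask the server which login it actually authenticated.
                using (SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
                {
                    report.AppendLine("SQL Server sees : " + cmd.ExecuteScalar());
                }
            }
        }
        catch (SqlException ex)
        {
            // Report every error number and message. 18456 is "Login failed
            // for user"; 18452 is a Windows login the server does not trust.
            // Other numbers point at connectivity rather than credentials.
            foreach (SqlError err in ex.Errors)
            {
                report.AppendLine("SQL error " + err.Number + ": " + err.Message);
            }
        }
        return report.ToString();
    }
}
```

Comparing the "Running as" line with the login SQL Server reports (or rejects) shows whether the account being granted access on the SQL box is the one the web application actually uses.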