Using SQL trusted connections with ASP.NET

Guest

Hello all,

I've read over:

http://idunno.org/dotNet/trustedConnections.aspx

I would like to use a trusted connection vice using encrypted database
strings:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT11.asp

So, I've created a local account on both the IIS Server and the SQL server.
On IIS 6.0, I've created an Application Pool specific to my application, and
then configured it to run under the local account. On SQL Server 2000 server,
I created a local account with matching username and strong password, then
added the account in SQL EM, granted access to my application database.

Finally, I've changed my web.config file to have a connection string of the
form:

<add key="DatabaseConnection" value="server=myserver;Persist Security Info=False;database=mydatabase;Integrated Security=SSPI;"/>

If the application runs in the new application pool configured with the
local account, I get the error message:

Service Unavailable

Of course, if I put my ASP.NET application back in the default connection
pool, the application is reachable, but fails upon the first database
connection due to a login failure which uses the machine's credentials.

Suggestions for how to implement this?

Thanks,
 
Manohar Kamath

When you are using a trusted connection, you do not have to make any
matching user/password on the SQL server. The user that the ASP.NET worker
process impersonates should have permissions on the database(s) you are
trying to access. Which means, you add this user (a local or a domain user),
and add this user to the SQL Server. That should do it.
 
Scott Allen

Hi Adam:

Do you have any more details about the error? Anything in the event
viewer? It's possible the account needs some ACLs set on a file or
directory somewhere.
 
Scott Allen

Manohar Kamath said:
When you are using a trusted connection, you do not have to make any
matching user/password on the SQL server. The user that the ASP.NET worker
process impersonates should have permissions on the database(s) you are
trying to access. Which means, you add this user (a local or a domain user),
and add this user to the SQL Server. That should do it.


I believe Adam is using a "trusted subsystem" model. Using local
accounts, without an AD, requires matching credentials on both sides
so that the database can authenticate the user.
 
bruce barker

if your site does not run under the service account, then check dir
permissions. also look at the permissions of the asp.net account, and be
sure your new one has the same.

-- bruce

| Hello all,
|
| I've read over:
|
| http://idunno.org/dotNet/trustedConnections.aspx
|
| I would like to use a trusted connection vice using encrypted database
| strings:
| http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT11.asp
|
| So, I've created a local account on both the IIS Server and the SQL server.
| On IIS 6.0, I've created an Application Pool specific to my application, and
| then configured it to run under the local account. On SQL Server 2000 server,
| I created a local account with matching username and strong password, then
| added the account in SQL EM, granted access to my application database.
|
| Finally, I've changed my web.config file to have a connection string of the
| form:
|
| <add key="DatabaseConnection" value="server=myserver;Persist Security Info=False;database=mydatabase;Integrated Security=SSPI;"/>
|
| If the application runs in the new application pool configured with the
| local account, I get the error message:
|
| Service Unavailable
|
| Of course, if I put my ASP.NET application back in the default connection
| pool, the application is reachable, but fails upon the first database
| connection due to a login failure which uses the machine's credentials.
|
| Suggestions for how to implement this?
|
| Thanks,
 
Guest

bruce barker said:
if your site does not run under the service account, then check dir
permissions. also look at the permissions of the asp.net account, and be
sure your new one has the same.

The permissions of the aspnet account on IIS turned out to be the issue. It
was easily solved by making aspnet a member of the local administrators
group. :-(

Now, is there any listing of the necessary perms to allow an account to run
an application pool?

Adam
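
A diagnostic for the setup discussed in this thread, added here as an example and not posted by any participant: it reports which Windows account the ASP.NET code runs as and which login SQL Server resolves for the trusted connection. The class and method names are hypothetical; the connection string is the "DatabaseConnection" value from the original post.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;

public static class TrustedConnectionCheck
{
    // Hypothetical helper (name chosen for this example). Pass it the
    // "DatabaseConnection" value from web.config and call it from a test page.
    public static string Describe(string connectionString)
    {
        // Account the worker process (or impersonated thread) runs as; this is
        // the identity SSPI presents when Integrated Security=SSPI is used.
        string processAccount = WindowsIdentity.GetCurrent().Name;

        try
        {
            using (SqlConnection conn = new SqlConnection(connectionString))
            using (SqlCommand cmd = new SqlCommand(
                "SELECT SUSER_SNAME(), USER_NAME(), DB_NAME()", conn))
            {
                conn.Open();
                using (SqlDataReader reader = cmd.ExecuteReader())
                {
                    reader.Read();
                    // With mirrored local accounts the login is typically
                    // reported under the SQL Server machine's name, not the
                    // web server's.
                    return String.Format(
                        "process account: {0}; SQL login: {1}; database user: {2}; database: {3}",
                        processAccount, Convert.ToString(reader[0]),
                        Convert.ToString(reader[1]), Convert.ToString(reader[2]));
                }
            }
        }
        catch (SqlException ex)
        {
            // Error 18456 is SQL Server's "Login failed for user" error.
            // Report only the number and message, never the connection string.
            return String.Format(
                "process account: {0}; SQL error {1}: {2}",
                processAccount, ex.Number, ex.Message);
        }
    }
}
```

If the process account shown is the machine's default worker identity rather than the dedicated local account, the application is not running in the intended application pool.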
 
