|
Home > Archive > IIS Server Security > November 2004 > how to check what SQL account that an IIS account maps to?
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
how to check what SQL account that an IIS account maps to?
|
|
|
| We have an ASP page on an IIS 5.0 web server.
This ASP page connects to a MS SQL 2000 database using integrated security.
Anonymous access is enabled with the username mymachine\IUSER_mymachine.
But when I call the ASP page in a browser, it returns the following error:
====
Microsoft OLE DB Provider for SQL Server error '80004005'
Cannot open database requested in login 'mydb'. Login fails.
/apps/conn.asp, line 5
====
I've googled and found some suggested solutions for the problem. One is
like this:
======
# If you are using integrated security, check the Windows NT account that is
calling the page, and find out what account (if any) it is mapped to.
# SQL Server does not allow an underscore in a SQL account name.
If someone manually mapped the Windows NT IUSR_machinename account to a SQL
account of the same name, it fails.
Map any account that uses an underscore to an account name on SQL that does
not use the underscore.
======
Can anybody answer my question in the subject? I'm not quite familiar with
Windows and IIS.
Thanks in advance for any help,
Bing
| |
| Tom Kaminski [MVP] 2004-11-12, 7:50 am |
| "bing" wrote:
> We have an ASP page on an IIS 5.0 web server.
>
> This ASP page connects to a MS SQL 2000 database using integrated security.
>
> Anonymous access is enabled with the username mymachine\IUSER_mymachine.
>
> But when I call the ASP page in a browser, it returns the following error:
>
> ====
> Microsoft OLE DB Provider for SQL Server error '80004005'
>
> Cannot open database requested in login 'mydb'. Login fails.
>
> /apps/conn.asp, line 5
> ====
>
> I've googled and found some suggested solutions for the problem. One is
> like this:
>
> ======
> # If you are using integrated security, check the Windows NT account that is
> calling the page, and find out what account (if any) it is mapped to.
> # SQL Server does not allow an underscore in a SQL account name.
> If someone manually mapped the Windows NT IUSR_machinename account to a SQL
> account of the same name, it fails.
> Map any account that uses an underscore to an account name on SQL that does
> not use the underscore.
> ======
>
> Can anybody answer my question in the subject? I'm not quite familiar with
> Windows and IIS.
How are you connecting?
http://www.aspfaq.com/show.asp?id=2126
See also:
http://support.microsoft.com/?id=176377
| |
|
| Thanks, Tom, for the pointers. In my case, it connects like this:
Set conn=Server.CreateObject("ADODB.Connection")
strConn = "Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security
Info=False;Initial Catalog=maxware;Data Source=dbserver"
conn.Open strConn
I've checked on several things that are mentioned by the articles. Basic
authentication is enables on the web site. The IUSR_machinename user account
that calls the ASP page is defined on the domain controller. This user
account is seen on both the IIS and the SQL 2000 database server. And on
the database server, the IUSR_machinename account has proper previliges on
the database that the ASP page accesses.
The ASP page still returns the login fails error when accessing the databae.
What else should I check?
Thanks,
Bing
"Tom Kaminski [MVP]" wrote:
> "bing" wrote:
>
> How are you connecting?
> http://www.aspfaq.com/show.asp?id=2126
>
> See also:
> http://support.microsoft.com/?id=176377
| |
|
| Never mind. I've figured it out. I've checked the server logs on the
database server and found that every time the ASP page failed accessing the
database created an error that my personal domain account did not have
permission. Looks like the ASP page is called using my domain account. But
my domain account is not a user in the database that the ASP page accessed.
After adding my domain account as a new databae user, every thing works fine
now. Now I understand windows authentication and how to restrict database
access to ASP pages better.
Bing
"bing" wrote:
[vbcol=seagreen]
> Thanks, Tom, for the pointers. In my case, it connects like this:
>
> Set conn=Server.CreateObject("ADODB.Connection")
> strConn = "Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security
> Info=False;Initial Catalog=maxware;Data Source=dbserver"
> conn.Open strConn
>
> I've checked on several things that are mentioned by the articles. Basic
> authentication is enables on the web site. The IUSR_machinename user account
> that calls the ASP page is defined on the domain controller. This user
> account is seen on both the IIS and the SQL 2000 database server. And on
> the database server, the IUSR_machinename account has proper previliges on
> the database that the ASP page accesses.
>
> The ASP page still returns the login fails error when accessing the databae.
> What else should I check?
>
> Thanks,
>
> Bing
>
> "Tom Kaminski [MVP]" wrote:
>
|
|
|
|
|