Using integrated security


Marina

Hi, I would like to give the ASPNET process that is running on my machine
permission to connect to a SQL Server database that is on another machine.
When I try to do this it says: 'Windows NT user or user group
'mymachinename\ASPNET not found'.

This all works, however, if the database server is my local machine.

So the question then becomes, how can I give this user privileges to connect
to this remote database server?
 
Marina
Since you are using integrated security, the account that ASP.NET uses is the account that will connect to SQL Server. In this case, 'mymachinename\ASPNET' account. This account is local only to that machine and SQL Server has no knowledge of this account. You can assign the ASPNET account to run using a network account that has rights to access SQL Server to solve this problem.

Tu-Thach

----- Marina wrote: -----

Hi, I would like to give the ASPNET process that is running on my machine
permission to connect to a SQL Server database that is on another machine.
When I try to do this it says: 'Windows NT user or user group
'mymachinename\ASPNET not found'.

This all works, however, if the database server is my local machine.

So the question then becomes, how can I give this user privileges to connect
to this remote database server?
 
* You can assign the ASPNET account to run using a network account *

What exactly do you mean by this? Do you mean REPLACE the ASPNET account,
or modify the current ASPNET account to be a domain account?

Mark


Tu-Thach said:
Marina,
Since you are using integrated security, the account that ASP.NET uses is
the account that will connect to SQL Server. In this case,
'mymachinename\ASPNET' account. This account is local only to that machine
and SQL Server has no knowledge of this account. You can assign the ASPNET
account to run using a network account that has rights to access SQL Server
to solve this problem.
 
Mark
What I meant is that you can set which account ASPNET should run as. You can specify Local System Account or this account, which allows you to type in the account name and password the service should run as.

Tu-Thach

----- Mark wrote: -----

* You can assign the ASPNET account to run using a network account *

What exactly do you mean by this? Do you mean REPLACE the ASPNET account,
or modify the current ASPNET account to be a domain account?

Mark


Tu-Thach said:
Marina,
Since you are using integrated security, the account that ASP.NET uses is
the account that will connect to SQL Server. In this case,
'mymachinename\ASPNET' account. This account is local only to that machine
and SQL Server has no knowledge of this account. You can assign the ASPNET
account to run using a network account that has rights to access SQL Server
to solve this problem.
 
Your reply implies that ASP.NET is running as a service which would allow me
to go to start - control panel - admin tools - services, and modify the
account that the service is running under. However, I don't see such a
service. Where exactly did you mean that you would make this change?

Thanks.

Mark


Tu-Thach said:
Mark,
What I meant is that you can set which account ASPNET should run as. You
can specify Local System Account or this account, which allows you to type
in the account name and password the service should run as.
 
You can do that by going to the IIS console, right click on the web site that you want to manage and choose properties. Then, go to the directory security tab, click edit and make sure the allow anonymous checkbox is checked. You can then select an account to run. Either way, a better way to let ASP.NET run using an account is to enable impersonation using the <identity> tag for the Web application. That way, you don't have to mess with setting account, etc.

Tu-Thach

----- Mark wrote: -----

Your reply implies that ASP.NET is running as a service which would allow me
to go to start - control panel - admin tools - services, and modify the
account that the service is running under. However, I don't see such a
service. Where exactly did you mean that you would make this change?

Thanks.

Mark


Tu-Thach said:
Mark,
What I meant is that you can set which account ASPNET should run as. You
can specify Local System Account or this account, which allows you to type
in the account name and password the service should run as.
 
Thanks Tu-Thach. I guess this points at a bigger issue:

I'm confounded how difficult it is to set up a connection from an ASP.NET
application to SQL Server on a different machine in the same Windows domain
using Windows authentication. My research has found the following three
options:

1. Use delegation to leverage the current user's account.
2. Replace the ASPNET local account that is running .NET applications on the
web server with a domain account.
3. Use impersonation specifying a specific domain user and password in the
web.config.

In options 2 and 3 above, the new account must be granted all the rights
that the ASPNET account comes with by default. Moreover, if you have a
development machine, a live machine, and local installs of IIS for all your
developers, the rights must be recreated on every blasted box. That sounds
like a maintenance nightmare. Option 1 raises all sorts of security
concerns. Understandably, our DBA wants to keep SQL Server authentication
turned off since we have a Windows network.

Am I missing something here? What is the "obvious" choice?

Thanks in advance.

Mark


Tu-Thach said:
You can do that by going to IIS console, right click on the web site that
you want to manage and choose properties. Then, go to the directory security
tab, click edit and make sure the allow anonymous checkbox is checked. You
can then select an account to run. Either way, a better way to let ASP.NET
run using an account is to enable impersonation using the <identity> tag for
the Web application. That way, you don't have to mess with setting account,
etc.
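
The `<identity>` approach discussed in the thread (Mark's option 3), sketched as a web.config; this is an added example, not a configuration posted by any participant. `EXAMPLEDOM\svc_webapp`, `DBSERVER01`, `AppDb`, the `ConnectionString` key and the password are placeholder names chosen for illustration.

```xml
<?xml version="1.0"?>
<!-- Added example. All account, server and database names are placeholders. -->
<configuration>
  <appSettings>
    <!-- Integrated security: the connection string carries no SQL login or
         password. SQL Server authenticates the Windows identity that the
         request thread runs as, so that identity has to be one the remote
         server can resolve (a domain account, not a machine-local one). -->
    <add key="ConnectionString"
         value="Data Source=DBSERVER01;Initial Catalog=AppDb;Integrated Security=SSPI;" />
  </appSettings>

  <system.web>
    <!-- Which identity reaches SQL Server for each form of this element:

         impersonate="false" (the default)
           The worker process account, here the local mymachinename\ASPNET.
           The remote SQL Server cannot resolve it, which is the error in
           the first post.

         impersonate="true" with no userName
           The user authenticated by IIS. Reaching a second machine with
           that identity is the delegation case (option 1).

         impersonate="true" with userName and password (used below)
           A fixed domain account (option 3). The worker process itself
           still runs as the local ASPNET account. -->
    <identity impersonate="true"
              userName="EXAMPLEDOM\svc_webapp"
              password="PLACEHOLDER-PASSWORD" />

    <!-- The password above sits in clear text in this file. Keep read
         access to web.config limited to administrators and the worker
         process account, and use an account created only for this
         application rather than a personal or administrative one. -->
  </system.web>
</configuration>
```

The placeholder domain account still needs a login on the SQL Server and access to the one database, granted by the DBA with only the permissions the application uses.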
 