Hello,
I have an asp.net application written in vb that uses windows integrated authentication. The application was originally written on an 2000 server machine running IIS 5 for development. I have the web.config set to use authentication "Windows" and Impersonate="true". I have the development server set to be trusted for delegation to talk to the sql server. Everything worked just wonderfully.
Now I've copied the application over to our live server running 2003 server and IIS 6.0, enabled the live server for delegation, rebooted and the app no longer works. I just keep getting the "Login failed for user '(null)'. Reason: Not associated with a trusted SQL Server connection." error.
I dont know if I've missed a step or if something is different in 2003 server or IIS 6.0 ... I've been looking online all day and cannot find anything. Can someone please help?
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
Yes.
The UserID *must* be a member of the IIS_WPG group for the applciation pool to start.
Additionally, the UserID must have appropriate SPNs set for Kerberos Authentication Delegation to work properly.
What I would suggest is to change the Application Pool to use Network Service for the time being - this will allow it to use the auto generated SPNs of the server.
In your question you said the dev server was trusted for delegation. Is the live server trusted as well? This will not work if it isn't.
Dave Dietz
What is the IIS_WPG Group? I didnt do anything with that on the development server?
I have SPN's set for the sql server, but didnt know had to do that with the user as well? How can I do that?
Also, dont know how to set app pool to use Network service...?
The live server IS trusted for delegation.
Thanks for helping.
~~Kim
The IIS_WPG group is a group that is given proper permissions to particular resources to be able to be used as the identity of an Application Pool.
By default System, Local Service, Network Service and IWAM_<machinename> are in this group. If you want to run the app pool as a user not included here you must add them to the group.
To set an SPN for a user you use the SetSPN utility with a command line similar to the following:
SetSPN -A http/hostheadername domain\userid
where hostheadername is the name you use to access the website and domain\userid is the doamin and name of the account the application pool runs as.
To set the AppPool to run as Network Service you simply open the properties on the AppPool, go to the identity tab, select the Predefined radio button and select Network Service on the dropdown.
Enoguh details for now? :-)
Dave Dietz
Thank you - I thought I was making progress, but now I'm not. I found an article that showed how to give the IIS_WPG group permission on SQL. I did that yesterday before going home. Now today, that group is no longer listed under Security in SQL - and when I try to re-add it, it tells me the group does not exist.
The program IS running under the default application pool.
What am I doing wrong??
I have gone through each step listed on this page:
http://msdn.microsoft.com/
* IIS Directory Security is listed as Windows Integrated. Anonymous Access is not enabled.
* Web.Config file includes the following :
<authentication mode="Windows">
</authentication>
<authorization>
<allow users="*" />
</authorization>
<identity impersonate="true" />
* Web.Config also includes connection string :
<appSettings>
<add key="ConnectionString" value="data source=Sql-Server;Trusted_
</appSettings>
* Web Server is trusted for Kerberos Delegation
* Application is running in the Default App Pool as Network Service
The only thing I didn't fully understand in the article was configuring SQL Server...
"To configure SQL Server for Windows integrated security
From the Windows Start menu, choose Microsoft SQL Server, and then choose Enterprise Manager.
Open the node for the server and expand the node for the database you want to give users permissions for.
Right-click the Users node and choose New Database User.
In the Database User Properties dialog box, enter domain\username in the Login name box, and then click OK. Alternatively, configure the SQL Server to allow all domain users to access the database. "
I didnt do anything with this for the development site, but went ahead and added "domain/primary-group" to have permissions to the database in SQL.
After all of this, I still get the "Login failed for user '(null)'. Reason: Not associated with a trusted SQL Server connection." error.
SQL Server is Windows 2003 Server running SQL 2000
Web Server is Windows 2003 Server running IIS 6
Domain Controller with Active Directory is Windows 2003 Server
Application is written with .NET Framework 1.1 ASP.NET (VB)
The only difference between the working development site and the non working live site is the development site uses a Windows 2000 Professional machine as a "web server".
This doesn't seem like it should be overly complicated to set up. After days of researching, checking, trying different things, I find it pretty frustrating that still nothing works. I am completely at a loss.
Any suggestions or help, please??
Thanks,
~~Kim
Under Sql Server Properties, Security tab
Authentication selected is "SQL Server and Windows"
Start and run SQL server is "This Account".
The domain/username there is added as a user to SQL Security that does have permission to the database I'm trying to get to.
Is that what you were asking?
I believe those settings are like that for another windows based application that is used company wide.
Yes, that is what I was looking for.
Since SQL is not running as the System account it has to have an SPN registered for it for Kerberos to work properly.
The following article explains this:
811889 How to troubleshoot the "Cannot generate SSPI context" error message
http://support.microsoft.c
The reason you are seeing the user NULL is that when you try to use NTLM instead of Kerberos there are no credentials passed at all.
Dave Dietz
The user it's running as has full administrator rights - shouldn't it then be able to create it's own SPN?
Quote the article :
"If you test using a domain administrator account as the SQL Server service account, the SPN is successfully created because the domain administrator-level credentials that you must have to create an SPN are present."
The user it runs as would have to have Domain Admin rights since registering an SPN makes a modification to Active Directory. Local Admins do not have the proper permissions to modify these AD settings.
The earlier comment regarding the Network Service account has to do with the SPNs on the *web* server. Now I am thinking that the issue has more to do with the SPNs on the *SQL* server - both have to be set correctly for auth delegation to work.
Dave Dietz
No. I do not know how to set the spns.
I downloaded a setspn program from microsoft and followed their directions on how to do it http://support.microsoft.c
SQL shouldn't be running as a local admin, if i'm looking in the right place in SQL, right click the server --> Properties --> "Start and Run SQL in the following account", the account there is the domain administrator acount, which from anything I've read it should have permissions to create its own SPNs .. ?
I even tried to put a plain .aspx page in that project that doesn't have any database access and I can't even access that. I changed impersonation to false in web config to see what i would get and now i get login failed for user DOMAIN\WEBSERVER$ .
I still dont understand why SQL is the problem when it's the same SQL server that the application runs with and talks to when the application was on our development server.
It's using NTLM because there's something not configured right for Kerbros Delegation.
If all the pieces aren't right Kerberos will not work and you'll use NTLM instead which cannot be used for Authentication Delegation.
The SPNs have to be configured correctly on the Web Server and the SQL Server.
DNS has to resolve the names properly.
AD Entries for the computer accounts have to be configured correctly.
Etc...
Look at the following article:
http://support.microsoft.c
This will help determine if the problem is that Kerberos isn't working between the client and the web server or if it is failing between the web server and the SQL server....
Dave Dietz
Business Accounts
Answer for Membership
by: Dave_DietzPosted on 2005-01-28 at 22:49:07ID: 13170322
What UserID is the Application pool running as that contains your application?
Dave Dietz