Solved

http status 401 Access denied

Posted on 2004-09-09
7
981 Views
Last Modified: 2010-08-05
hello

i have the following architecture

--------------------------------
Client console application
calls
WebService1
calls
WebService2
calls
StoredProcedure1 on SQL 2000
--------------------------------

other points
1. the db is on a remote machine
2. all the applications and web services are on my local machine
3. I have set up my default website for anonymous access
2. My database connection string has integrated security
3. My web.config on Webservice2 <authentication mode="Windows" /> <identity impersonate="true" />

When i try and call  StoredProcedure1 from the client i get

"An unhandled exception of type 'System.Net.WebException' occurred in system.web.services.dll

Additional information: The request failed with HTTP status 401: Access Denied."

any ideas?
0
Comment
Question by:MrKevorkian
7 Comments
 
LVL 17

Expert Comment

by:AerosSaga
Comment Utility
I think what you want to do here is set up a Domain account not an Anonymous one as it will need the appropriate permissions to access your sproc.  My guess is your anonymous account does not have sufficient privaleges to run the sproc and thats why you get the generic error message.  It does always die at the sproc correct?

Regards,

Aeros
0
 
LVL 2

Expert Comment

by:netjkus
Comment Utility
try this.
1. Check if you are able to connect using the same username/pwd combination from your PC to the DB.
2. the remote machine should allow you to connect to the DB if your username is recognised, so if you pass #1, it is allowing.
3. Remove the Authentication (make it none) and try.

Do you have an idea where it fails?
0
 
LVL 10

Accepted Solution

by:
jnhorst earned 400 total points
Comment Utility
Aeros is on the right track, but the problem is that your IIS is set up to use a local account to authenticate anonymous requests.  That account is IUSR_<machinename>, and your SQL Server box knows nothing about it, so SQL is not allowing the connection.  You need to create a domain account for anonymous requests and then change the IIS setting to use that account.  Then go to your SQL Server Enterpise Manager and add that domain account to the Logins under the Security section.  Then go to the database that youtr web service needs to access, and make that login a user for the database.  Set the database role to something like Data Reader so the account only has select access on the tables (unless updates need to be done as well).  Just give the account only the permissions it needs on the database.

John
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 10

Expert Comment

by:jnhorst
Comment Utility
Also, make sure you have this in web.config right after <authentication mode="Windows" />:

<identity impersonate="true" />

If you do not have this, then your web service code will run under the local ASPNET account context, and the same thing applies; the SQL Server box doesn't know anything about your local ASPNET account, so it will not allow it.  If you have this <identity> tag, then the webservice code will run under the account that authenticated the anonymous request, and if that account is a domain account that has been added as a login in SQL Serevr and given permissions to the needed DB, everything should work fine.

John

0
 
LVL 33

Expert Comment

by:raterus
Comment Utility
http://support.microsoft.com/default.aspx?kbid=294382

Possible here..Have you given any though to how this is going to run in production.  I can almost guarantee when you run this away from your local computer it isn't going to be nearly as forgiving security wise.  You may need to be looking at enabling Delegation in the future.
0
 
LVL 1

Author Comment

by:MrKevorkian
Comment Utility
sorry i was away on friday.

thanks for your replies.

jnhorst i like your instructions.
but i am unsure how i change IIS to use a domain account for anonymous requests
how do i do this
thanks


0
 
LVL 1

Author Comment

by:MrKevorkian
Comment Utility
silly question!

ive just seen how to do it!

im just testing, ill let you know how it goes shortly
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Suggested Solutions

Today is the age of broadband.  More and more people are going this route determined to experience the web and it’s multitude of services as quickly and painlessly as possible. Coupled with the move to broadband, people are experiencing the web via …
IntroductionWhile developing web applications, a single page might contain many regions and each region might contain many number of controls with the capability to perform  postback. Many times you might need to perform some action on an ASP.NET po…
This video discusses moving either the default database or any database to a new volume.
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now