Solved

http status 401 Access denied

Posted on 2004-09-09
7
982 Views
Last Modified: 2010-08-05
hello

i have the following architecture

--------------------------------
Client console application
calls
WebService1
calls
WebService2
calls
StoredProcedure1 on SQL 2000
--------------------------------

other points
1. the db is on a remote machine
2. all the applications and web services are on my local machine
3. I have set up my default website for anonymous access
2. My database connection string has integrated security
3. My web.config on Webservice2 <authentication mode="Windows" /> <identity impersonate="true" />

When i try and call  StoredProcedure1 from the client i get

"An unhandled exception of type 'System.Net.WebException' occurred in system.web.services.dll

Additional information: The request failed with HTTP status 401: Access Denied."

any ideas?
0
Comment
Question by:MrKevorkian
7 Comments
 
LVL 17

Expert Comment

by:AerosSaga
ID: 12015464
I think what you want to do here is set up a Domain account not an Anonymous one as it will need the appropriate permissions to access your sproc.  My guess is your anonymous account does not have sufficient privaleges to run the sproc and thats why you get the generic error message.  It does always die at the sproc correct?

Regards,

Aeros
0
 
LVL 2

Expert Comment

by:netjkus
ID: 12016915
try this.
1. Check if you are able to connect using the same username/pwd combination from your PC to the DB.
2. the remote machine should allow you to connect to the DB if your username is recognised, so if you pass #1, it is allowing.
3. Remove the Authentication (make it none) and try.

Do you have an idea where it fails?
0
 
LVL 10

Accepted Solution

by:
jnhorst earned 400 total points
ID: 12018176
Aeros is on the right track, but the problem is that your IIS is set up to use a local account to authenticate anonymous requests.  That account is IUSR_<machinename>, and your SQL Server box knows nothing about it, so SQL is not allowing the connection.  You need to create a domain account for anonymous requests and then change the IIS setting to use that account.  Then go to your SQL Server Enterpise Manager and add that domain account to the Logins under the Security section.  Then go to the database that youtr web service needs to access, and make that login a user for the database.  Set the database role to something like Data Reader so the account only has select access on the tables (unless updates need to be done as well).  Just give the account only the permissions it needs on the database.

John
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 10

Expert Comment

by:jnhorst
ID: 12018240
Also, make sure you have this in web.config right after <authentication mode="Windows" />:

<identity impersonate="true" />

If you do not have this, then your web service code will run under the local ASPNET account context, and the same thing applies; the SQL Server box doesn't know anything about your local ASPNET account, so it will not allow it.  If you have this <identity> tag, then the webservice code will run under the account that authenticated the anonymous request, and if that account is a domain account that has been added as a login in SQL Serevr and given permissions to the needed DB, everything should work fine.

John

0
 
LVL 33

Expert Comment

by:raterus
ID: 12020451
http://support.microsoft.com/default.aspx?kbid=294382

Possible here..Have you given any though to how this is going to run in production.  I can almost guarantee when you run this away from your local computer it isn't going to be nearly as forgiving security wise.  You may need to be looking at enabling Delegation in the future.
0
 
LVL 1

Author Comment

by:MrKevorkian
ID: 12042215
sorry i was away on friday.

thanks for your replies.

jnhorst i like your instructions.
but i am unsure how i change IIS to use a domain account for anonymous requests
how do i do this
thanks


0
 
LVL 1

Author Comment

by:MrKevorkian
ID: 12042391
silly question!

ive just seen how to do it!

im just testing, ill let you know how it goes shortly
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In .NET 2.0, Microsoft introduced the Web Site.  This was the default way to create a web Project in Visual Studio 2005.  In Visual Studio 2008, the Web Application has been restored as the default web Project in Visual Studio/.NET 3.x The Web Si…
Problem Hi all,    While many today have fast Internet connection, there are many still who do not, or are connecting through devices with a slower connect, so light web pages and fast load times are still popular.    If your ASP.NET page …
This Micro Tutorial demonstrates using Microsoft Excel pivot tables, how to reverse engineer competitors' marketing strategies through backlinks.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

25 Experts available now in Live!

Get 1:1 Help Now