Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'

In the IIS7 app pool, under the Integrated Managed Pipeline mode, for the Identity, NetworkService does not work.

How do I setup my SQL Server 2008 user and my Identity user so that this error goes away and the site actually works?

Using an administrator account works, but that's not secure right? How do I setup an account for the SQL Server 2008 account that works and what permissions do I grant that user on my Windows 2008 Web Server / IIS7 box and my SQL Server 2008 box?

Thanks!
LVL 2
Starr DuskkASP.NET VB.NET DeveloperAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

PberSolutions ArchitectCommented:

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Starr DuskkASP.NET VB.NET DeveloperAuthor Commented:
This article:
>>http://technet.microsoft.com/en-us/library/cc730708%28WS.10%29.aspx 
demonstrates how to turn on:
Configure ASP.NET Impersonation Authentication (IIS 7)
When I change to those settings, it just errors indicating that ajax toolkit is not installed. If I use my original settings I never see this error.
 >>http://forums.iis.net/p/1161275/1958682.aspx
This article someone asks a question about a specific problem. Some throws out a WAG a year later. However, there are no specifics to the problem. Nor how to set it up.
This article:
http://support.microsoft.com/kb/810572
on:
How to configure an ASP.NET application for a delegation scenario
These instructions are for IIS7.
This post:
http://msdn.microsoft.com/en-us/library/ms998355.aspx
Applies To ASP.NET version 2.0
Internet Information Services version 6.0
 
I am using IIS7 and the .NET Framework 3.5 and 4.0
Starr DuskkASP.NET VB.NET DeveloperAuthor Commented:
Would someone please provide me a bullet point list of what user I need, to setup where, with what permissions granted?
My Application Pool integrated user works fine if I use an administrator and dbo, but what is the minimum this account needs? I can setup a specific user, with whatever permissions are required minimally. My IISUser with only standard permissions on the server and db_datareader and db_datawriter permissions does not work.
Please do not send me to a bunch of non-pertinent links.
 
Python 3 Fundamentals

This course will teach participants about installing and configuring Python, syntax, importing, statements, types, strings, booleans, files, lists, tuples, comprehensions, functions, and classes.

PberSolutions ArchitectCommented:
  • Sometimes it's hard to determine the exact issue or experience a user is having from a few lines in a question.  I suggested the use of contained delegation as it provides security at the database level.  
  • I posted links that related to delegation and I also realize that some referred to IIS 6 as well, but none the less the concept is the same and are good for background knowledge if required.  
  • I have about 10 years of experience with implementing delegation between IIS and multi-hop SQL servers.  I was just trying to help you,
  • Good luck, perhaps someone else with more experience than me can help you.
Starr DuskkASP.NET VB.NET DeveloperAuthor Commented:
>>I have about 10 years of experience with implementing delegation between IIS and multi-hop SQL servers.  I was just trying to help you,

Do I create a standard user account?
Do I assign this user permissions on the database? If so, what permissions?
Where do I set it up to add this user to the website?
If you have done this, and you were setting up a new web server, and had to create this user; what permissions would you give this user on the web server box and on the database and where would you add it to the website in IIS7?
I think it's a simple question for someone who has been doing it for ten years.
 
Jim P.Commented:
I'm going to preface this with I don't have much experience with IIS in relation to SQL.

The absolutely worst thing you can do is use a domain admin account for the SQL Server service along with the IIS account.

You should copy the account that is used by the IIS service.  (It should be something like the IUSR_xxx account.)
On the SQL Box give the account full permissions to the C:\Program Files\Microsoft SQL Server\ directory hive and also to the X:\Program Files\Microsoft SQL Server\MSSQL.# folder that houses your database files (mdf/ldf).
Next change the logon account for both the IIS server and the SQL Server accounts in the services on both computers.
Restart quickly the SQL Services then the IIS services in that order.

From there you should be good.
Starr DuskkASP.NET VB.NET DeveloperAuthor Commented:
Thank you Jimpen,
I'll give it a try within the next few days. My daughter is sick and so I don't know how soon I can get to it.
Thanks so much!
 
Starr DuskkASP.NET VB.NET DeveloperAuthor Commented:
>>On the SQL Box give the account full permissions to the C:\Program Files\Microsoft SQL Server\ directory hive and also to the X:\Program Files\Microsoft SQL Server\MSSQL.# folder that houses your database files (mdf/ldf).

I don't know what you mean by "directory hive"
If I grant permissions to the first path, wouldn't that include the second path?
>>Next change the logon account for both the IIS server and the SQL Server accounts in the services on both computers.

Do you mean the anonymous user? or do you mean the application pool Identity user? Or something else?
Thanks!
Starr DuskkASP.NET VB.NET DeveloperAuthor Commented:
Aw forget it.
Jim P.Commented:
>> I don't know what you mean by "directory hive"

The C:\Program Files\Microsoft SQL Server\ directories will have an 80, 90 and other folders below them.

>> If I grant permissions to the first path, wouldn't that include the second path?

The MSSQL.# is the folder that holds your database folders, logs, backups etc. for the instance. Depending on how your setup is, these folders can be on different drives. Commonly you don't want to share the C: drive with your database because of space, disk contention, tuning, and a host of reasons. As you get deeper into the SQL Server side this will become more apparent.

>> or do you mean the application pool Identity user

I meant the application pool user. That way it has native access to the SQL databases on that instance.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft SQL Server 2008

From novice to tech pro — start learning today.