Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
In the IIS7 app pool, under the Integrated Managed Pipeline mode, for the Identity, NetworkService does not work.
How do I setup my SQL Server 2008 user and my Identity user so that this error goes away and the site actually works?
Using an administrator account works, but that's not secure right? How do I setup an account for the SQL Server 2008 account that works and what permissions do I grant that user on my Windows 2008 Web Server / IIS7 box and my SQL Server 2008 box?
Thanks!
How do I setup my SQL Server 2008 user and my Identity user so that this error goes away and the site actually works?
Using an administrator account works, but that's not secure right? How do I setup an account for the SQL Server 2008 account that works and what permissions do I grant that user on my Windows 2008 Web Server / IIS7 box and my SQL Server 2008 box?
Thanks!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Would someone please provide me a bullet point list of what user I need, to setup where, with what permissions granted?
My Application Pool integrated user works fine if I use an administrator and dbo, but what is the minimum this account needs? I can setup a specific user, with whatever permissions are required minimally. My IISUser with only standard permissions on the server and db_datareader and db_datawriter permissions does not work.
Please do not send me to a bunch of non-pertinent links.
My Application Pool integrated user works fine if I use an administrator and dbo, but what is the minimum this account needs? I can setup a specific user, with whatever permissions are required minimally. My IISUser with only standard permissions on the server and db_datareader and db_datawriter permissions does not work.
Please do not send me to a bunch of non-pertinent links.
- Sometimes it's hard to determine the exact issue or experience a user is having from a few lines in a question. I suggested the use of contained delegation as it provides security at the database level.
- I posted links that related to delegation and I also realize that some referred to IIS 6 as well, but none the less the concept is the same and are good for background knowledge if required.
- I have about 10 years of experience with implementing delegation between IIS and multi-hop SQL servers. I was just trying to help you,
- Good luck, perhaps someone else with more experience than me can help you.
ASKER
>>I have about 10 years of experience with implementing delegation between IIS and multi-hop SQL servers. I was just trying to help you,
Do I create a standard user account?
Do I assign this user permissions on the database? If so, what permissions?
Where do I set it up to add this user to the website?
If you have done this, and you were setting up a new web server, and had to create this user; what permissions would you give this user on the web server box and on the database and where would you add it to the website in IIS7?
I think it's a simple question for someone who has been doing it for ten years.
Do I create a standard user account?
Do I assign this user permissions on the database? If so, what permissions?
Where do I set it up to add this user to the website?
If you have done this, and you were setting up a new web server, and had to create this user; what permissions would you give this user on the web server box and on the database and where would you add it to the website in IIS7?
I think it's a simple question for someone who has been doing it for ten years.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you Jimpen,
I'll give it a try within the next few days. My daughter is sick and so I don't know how soon I can get to it.
Thanks so much!
I'll give it a try within the next few days. My daughter is sick and so I don't know how soon I can get to it.
Thanks so much!
ASKER
>>On the SQL Box give the account full permissions to the C:\Program Files\Microsoft SQL Server\ directory hive and also to the X:\Program Files\Microsoft SQL Server\MSSQL.# folder that houses your database files (mdf/ldf).
I don't know what you mean by "directory hive"
If I grant permissions to the first path, wouldn't that include the second path?
>>Next change the logon account for both the IIS server and the SQL Server accounts in the services on both computers.
Do you mean the anonymous user? or do you mean the application pool Identity user? Or something else?
Thanks!
I don't know what you mean by "directory hive"
If I grant permissions to the first path, wouldn't that include the second path?
>>Next change the logon account for both the IIS server and the SQL Server accounts in the services on both computers.
Do you mean the anonymous user? or do you mean the application pool Identity user? Or something else?
Thanks!
ASKER
Aw forget it.
>> I don't know what you mean by "directory hive"
The C:\Program Files\Microsoft SQL Server\ directories will have an 80, 90 and other folders below them.
>> If I grant permissions to the first path, wouldn't that include the second path?
The MSSQL.# is the folder that holds your database folders, logs, backups etc. for the instance. Depending on how your setup is, these folders can be on different drives. Commonly you don't want to share the C: drive with your database because of space, disk contention, tuning, and a host of reasons. As you get deeper into the SQL Server side this will become more apparent.
>> or do you mean the application pool Identity user
I meant the application pool user. That way it has native access to the SQL databases on that instance.
The C:\Program Files\Microsoft SQL Server\ directories will have an 80, 90 and other folders below them.
>> If I grant permissions to the first path, wouldn't that include the second path?
The MSSQL.# is the folder that holds your database folders, logs, backups etc. for the instance. Depending on how your setup is, these folders can be on different drives. Commonly you don't want to share the C: drive with your database because of space, disk contention, tuning, and a host of reasons. As you get deeper into the SQL Server side this will become more apparent.
>> or do you mean the application pool Identity user
I meant the application pool user. That way it has native access to the SQL databases on that instance.
ASKER
>>http://technet.microsoft.com/en-us/library/cc730708%28WS.10%29.aspx
demonstrates how to turn on:
Configure ASP.NET Impersonation Authentication (IIS 7)
When I change to those settings, it just errors indicating that ajax toolkit is not installed. If I use my original settings I never see this error.
>>http://forums.iis.net/p/1161275/1958682.aspx
This article someone asks a question about a specific problem. Some throws out a WAG a year later. However, there are no specifics to the problem. Nor how to set it up.
This article:
http://support.microsoft.com/kb/810572
on:
How to configure an ASP.NET application for a delegation scenario
These instructions are for IIS7.
This post:
http://msdn.microsoft.com/en-us/library/ms998355.aspx
Applies To ASP.NET version 2.0
Internet Information Services version 6.0
I am using IIS7 and the .NET Framework 3.5 and 4.0