SQL\IIS authentication issues

Posted on 2013-12-27
Last Modified: 2013-12-27
We are in the process of migrating a client from sbs 2003 to server 2012.  During the migration we found that their is a web app that is running on the sbs 2003 server that they need to run for the next month or so.  After removing exchange from sbs and demoting the sbs server to a member server and cleaning up dns, we are no longer able to access the site.  

First when we try and access the site it pops up a username and password box.  Instead of going directly to the software login page.  If you put in a domain username and password it continues to the software login page. When we try and login to the software we get authentication errors.  This only started happening after demoting the server.  I have attached screenshots of the error from IE.

Here are the errors in the event log:
error 1:
Event code: 3005 
Event message: An unhandled exception has occurred. 
Event time: 12/27/2013 10:17:28 AM 
Event time (UTC): 12/27/2013 3:17:28 PM 
Event ID: 40705810a0124788bebc7d14fff209eb 
Event sequence: 11 
Event occurrence: 10 
Event detail code: 0 
Application information: 
    Application domain: /LM/W3SVC/1/Root/rsystem20-1-130326266395505287 
    Trust level: Full 
    Application Virtual Path: /rsystem20 
    Application Path: C:\Inetpub\wwwroot\rsystem20\ 
    Machine name: GALAXY 
Process information: 
    Process ID: 848 
    Process name: w3wp.exe 
Exception information: 
    Exception type: SqlException 
    Exception message: Login failed for user 'NT AUTHORITY\NETWORK SERVICE'. 
Request information: 
    Request URL: unhandled exception has occurred.frsystem20An unhandled exception has occurred.fDefault.aspx 
    Request path: /rsystem20/login.aspx 
    User host address: 
    Is authenticated: False 
    Authentication Type:  
    Thread account name: NT AUTHORITY\NETWORK SERVICE 
Thread information: 
    Thread ID: 7 
    Thread account name: NT AUTHORITY\NETWORK SERVICE 
    Is impersonating: False 
    Stack trace:    at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection)
   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
   at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
   at System.Data.SqlClient.SqlInternalConnectionTds.CompleteLogin(Boolean enlistOK)
   at System.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo serverInfo, String newPassword, Boolean ignoreSniOpenTimeout, Int64 timerExpire, SqlConnection owningObject)
   at System.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(String host, String newPassword, Boolean redirectedUserInstance, SqlConnection owningObject, SqlConnectionString connectionOptions, Int64 timerStart)
   at System.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(SqlConnection owningObject, SqlConnectionString connectionOptions, String newPassword, Boolean redirectedUserInstance)
   at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, Object providerInfo, String newPassword, SqlConnection owningObject, Boolean redirectedUserInstance)
   at System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection)
   at System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnection owningConnection, DbConnectionPool pool, DbConnectionOptions options)
   at System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject)
   at System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject)
   at System.Data.ProviderBase.DbConnectionPool.GetConnection(DbConnection owningObject)
   at System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection)
   at System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory)
   at System.Data.SqlClient.SqlConnection.Open()
   at login.btnLog_Click(Object sender, EventArgs e) in C:\Inetpub\wwwroot\rsystem20\login.aspx.vb:line 19
   at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
   at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
   at System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument)
   at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
   at System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
Custom event details: 

For more information, see Help and Support Center at

Open in new window

Error 2
Login failed for user 'NT AUTHORITY\NETWORK SERVICE'. [CLIENT: <local machine>]

For more information, see Help and Support Center at

Open in new window

I logged into the sql management and added the nt authority\network service as a login account but it didn't make a difference.
Question by:cnesupport
  • 3
  • 3
LVL 59

Expert Comment

by:Kevin Cross
Comment Utility
Couple thoughts:
- is the new domain name the same for the new server?  In other words, you demoted the old SBS 2003 server, so does the new 2012 system host Active Directory as the SBS did before?

First when we try and access the site it pops up a username and password box.  Instead of going directly to the software login page.
- configure anonymous authentication in IIS.  Launch IIS Manager > Features View > Authentication page > Anonymous Authentication, then set user credentials.  Note: your NTFS permissions for the web directory needs to allow the selected credentials.

When we try and login to the software we get authentication errors...I logged into the sql management and added the nt authority\network service as a login account but it didn't make a difference.
- did you assign NETWORK SERVICE a role in the database containing the user logins?  
- In setting the credentials above, you could pick the domain user with access to SQL server.  
- Further, you can create a specific user in SQL server/domain for the application, assigning it permissions.  Instead of using trusted connection, which logs in with the authenticated Windows account, you can connect to SQL with named username and password through Web.config.

Author Comment

Comment Utility
Yes the domain is the same, transferred AD and FSMO roles over to the 2012 server.  The app is still hosted on the 2003 sbs server that has been demoted to a member server.

This app\webisite will not be moved to the new server as it is being phased out for a newer software that they have selected to use and just needs to work temporarily.

I did try and add the anonymous connection but it didn't work.  I will continue playing with these settings to get this corrected.

I also did add the network services but it made no difference.  I will also continue experimenting with this as well.

Author Comment

Comment Utility
Also forgot to mention when I add the network services login to the database it doesn't allow me to login to it at all.  Instead of giving me the error in the screenshot it says invalid username or password.
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

LVL 59

Expert Comment

by:Kevin Cross
Comment Utility
Ah.  Is the SQL server still on the SBS 2003 system, or did it move to the new server?
Regarding the network services, adding it as a login is one step, but to function with the application the account likely needs permission to the specific database.

If the SQL server is not on the same server, the credentials may not work because it is trying to use a local account on the SBS 2003 server versus one on the target server...this would be a good reason to use a specific AD user account in SQL and IIS created for the application.

It sounds like you set anonymous access already, but for completeness the reference above was for IIS on Windows 2012.  For IIS on Windows 2003, use

The NTFS note still applies; therefore, if you set anonymous directory access but receive a prompt for username/password, your NTFS permissions do not include the anonymous user account.

Author Comment

Comment Utility
correct the sql database and iis are still running on the old 2003 box.  
I did get the anonymous access working. (at least a small victory)

So basically I need to figure out how to change it so that IIS and the SQL database and the permissions on the apps folder are using a domain account instead of the local network services account, is that correct?
LVL 59

Accepted Solution

Kevin Cross earned 500 total points
Comment Utility
Yes.  Given the server was a domain controller before, you can check to see if there was an existing Active Directory account.  It may need additional policies and permissions that are already setup.  You can check your login and database security in SQL to gain insight also.  If you find an existing account, it could reduce the amount of configuration you have to hunt down.

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
In this article I will describe the Backup & Restore method as one possible migration process and I will add the extra tasks needed for an upgrade when and where is applied so it will cover all.
Internet Business Fax to Email Made Easy - With eFax Corporate (, you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now