SQL\IIS authentication issues

Posted on 2013-12-27
Last Modified: 2013-12-27
We are in the process of migrating a client from sbs 2003 to server 2012.  During the migration we found that their is a web app that is running on the sbs 2003 server that they need to run for the next month or so.  After removing exchange from sbs and demoting the sbs server to a member server and cleaning up dns, we are no longer able to access the site.  

First when we try and access the site it pops up a username and password box.  Instead of going directly to the software login page.  If you put in a domain username and password it continues to the software login page. When we try and login to the software we get authentication errors.  This only started happening after demoting the server.  I have attached screenshots of the error from IE.

Here are the errors in the event log:
error 1:
Event code: 3005 
Event message: An unhandled exception has occurred. 
Event time: 12/27/2013 10:17:28 AM 
Event time (UTC): 12/27/2013 3:17:28 PM 
Event ID: 40705810a0124788bebc7d14fff209eb 
Event sequence: 11 
Event occurrence: 10 
Event detail code: 0 
Application information: 
    Application domain: /LM/W3SVC/1/Root/rsystem20-1-130326266395505287 
    Trust level: Full 
    Application Virtual Path: /rsystem20 
    Application Path: C:\Inetpub\wwwroot\rsystem20\ 
    Machine name: GALAXY 
Process information: 
    Process ID: 848 
    Process name: w3wp.exe 
Exception information: 
    Exception type: SqlException 
    Exception message: Login failed for user 'NT AUTHORITY\NETWORK SERVICE'. 
Request information: 
    Request URL: unhandled exception has occurred.frsystem20An unhandled exception has occurred.fDefault.aspx 
    Request path: /rsystem20/login.aspx 
    User host address: 
    Is authenticated: False 
    Authentication Type:  
    Thread account name: NT AUTHORITY\NETWORK SERVICE 
Thread information: 
    Thread ID: 7 
    Thread account name: NT AUTHORITY\NETWORK SERVICE 
    Is impersonating: False 
    Stack trace:    at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection)
   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
   at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
   at System.Data.SqlClient.SqlInternalConnectionTds.CompleteLogin(Boolean enlistOK)
   at System.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo serverInfo, String newPassword, Boolean ignoreSniOpenTimeout, Int64 timerExpire, SqlConnection owningObject)
   at System.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(String host, String newPassword, Boolean redirectedUserInstance, SqlConnection owningObject, SqlConnectionString connectionOptions, Int64 timerStart)
   at System.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(SqlConnection owningObject, SqlConnectionString connectionOptions, String newPassword, Boolean redirectedUserInstance)
   at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, Object providerInfo, String newPassword, SqlConnection owningObject, Boolean redirectedUserInstance)
   at System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection)
   at System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnection owningConnection, DbConnectionPool pool, DbConnectionOptions options)
   at System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject)
   at System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject)
   at System.Data.ProviderBase.DbConnectionPool.GetConnection(DbConnection owningObject)
   at System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection)
   at System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory)
   at System.Data.SqlClient.SqlConnection.Open()
   at login.btnLog_Click(Object sender, EventArgs e) in C:\Inetpub\wwwroot\rsystem20\login.aspx.vb:line 19
   at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
   at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
   at System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument)
   at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
   at System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
Custom event details: 

For more information, see Help and Support Center at

Open in new window

Error 2
Login failed for user 'NT AUTHORITY\NETWORK SERVICE'. [CLIENT: <local machine>]

For more information, see Help and Support Center at

Open in new window

I logged into the sql management and added the nt authority\network service as a login account but it didn't make a difference.
Question by:cnesupport
  • 3
  • 3
LVL 59

Expert Comment

by:Kevin Cross
ID: 39742117
Couple thoughts:
- is the new domain name the same for the new server?  In other words, you demoted the old SBS 2003 server, so does the new 2012 system host Active Directory as the SBS did before?

First when we try and access the site it pops up a username and password box.  Instead of going directly to the software login page.
- configure anonymous authentication in IIS.  Launch IIS Manager > Features View > Authentication page > Anonymous Authentication, then set user credentials.  Note: your NTFS permissions for the web directory needs to allow the selected credentials.

When we try and login to the software we get authentication errors...I logged into the sql management and added the nt authority\network service as a login account but it didn't make a difference.
- did you assign NETWORK SERVICE a role in the database containing the user logins?  
- In setting the credentials above, you could pick the domain user with access to SQL server.  
- Further, you can create a specific user in SQL server/domain for the application, assigning it permissions.  Instead of using trusted connection, which logs in with the authenticated Windows account, you can connect to SQL with named username and password through Web.config.

Author Comment

ID: 39742145
Yes the domain is the same, transferred AD and FSMO roles over to the 2012 server.  The app is still hosted on the 2003 sbs server that has been demoted to a member server.

This app\webisite will not be moved to the new server as it is being phased out for a newer software that they have selected to use and just needs to work temporarily.

I did try and add the anonymous connection but it didn't work.  I will continue playing with these settings to get this corrected.

I also did add the network services but it made no difference.  I will also continue experimenting with this as well.

Author Comment

ID: 39742154
Also forgot to mention when I add the network services login to the database it doesn't allow me to login to it at all.  Instead of giving me the error in the screenshot it says invalid username or password.
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

LVL 59

Expert Comment

by:Kevin Cross
ID: 39742167
Ah.  Is the SQL server still on the SBS 2003 system, or did it move to the new server?
Regarding the network services, adding it as a login is one step, but to function with the application the account likely needs permission to the specific database.

If the SQL server is not on the same server, the credentials may not work because it is trying to use a local account on the SBS 2003 server versus one on the target server...this would be a good reason to use a specific AD user account in SQL and IIS created for the application.

It sounds like you set anonymous access already, but for completeness the reference above was for IIS on Windows 2012.  For IIS on Windows 2003, use

The NTFS note still applies; therefore, if you set anonymous directory access but receive a prompt for username/password, your NTFS permissions do not include the anonymous user account.

Author Comment

ID: 39742177
correct the sql database and iis are still running on the old 2003 box.  
I did get the anonymous access working. (at least a small victory)

So basically I need to figure out how to change it so that IIS and the SQL database and the permissions on the apps folder are using a domain account instead of the local network services account, is that correct?
LVL 59

Accepted Solution

Kevin Cross earned 500 total points
ID: 39742262
Yes.  Given the server was a domain controller before, you can check to see if there was an existing Active Directory account.  It may need additional policies and permissions that are already setup.  You can check your login and database security in SQL to gain insight also.  If you find an existing account, it could reduce the amount of configuration you have to hunt down.

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In SQL Server, when rows are selected from a table, does it retrieve data in the order in which it is inserted?  Many believe this is the case. Let us try to examine for ourselves with an example. To get started, use the following script, wh…
In this article I will describe the Copy Database Wizard method as one possible migration process and I will add the extra tasks needed for an upgrade when and where is applied so it will cover all.
Video by: Mark
This lesson goes over how to construct ordered and unordered lists and how to create hyperlinks.
Many functions in Excel can make decisions. The most simple of these is the IF function: it returns a value depending on whether a condition you describe is true or false. Once you get the hang of using the IF function, you will find it easier to us…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now