cnesupport

SQL\IIS authentication issues

We are in the process of migrating a client from SBS 2003 to Server 2012.  During the migration we found that there is a web app that is running on the SBS 2003 server that they need to run for the next month or so.  After removing Exchange from SBS and demoting the SBS server to a member server and cleaning up DNS, we are no longer able to access the site.

First, when we try and access the site, it pops up a username and password box instead of going directly to the software login page.  If you put in a domain username and password it continues to the software login page. When we try to log in to the software we get authentication errors.  This only started happening after demoting the server.  I have attached screenshots of the error from IE.

Here are the errors in the event log:
error 1:
Event code: 3005 
Event message: An unhandled exception has occurred. 
Event time: 12/27/2013 10:17:28 AM 
Event time (UTC): 12/27/2013 3:17:28 PM 
Event ID: 40705810a0124788bebc7d14fff209eb 
Event sequence: 11 
Event occurrence: 10 
Event detail code: 0 
 
Application information: 
    Application domain: /LM/W3SVC/1/Root/rsystem20-1-130326266395505287 
    Trust level: Full 
    Application Virtual Path: /rsystem20 
    Application Path: C:\Inetpub\wwwroot\rsystem20\ 
    Machine name: GALAXY 
 
Process information: 
    Process ID: 848 
    Process name: w3wp.exe 
    Account name: NT AUTHORITY\NETWORK SERVICE 
 
Exception information: 
    Exception type: SqlException 
    Exception message: Login failed for user 'NT AUTHORITY\NETWORK SERVICE'. 
 
Request information: 
    Request URL: http://mail.robinshore.com/rsystem20/login.aspx?ReturnUrl=An unhandled exception has occurred.frsystem20An unhandled exception has occurred.fDefault.aspx 
    Request path: /rsystem20/login.aspx 
    User host address: 72.196.107.195 
    User:  
    Is authenticated: False 
    Authentication Type:  
    Thread account name: NT AUTHORITY\NETWORK SERVICE 
 
Thread information: 
    Thread ID: 7 
    Thread account name: NT AUTHORITY\NETWORK SERVICE 
    Is impersonating: False 
    Stack trace:    at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection)
   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
   at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
   at System.Data.SqlClient.SqlInternalConnectionTds.CompleteLogin(Boolean enlistOK)
   at System.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo serverInfo, String newPassword, Boolean ignoreSniOpenTimeout, Int64 timerExpire, SqlConnection owningObject)
   at System.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(String host, String newPassword, Boolean redirectedUserInstance, SqlConnection owningObject, SqlConnectionString connectionOptions, Int64 timerStart)
   at System.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(SqlConnection owningObject, SqlConnectionString connectionOptions, String newPassword, Boolean redirectedUserInstance)
   at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, Object providerInfo, String newPassword, SqlConnection owningObject, Boolean redirectedUserInstance)
   at System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection)
   at System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnection owningConnection, DbConnectionPool pool, DbConnectionOptions options)
   at System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject)
   at System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject)
   at System.Data.ProviderBase.DbConnectionPool.GetConnection(DbConnection owningObject)
   at System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection)
   at System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory)
   at System.Data.SqlClient.SqlConnection.Open()
   at login.btnLog_Click(Object sender, EventArgs e) in C:\Inetpub\wwwroot\rsystem20\login.aspx.vb:line 19
   at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
   at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
   at System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument)
   at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
   at System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
 
 
Custom event details: 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Error 2
Login failed for user 'NT AUTHORITY\NETWORK SERVICE'. [CLIENT: <local machine>]

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.




I logged into the SQL management and added the NT AUTHORITY\NETWORK SERVICE as a login account but it didn't make a difference.
IE-error.JPG
Kevin Cross

Couple thoughts:
- is the new domain name the same for the new server?  In other words, you demoted the old SBS 2003 server, so does the new 2012 system host Active Directory as the SBS did before?

"First when we try and access the site it pops up a username and password box.  Instead of going directly to the software login page."
- configure anonymous authentication in IIS.  Launch IIS Manager > Features View > Authentication page > Anonymous Authentication, then set user credentials.  Note: your NTFS permissions for the web directory need to allow the selected credentials.
ref: http://technet.microsoft.com/en-us/library/hh831515.aspx#Step3

"When we try and login to the software we get authentication errors...I logged into the sql management and added the nt authority\network service as a login account but it didn't make a difference."
- did you assign NETWORK SERVICE a role in the database containing the user logins?  
- In setting the credentials above, you could pick the domain user with access to SQL server.  
- Further, you can create a specific user in SQL server/domain for the application, assigning it permissions.  Instead of using trusted connection, which logs in with the authenticated Windows account, you can connect to SQL with named username and password through Web.config.
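
The difference this answer points at, between adding a server login and giving that login rights inside the application's database, shown in T-SQL as an added example that is not part of the original thread. It assumes SQL Server 2005 or later; `AppDb` is a placeholder for the application's database, which the thread does not name, and the two roles granted are an assumed minimum.

```sql
-- Added example. AppDb is a placeholder database name (not from the thread).
-- Assumes SQL Server 2005+ (CREATE LOGIN and the sys.* catalog views).

-- 1. Server level: does a login exist for the IIS worker identity
--    named in the event log ("Account name" / "Thread account name")?
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE name = N'NT AUTHORITY\NETWORK SERVICE';

-- 2. Create the Windows login only if it is missing.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'NT AUTHORITY\NETWORK SERVICE')
    CREATE LOGIN [NT AUTHORITY\NETWORK SERVICE] FROM WINDOWS;
GO

USE AppDb;  -- placeholder: the database the web app connects to
GO

-- 3. Database level: a login with no mapped user can authenticate to the
--    server but still cannot open this database.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'NT AUTHORITY\NETWORK SERVICE')
    CREATE USER [NT AUTHORITY\NETWORK SERVICE]
        FOR LOGIN [NT AUTHORITY\NETWORK SERVICE];
GO

-- 4. Grant read/write on tables rather than db_owner or sysadmin.
--    Assumption: the app uses direct table access. If it calls stored
--    procedures, grant EXECUTE on those objects as well.
EXEC sp_addrolemember N'db_datareader', N'NT AUTHORITY\NETWORK SERVICE';
EXEC sp_addrolemember N'db_datawriter', N'NT AUTHORITY\NETWORK SERVICE';
GO

-- 5. Verify what the account can now do in this database.
SELECT u.name AS db_user, r.name AS db_role
FROM sys.database_role_members AS m
JOIN sys.database_principals AS u
  ON u.principal_id = m.member_principal_id
JOIN sys.database_principals AS r
  ON r.principal_id = m.role_principal_id
WHERE u.name = N'NT AUTHORITY\NETWORK SERVICE';
```

The same statements apply to a dedicated domain account if the application pool identity is changed; substitute that account's name for `NT AUTHORITY\NETWORK SERVICE`.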
cnesupport

ASKER

Yes, the domain is the same, transferred AD and FSMO roles over to the 2012 server.  The app is still hosted on the 2003 SBS server that has been demoted to a member server.

This app\website will not be moved to the new server as it is being phased out for a newer software that they have selected to use and just needs to work temporarily.

I did try and add the anonymous connection but it didn't work.  I will continue playing with these settings to get this corrected.

I also did add the network services but it made no difference.  I will also continue experimenting with this as well.
Also forgot to mention: when I add the network services login to the database, it doesn't allow me to log in to it at all.  Instead of giving me the error in the screenshot, it says invalid username or password.

Ah.  Is the SQL server still on the SBS 2003 system, or did it move to the new server?
Regarding the network services, adding it as a login is one step, but to function with the application the account likely needs permission to the specific database.

If the SQL server is not on the same server, the credentials may not work because it is trying to use a local account on the SBS 2003 server versus one on the target server...this would be a good reason to use a specific AD user account in SQL and IIS created for the application.

It sounds like you set anonymous access already, but for completeness the reference above was for IIS on Windows 2012.  For IIS on Windows 2003, use http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/f594e137-e2da-4b22-ab58-f8edba938802.mspx?mfr=true.

The NTFS note still applies; therefore, if you set anonymous directory access but receive a prompt for username/password, your NTFS permissions do not include the anonymous user account.
Correct, the SQL database and IIS are still running on the old 2003 box.
I did get the anonymous access working. (at least a small victory)

So basically I need to figure out how to change it so that IIS and the SQL database and the permissions on the apps folder are using a domain account instead of the local network services account, is that correct?
ASKER CERTIFIED SOLUTION
Kevin Cross