SQL\IIS authentication issues

We are in the process of migrating a client from SBS 2003 to Server 2012.  During the migration we found that there is a web app running on the SBS 2003 server that they need to run for the next month or so.  After removing Exchange from SBS, demoting the SBS server to a member server, and cleaning up DNS, we are no longer able to access the site.

First when we try and access the site it pops up a username and password box.  Instead of going directly to the software login page.  If you put in a domain username and password it continues to the software login page. When we try and login to the software we get authentication errors.  This only started happening after demoting the server.  I have attached screenshots of the error from IE.

Here are the errors in the event log:
error 1:
Event code: 3005 
Event message: An unhandled exception has occurred. 
Event time: 12/27/2013 10:17:28 AM 
Event time (UTC): 12/27/2013 3:17:28 PM 
Event ID: 40705810a0124788bebc7d14fff209eb 
Event sequence: 11 
Event occurrence: 10 
Event detail code: 0 
 
Application information: 
    Application domain: /LM/W3SVC/1/Root/rsystem20-1-130326266395505287 
    Trust level: Full 
    Application Virtual Path: /rsystem20 
    Application Path: C:\Inetpub\wwwroot\rsystem20\ 
    Machine name: GALAXY 
 
Process information: 
    Process ID: 848 
    Process name: w3wp.exe 
    Account name: NT AUTHORITY\NETWORK SERVICE 
 
Exception information: 
    Exception type: SqlException 
    Exception message: Login failed for user 'NT AUTHORITY\NETWORK SERVICE'. 
 
Request information: 
    Request URL: http://mail.robinshore.com/rsystem20/login.aspx?ReturnUrl=An unhandled exception has occurred.frsystem20An unhandled exception has occurred.fDefault.aspx 
    Request path: /rsystem20/login.aspx 
    User host address: 72.196.107.195 
    User:  
    Is authenticated: False 
    Authentication Type:  
    Thread account name: NT AUTHORITY\NETWORK SERVICE 
 
Thread information: 
    Thread ID: 7 
    Thread account name: NT AUTHORITY\NETWORK SERVICE 
    Is impersonating: False 
    Stack trace:    at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection)
   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
   at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
   at System.Data.SqlClient.SqlInternalConnectionTds.CompleteLogin(Boolean enlistOK)
   at System.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo serverInfo, String newPassword, Boolean ignoreSniOpenTimeout, Int64 timerExpire, SqlConnection owningObject)
   at System.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(String host, String newPassword, Boolean redirectedUserInstance, SqlConnection owningObject, SqlConnectionString connectionOptions, Int64 timerStart)
   at System.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(SqlConnection owningObject, SqlConnectionString connectionOptions, String newPassword, Boolean redirectedUserInstance)
   at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, Object providerInfo, String newPassword, SqlConnection owningObject, Boolean redirectedUserInstance)
   at System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection)
   at System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnection owningConnection, DbConnectionPool pool, DbConnectionOptions options)
   at System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject)
   at System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject)
   at System.Data.ProviderBase.DbConnectionPool.GetConnection(DbConnection owningObject)
   at System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection)
   at System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory)
   at System.Data.SqlClient.SqlConnection.Open()
   at login.btnLog_Click(Object sender, EventArgs e) in C:\Inetpub\wwwroot\rsystem20\login.aspx.vb:line 19
   at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
   at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
   at System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument)
   at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
   at System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
 
 
Custom event details: 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Error 2
Login failed for user 'NT AUTHORITY\NETWORK SERVICE'. [CLIENT: <local machine>]

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.




I logged into the sql management and added the nt authority\network service as a login account but it didn't make a difference.
Attachment: IE-error.JPG

Asked by: cnesupport
 
Kevin Cross, Chief Technology Officer, commented:
Couple thoughts:
- is the new domain name the same for the new server?  In other words, you demoted the old SBS 2003 server, so does the new 2012 system host Active Directory as the SBS did before?

"First when we try and access the site it pops up a username and password box.  Instead of going directly to the software login page."
- configure anonymous authentication in IIS.  Launch IIS Manager > Features View > Authentication page > Anonymous Authentication, then set user credentials.  Note: your NTFS permissions for the web directory need to allow the selected credentials.
ref: http://technet.microsoft.com/en-us/library/hh831515.aspx#Step3

"When we try and login to the software we get authentication errors...I logged into the sql management and added the nt authority\network service as a login account but it didn't make a difference."
- did you assign NETWORK SERVICE a role in the database containing the user logins?  
- In setting the credentials above, you could pick the domain user with access to SQL server.  
- Further, you can create a specific user in SQL server/domain for the application, assigning it permissions.  Instead of using trusted connection, which logs in with the authenticated Windows account, you can connect to SQL with named username and password through Web.config.
 
cnesupport (Author) commented:
Yes the domain is the same, transferred AD and FSMO roles over to the 2012 server.  The app is still hosted on the 2003 sbs server that has been demoted to a member server.

This app\website will not be moved to the new server, as it is being phased out for newer software that they have selected and just needs to work temporarily.

I did try and add the anonymous connection but it didn't work.  I will continue playing with these settings to get this corrected.

I also did add the network services but it made no difference.  I will also continue experimenting with this as well.
 
cnesupport (Author) commented:
Also forgot to mention when I add the network services login to the database it doesn't allow me to login to it at all.  Instead of giving me the error in the screenshot it says invalid username or password.
 
Kevin Cross, Chief Technology Officer, commented:
Ah.  Is the SQL server still on the SBS 2003 system, or did it move to the new server?
Regarding the network services, adding it as a login is one step, but to function with the application the account likely needs permission to the specific database.

If the SQL server is not on the same server, the credentials may not work because it is trying to use a local account on the SBS 2003 server versus one on the target server...this would be a good reason to use a specific AD user account in SQL and IIS created for the application.

It sounds like you set anonymous access already, but for completeness the reference above was for IIS on Windows 2012.  For IIS on Windows 2003, use http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/f594e137-e2da-4b22-ab58-f8edba938802.mspx?mfr=true.

The NTFS note still applies; therefore, if you set anonymous directory access but receive a prompt for username/password, your NTFS permissions do not include the anonymous user account.
0
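The distinction drawn in the two answers above (a server-level login versus permission in the specific database), as an added T-SQL example that is not part of the original thread. It assumes SQL Server 2005 or later and a sysadmin session; the database name AppDb and the choice of roles are placeholders, not values from the question.

```sql
-- Added example. AppDb and the role choices are assumptions (placeholders).
-- Step 1 (server level): confirm the login exists and is enabled.
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE name = N'NT AUTHORITY\NETWORK SERVICE';

IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'NT AUTHORITY\NETWORK SERVICE')
    CREATE LOGIN [NT AUTHORITY\NETWORK SERVICE] FROM WINDOWS;
GO

USE [AppDb];  -- placeholder: the database the web app connects to
GO

-- Step 2 (database level): a login alone grants no access to a database.
-- It must be mapped to a database user; match on SID, not on name.
SELECT dp.name AS db_user, sp.name AS login_name
FROM sys.database_principals AS dp
JOIN sys.server_principals AS sp ON dp.sid = sp.sid
WHERE sp.name = N'NT AUTHORITY\NETWORK SERVICE';

IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE sid = SUSER_SID(N'NT AUTHORITY\NETWORK SERVICE'))
    CREATE USER [NT AUTHORITY\NETWORK SERVICE]
        FOR LOGIN [NT AUTHORITY\NETWORK SERVICE];
GO

-- Step 3: grant only what the application needs (read/write here),
-- rather than db_owner or a server role. An app that calls stored
-- procedures also needs EXECUTE granted on those procedures.
EXEC sp_addrolemember N'db_datareader', N'NT AUTHORITY\NETWORK SERVICE';
EXEC sp_addrolemember N'db_datawriter', N'NT AUTHORITY\NETWORK SERVICE';
GO

-- Step 4: verify the resulting role membership.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON drm.role_principal_id = r.principal_id
JOIN sys.database_principals AS m ON drm.member_principal_id = m.principal_id
WHERE m.name = N'NT AUTHORITY\NETWORK SERVICE';
```

The same login, user and role steps apply to a dedicated domain account created for the application; substitute its name for NETWORK SERVICE throughout.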
 
cnesupport (Author) commented:
Correct, the SQL database and IIS are still running on the old 2003 box.
I did get the anonymous access working. (at least a small victory)

So basically I need to figure out how to change it so that IIS and the SQL database and the permissions on the apps folder are using a domain account instead of the local network services account, is that correct?
 
Kevin Cross, Chief Technology Officer, commented:
Yes.  Given the server was a domain controller before, you can check to see if there was an existing Active Directory account.  It may need additional policies and permissions that are already set up.  You can check your login and database security in SQL to gain insight also.  If you find an existing account, it could reduce the amount of configuration you have to hunt down.