Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


SQL\IIS authentication issues

Posted on 2013-12-27
Medium Priority
Last Modified: 2013-12-27
We are in the process of migrating a client from sbs 2003 to server 2012.  During the migration we found that their is a web app that is running on the sbs 2003 server that they need to run for the next month or so.  After removing exchange from sbs and demoting the sbs server to a member server and cleaning up dns, we are no longer able to access the site.  

First when we try and access the site it pops up a username and password box.  Instead of going directly to the software login page.  If you put in a domain username and password it continues to the software login page. When we try and login to the software we get authentication errors.  This only started happening after demoting the server.  I have attached screenshots of the error from IE.

Here are the errors in the event log:
error 1:
Event code: 3005 
Event message: An unhandled exception has occurred. 
Event time: 12/27/2013 10:17:28 AM 
Event time (UTC): 12/27/2013 3:17:28 PM 
Event ID: 40705810a0124788bebc7d14fff209eb 
Event sequence: 11 
Event occurrence: 10 
Event detail code: 0 
Application information: 
    Application domain: /LM/W3SVC/1/Root/rsystem20-1-130326266395505287 
    Trust level: Full 
    Application Virtual Path: /rsystem20 
    Application Path: C:\Inetpub\wwwroot\rsystem20\ 
    Machine name: GALAXY 
Process information: 
    Process ID: 848 
    Process name: w3wp.exe 
Exception information: 
    Exception type: SqlException 
    Exception message: Login failed for user 'NT AUTHORITY\NETWORK SERVICE'. 
Request information: 
    Request URL: http://mail.robinshore.com/rsystem20/login.aspx?ReturnUrl=An unhandled exception has occurred.frsystem20An unhandled exception has occurred.fDefault.aspx 
    Request path: /rsystem20/login.aspx 
    User host address: 
    Is authenticated: False 
    Authentication Type:  
    Thread account name: NT AUTHORITY\NETWORK SERVICE 
Thread information: 
    Thread ID: 7 
    Thread account name: NT AUTHORITY\NETWORK SERVICE 
    Is impersonating: False 
    Stack trace:    at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection)
   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
   at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
   at System.Data.SqlClient.SqlInternalConnectionTds.CompleteLogin(Boolean enlistOK)
   at System.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo serverInfo, String newPassword, Boolean ignoreSniOpenTimeout, Int64 timerExpire, SqlConnection owningObject)
   at System.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(String host, String newPassword, Boolean redirectedUserInstance, SqlConnection owningObject, SqlConnectionString connectionOptions, Int64 timerStart)
   at System.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(SqlConnection owningObject, SqlConnectionString connectionOptions, String newPassword, Boolean redirectedUserInstance)
   at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, Object providerInfo, String newPassword, SqlConnection owningObject, Boolean redirectedUserInstance)
   at System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection)
   at System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnection owningConnection, DbConnectionPool pool, DbConnectionOptions options)
   at System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject)
   at System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject)
   at System.Data.ProviderBase.DbConnectionPool.GetConnection(DbConnection owningObject)
   at System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection)
   at System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory)
   at System.Data.SqlClient.SqlConnection.Open()
   at login.btnLog_Click(Object sender, EventArgs e) in C:\Inetpub\wwwroot\rsystem20\login.aspx.vb:line 19
   at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
   at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
   at System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument)
   at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
   at System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
Custom event details: 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Open in new window

Error 2
Login failed for user 'NT AUTHORITY\NETWORK SERVICE'. [CLIENT: <local machine>]

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Open in new window

I logged into the sql management and added the nt authority\network service as a login account but it didn't make a difference.
Question by:cnesupport
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 60

Expert Comment

by:Kevin Cross
ID: 39742117
Couple thoughts:
- is the new domain name the same for the new server?  In other words, you demoted the old SBS 2003 server, so does the new 2012 system host Active Directory as the SBS did before?

First when we try and access the site it pops up a username and password box.  Instead of going directly to the software login page.
- configure anonymous authentication in IIS.  Launch IIS Manager > Features View > Authentication page > Anonymous Authentication, then set user credentials.  Note: your NTFS permissions for the web directory needs to allow the selected credentials.
ref: http://technet.microsoft.com/en-us/library/hh831515.aspx#Step3

When we try and login to the software we get authentication errors...I logged into the sql management and added the nt authority\network service as a login account but it didn't make a difference.
- did you assign NETWORK SERVICE a role in the database containing the user logins?  
- In setting the credentials above, you could pick the domain user with access to SQL server.  
- Further, you can create a specific user in SQL server/domain for the application, assigning it permissions.  Instead of using trusted connection, which logs in with the authenticated Windows account, you can connect to SQL with named username and password through Web.config.

Author Comment

ID: 39742145
Yes the domain is the same, transferred AD and FSMO roles over to the 2012 server.  The app is still hosted on the 2003 sbs server that has been demoted to a member server.

This app\webisite will not be moved to the new server as it is being phased out for a newer software that they have selected to use and just needs to work temporarily.

I did try and add the anonymous connection but it didn't work.  I will continue playing with these settings to get this corrected.

I also did add the network services but it made no difference.  I will also continue experimenting with this as well.

Author Comment

ID: 39742154
Also forgot to mention when I add the network services login to the database it doesn't allow me to login to it at all.  Instead of giving me the error in the screenshot it says invalid username or password.
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 60

Expert Comment

by:Kevin Cross
ID: 39742167
Ah.  Is the SQL server still on the SBS 2003 system, or did it move to the new server?
Regarding the network services, adding it as a login is one step, but to function with the application the account likely needs permission to the specific database.

If the SQL server is not on the same server, the credentials may not work because it is trying to use a local account on the SBS 2003 server versus one on the target server...this would be a good reason to use a specific AD user account in SQL and IIS created for the application.

It sounds like you set anonymous access already, but for completeness the reference above was for IIS on Windows 2012.  For IIS on Windows 2003, use http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/f594e137-e2da-4b22-ab58-f8edba938802.mspx?mfr=true.

The NTFS note still applies; therefore, if you set anonymous directory access but receive a prompt for username/password, your NTFS permissions do not include the anonymous user account.

Author Comment

ID: 39742177
correct the sql database and iis are still running on the old 2003 box.  
I did get the anonymous access working. (at least a small victory)

So basically I need to figure out how to change it so that IIS and the SQL database and the permissions on the apps folder are using a domain account instead of the local network services account, is that correct?
LVL 60

Accepted Solution

Kevin Cross earned 2000 total points
ID: 39742262
Yes.  Given the server was a domain controller before, you can check to see if there was an existing Active Directory account.  It may need additional policies and permissions that are already setup.  You can check your login and database security in SQL to gain insight also.  If you find an existing account, it could reduce the amount of configuration you have to hunt down.

Featured Post

 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are a web developer, you would be aware of the <iframe> tag in HTML. The <iframe> stands for inline frame and is used to embed another document within the current HTML document. The embedded document could be even another website.
A phishing scam that claims a recipient’s credit card details have been “suspended” is the latest trend in spoof emails.
Please read the paragraph below before following the instructions in the video — there are important caveats in the paragraph that I did not mention in the video. If your PaperPort 12 or PaperPort 14 is failing to start, or crashing, or hanging, …
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question