IIS fails to pass windows credentials through to SQL Server for ASP.NET Core app

dy2hfwbg  于 2023-10-15  发布在  Windows
关注(0)|答案(5)|浏览(106)

I work for a large company with an intranet and Windows AD logins for everyone. We have a number of internal SQL Server databases which allow us to log in using Windows authentication, one of which I'm trying to connect to through an ASP.NET Core application. I can connect to this database through SQL Server Management Studio and query the tables fine.

I've followed the tutorial for an ASP.NET Core app using an existing database as closely as I possibly could, and created a single model class to test with to see if I could read data from the database. When debugging with IIS Express in Visual Studio, I can read data from the database when accessing the auto-generated controller and views.

Everything seems fine when debugging, but when publishing to IIS, I receive the following error:

SqlException: Login failed for user '<DOMAIN>\<COMPUTERNAME>$'.

Where domain is my domain and computername is my computer's name. This is expected, since my computer itself doesn't have access to the database. But it shouldn't be trying to connect using that system account (with the dollar sign), it should be trying to connect with my windows account: <DOMAIN>\<USERNAME> .

What's weirder, the app does seem to recognize my Windows credentials in some capacity - when I access the home page, I get the familiar "Hello, <DOMAIN>\<USERNAME>!" message in the nav bar. So the Windows credentials are definitely getting passed through to the app, but for some reason not getting passed through when trying to connect to the database through DbContext.

Am I missing something obvious here?

My Code

I started with Visual Studio's ASP.NET Core Web Application template.

In launchSettings.json, I have:

"iisSettings": {
    "windowsAuthentication": true, 
    "anonymousAuthentication": false, 
    "iisExpress": {
      "applicationUrl": "http://localhost:60686",
      "sslPort": 44336
    }
  },

In appsettings.json, I have:

"ConnectionStrings": {
    "MyDB": "Server=<servername>;Database=<dbname>;Trusted_Connection=True;"
  },

In Startup.cs, I have the following line in ConfigureServices

services.AddDbContext<MyContext>(options => {
                options.UseSqlServer(Configuration.GetConnectionString("MyDB"));
            });

And from there, I have scaffolded an MVC controller with views using Entity Framework.

IIS has Windows authentication set to Yes and anonymous authentication set to No. My application pool is set to No Managed Code with ApplicationPoolIdentity.

Edit: The problem

To state the actual problem I'm trying to solve, I have a SQL Server database on a remote intranet server which allows access to a subset of the whole company via Windows authentication. If I want to create an ASP.NET application to provide an API to that database, hosted by IIS, what's the best way to do this? Assuming:

  1. I don't want to have to manage permissions myself or have to duplicate them in some way
  2. The people who have access to the database directly should have access to the API, the people who don't should not.
  3. If they're accessing it from within the intranet while logged in to Windows, they shouldn't have to log in again.

I assumed I could just pass their windows credentials from IIS through the app to SQL server but I'm starting to wonder if that's actually the case.

rjee0c15

rjee0c151#

After learning more about .NET and what Windows auth actually does on IIS, I'm going to say that what I was trying to do is not recommended. There is a difference between passing windows credentials to a .NET app in order to read from them, vs. actually executing a secondary process as that user. The latter case is what I was trying to do, but instead should set up my app pool in IIS with a user who can log in to the database, and use the windows credentials to verify against the list of users who have access.

pkln4tw6

pkln4tw62#

You are using Entity-Framework for SqlServer and EF is using ADO.NET SqlClient. Therefore Trusted_Connection=yes; does not work.

Add Integrated Security=true; instead and it should be fixed.

Here some resources to read about it https://learn.microsoft.com/en-us/dotnet/framework/data/adonet/connection-string-syntax

2eafrhcq

2eafrhcq3#

Not to dig up an old thread, but this is a function that should work as long as Identity Impersonate = True is set. Here's some stuff being worked on.

GitHub Doc

pgvzfuti

pgvzfuti4#

I'll add my answer because this is how I fixed this issue.
The reason a "$"-sign is added to the login name/user must have something to do with the IIS that the application is being hosted on.

I'm not an expert on any of this, so I can't really go in-depth, but I've added the IIS user to the Logins and then it works.

USE [master]
GO

CREATE LOGIN [IIS APPPOOL\'name'] FROM WINDOWS WITH DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english]
GO

ALTER SERVER ROLE [sysadmin] ADD MEMBER [IIS APPPOOL\'name']
GO

ALTER SERVER ROLE [securityadmin] ADD MEMBER [IIS APPPOOL\'name']
GO

ALTER SERVER ROLE [serveradmin] ADD MEMBER [IIS APPPOOL\'name']
GO

ALTER SERVER ROLE [setupadmin] ADD MEMBER [IIS APPPOOL\'name']
GO

ALTER SERVER ROLE [processadmin] ADD MEMBER [IIS APPPOOL\'name']
GO

ALTER SERVER ROLE [diskadmin] ADD MEMBER [IIS APPPOOL\'name']
GO

ALTER SERVER ROLE [dbcreator] ADD MEMBER [IIS APPPOOL\'name']
GO

ALTER SERVER ROLE [bulkadmin] ADD MEMBER [IIS APPPOOL\'name']
GO

You have to change 'name' to your IIS hosted application name. So for example if you app/site's name in ISS is "My-Backend-App" you should do:

CREATE LOGIN [IIS APPPOOL\My-Backend-App] FROM WINDOWS ...

So all the names should be "My-Backend-App".

When adding this user to the logins, my backend application could access & create the DB, create tables, access data etc...

SIDENOTE: I've used the Windows Event logger to find out this was my issue. My application just crashed, said a "500.30" error but no real information given.

You can access the "Event Viewer" application from Windows Search. Then you can go to "Applications" and there are all application errors/crashes that occured on your machine, and in this case also the reason why. It said it couldn't find user "myUser$" while trying to login to SQL, but the Windows Authentication user was "myUser". So for some reason it added a "$"-sign and couldn't log in. My fix above fixes this issue and you can login etc.

3vpjnl9f

3vpjnl9f5#

@Aias is correct, this answer is for future help only and to complete with some more details:

1 - on IIS, on the Advanced Settings of the Application Pool that has your site, you must set one user that has permissions to access SQL Server instance/database. That is done in Process Model > Identity;

2 - on SQL Server, on the security options (under databases), add the user that you reference on previous point, or, even better, define a group that contains that user;

Cheers.

相关问题