8
votes

I have a classic ASP app that I am trying to connect to a SQL Server 2008 database on a different server. The ASP app is being served from IIS7 on Windows Server 2008.

I have changed the web site's application pool to run under a specific Windows account that I have verified has access to the database on the remote server.

However, when I run the app in the browser, I get this error:

Application Error 
Number: -2147217843 (0x80040E4D)
Source: Microsoft OLE DB Provider for SQL Server
Description: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. 

Why is it trying to connect using NT AUTHORITY\ANONYMOUS LOGON? Does the App pool identity not apply to classic ASP code? How can I make this connect as a specific user?

EDIT

Here is the connection string I am using:

Provider=SQLOLEDB.1;Data Source=myDbServer;Initial Catalog=myDatabase;Integrated Security=SSPI


3 Answers

22
votes

For a site to use the application pool identity for classic ASP, you need to change the credentials used for Anonymous Authentication. By default, the site will be set to use a specific user, namely IUSR.

Select Authentication from the IIS area of your site, then select Anonymous Authentication followed by Edit. Change from Specific user to Application pool identity.

It's advisable to use Windows authentication (integrated security) over SQL authentication so that you don't have credentials in your config files; that way, if those files are compromised, you don't lose control of the credentials.
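Added example, not part of the original answer: a PowerShell version of the IIS Manager steps above. It reports which account Anonymous Authentication currently uses for the site and switches it to the application pool identity. The site name is a placeholder, and the script assumes the WebAdministration module is installed and the session is elevated.

```powershell
# Added example; $siteName is a placeholder for your own site.
Import-Module WebAdministration

$siteName = 'MyClassicAspSite'   # hypothetical site name
$filter   = '/system.webServer/security/authentication/anonymousAuthentication'

# 1. Which application pool serves the site, and which account does it run as?
$poolName = (Get-Item "IIS:\Sites\$siteName").applicationPool
$pool     = Get-Item "IIS:\AppPools\$poolName"
$poolAcct = if ($pool.processModel.identityType -eq 'SpecificUser') {
                $pool.processModel.userName
            } else {
                $pool.processModel.identityType
            }
Write-Host "Application pool '$poolName' runs as: $poolAcct"

# 2. Which account does Anonymous Authentication hand to the request?
#    An empty userName means "Application pool identity"; the default is IUSR.
$anon = Get-WebConfiguration -PSPath 'IIS:\' -Location $siteName -Filter $filter
$anonAcct = if ($anon.userName) { $anon.userName } else { '(application pool identity)' }
Write-Host "Anonymous Authentication enabled: $($anon.enabled), user: $anonAcct"

# 3. If a specific user (such as IUSR) is configured, clear it. This is the
#    same change as choosing "Application pool identity" in the Edit dialog.
if ($anon.enabled -and $anon.userName) {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName `
        -Filter $filter -Name userName -Value ''
    Write-Host "Anonymous requests for '$siteName' now run as: $poolAcct"
}

# 4. Re-read the setting to confirm the change was written.
$check = Get-WebConfiguration -PSPath 'IIS:\' -Location $siteName -Filter $filter
if ($check.userName) {
    Write-Warning "Anonymous user is still '$($check.userName)'"
} else {
    Write-Host 'Anonymous Authentication uses the application pool identity.'
}
```

With this in place, a connection string that uses Integrated Security=SSPI connects as the pool account, so that account is the one that needs a login on the SQL Server.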

0
votes

Does your app impersonate the caller? You need to enable constrained delegation: Configuring Servers for Delegation.

-1
votes

You should specify a username and password for the connection string (www.connectionstrings.com) or set the IIS application to run as a specific user; however, that would then render a lot of the security settings in IIS obsolete.

Provider=SQLNCLI10;Server=myServerAddress;Database=myDataBase;Uid=myUsername; Pwd=myPassword;

And have a look here: aspfaq

Lastly, make sure anonymous access is disabled on the IIS site so that it actually impersonates the user you selected instead of passing the anonymous tokens through.