SQL Server and windows authentication in IIS7

9
votes

I'm trying to get an ASP.NET website running on Vista (IIS7), using SQL Server and Windows Authentication. No matter what I do, when I connect to the database, I get the exception:

    SqlException was unhandled
    Login failed for user 'MyDomain\MachineName$'.

It doesn't seem to matter what settings I apply, I cannot get IIS7 to pass through my Windows login credentials.

Extra details:

  • Both the SQL Server and my local machine are on ActiveDirectory
  • Vista Enterprise, IIS7
  • SQL Server 2005
  • Anonymous Authentication disabled, Windows Authentication enabled
  • Impersonation on/off makes no difference
  • All Identities (NetworkService, LocalSystem, etc) give the same result
  • Classic and integrated pipelines give the same result

Help!

4
asp.netsql-serveriis-7windows-authentication
Is ISS and SQL Server on different servers or the same server?Raj More
Yep, they're running on different servers.gerrod

4 Answers

8
votes

Impersonation on/off makes all the difference, when properly configured. What you want is caled 'constrained delegation' and you need to configure IIS and ASP for it:

2
votes

By default, the IIS server is not allowed to impersonate you towards the SQL Server. There's an MSDN article on how to configure it. The configuration process is complex and error prone.

If your production ISS and SQL Server run on different servers, you'll need a domain admin to configure impersonation trust between the two servers. This is typically a no-go in a big organization.

In addition to not being deployed by normal admins, impersonation also prevents users from sharing their connections in the SQL connection pool. This results in a very noticeable performance penalty for even small (5+ users) websites.

0
votes

Did you try to create a new user account for your application, grant it the appropriate rights on the Sql Server, and then set the application pool to run under this new account? This is what I usually do, and it works. I'm not running my application under NetworkService, LocalSystem or other builtin accounts.

0
votes

Does your connection string contain Integrated Security=SSPI?

Have you switched the asp.net context to be a domain user as well?

Here is an MSDN article on this topic

http://msdn.microsoft.com/en-us/library/2xzyzb0f.aspx