When I run the web application via VS 2008, the application is able to log on to SQL Server and check the credentials (user name and password) entered by the user, but when I browse to this application via IIS 7 and try to post back the user name and password, the application reports an exception:
System.Data.SqlClient.SqlException: Login failed for user 'NT AUTHORITY\NETWORK SERVICE'
Thanks
EDIT:
Hello,
It works now, though I don’t understand why the machine account needed those rights. I understand the machine account needs some rights to be able to “talk to” a specific program (SQL Server), but why does it need rights to access the database and its tables? Isn’t it up to the account specified in the connection string
<add name="MyConnection" connectionString="data source=localhost; integrated security=sspi; initial catalog=aspnetdb;" />
to have appropriate access rights to database and its tables?
This account does not have a password, and any password information that you supply is ignored. The Local System account has full access to the system, including the directory service on domain controllers. Because the Local System account acts as a computer on the network, it has access to network resources.
NT AUTHORITY\NetworkService ( S-1-5-20 ; also displayed as simply "NETWORK SERVICE") "is a predefined local account used by the service control manager.. has minimum privileges on the local computer and acts as the computer on the network."
When the OS can't validate who you are, you are NT AUTHORITY\ANONYMOUS LOGON. You typically see this in double hop situations like when you have a client connecting to SSRS and SSRS isn't on the same server as the SQL Server where the DB is located. As you might have guessed, they shouldn't have done this.
You will need to actually create an account in SQL Server for the Network Service account. Then you will grant it access to your database; the specific permissions that you grant the account depend on the nature of the tasks that your database needs to do.
You can do this all in SSMS via the "Security" section: right-click on "Logins" and select add. You will be adding a Windows Account; you can then look up and validate the name "NETWORK SERVICE". Then switch to the "User Mapping" section and grant permission to view your database. The permissions, as I said, are up to you, or you can assign it dbowner permissions for full control.
After doing that you will be fine. I do caution against giving the application more permissions than needed!
Personally I would run the Web app under a custom service account. If you really want to run it under Network Service, see this MSDN document.
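The SSMS steps above, written as T-SQL with a narrow role in place of full control; this is an added example, not part of the original answer. With integrated security=sspi the connection is made as the process identity (NETWORK SERVICE in the error above), so that is the principal being granted access. It assumes aspnetdb was set up with aspnet_regsql, which creates the aspnet_Membership_* roles, and that the application only validates logins.

```sql
-- Added example, not from the original answer.
-- Assumption: aspnetdb was created with aspnet_regsql, so the
-- aspnet_Membership_* database roles already exist.
USE master;
GO
-- 1. Server-level login for the IIS worker identity (Windows principal, no password).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'NT AUTHORITY\NETWORK SERVICE')
    CREATE LOGIN [NT AUTHORITY\NETWORK SERVICE] FROM WINDOWS
        WITH DEFAULT_DATABASE = [aspnetdb];
GO
USE aspnetdb;
GO
-- 2. Database user mapped to that login ("User Mapping" in SSMS).
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'NT AUTHORITY\NETWORK SERVICE')
    CREATE USER [NT AUTHORITY\NETWORK SERVICE]
        FOR LOGIN [NT AUTHORITY\NETWORK SERVICE];
GO
-- 3. Least privilege: membership in the basic-access role only,
--    rather than db_owner. Assumption: the app just checks credentials;
--    add further roles only if a feature fails with a permission error.
EXEC sp_addrolemember N'aspnet_Membership_BasicAccess',
                      N'NT AUTHORITY\NETWORK SERVICE';
GO
-- 4. Review what the account ended up with. Expect a single row;
--    a db_owner row here means the account is over-privileged.
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'NT AUTHORITY\NETWORK SERVICE';
GO
```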