Login failed for user 'NT AUTHORITY\NETWORK SERVICE'

I have:

(1) SQL 2005 on a member server, Windows Authentication

(2) I'm using Visual Studio.Net 2005 on my Windows XP sp2 work station.

(3) From my machine, within my development application, I have no problem accessing the Data in the SQL server.

(4) I Receive the Login Failed error after I copy my project to the Test Web Server (Same machine that houses SQL) and test from either my machine or from the host server.

More details of the error message are:

Login failed for user 'NT AUTHORITY\NETWORK SERVICE'.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: Login failed for user 'NT AUTHORITY\NETWORK SERVICE'.

Source Error:

Line 33: DA = New SqlDataAdapter(sSql, CONN_STRING)
Line 34: DS = New DataSet
Line 35: DA.Fill(DS)
Line 36:
Line 37: Session("NameInquiry_DS") = DS

Source File: C:\Inetpub\wwwroot\nameinquiry\NameInquiry.aspx.vb Line: 35

The finished product is to be an Intranet site only; accessible by employees within our own private network.

The SQL is a new install with only test data.

What have I missed that is causing the permission problem? The event viewer shows a nonauthenticated user is causing the problem. But, how do I correct this?

Could you please post the connection string here and the part of the web.config file about impersonation (if any and not commented out). This is a configuration problem. Which user do you want to authenticate while connecting to the database ?

http://msdn2.microsoft.com/en-us/library/aa302377.aspx

HTH, Jens K. Suessmeyer.

http://www.sqlserver2005.de|||

Hi, Terry

Try to read following article, they probably include solution to your problem:

1) http://support.microsoft.com/kb/316989/

2) https://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=348662&SiteID=17

3) http://msdn2.microsoft.com/en-us/library/ab4e6cky(vs.80).aspx

Good Luck!

Ming.

|||

Here is my connection string and the Web.Config.

What is confusing is that I have zero issues running the application within VS ASP.NET. It's only when I run the application outside the development software.

When I check the Event Viewer on the server that houses SQL, the login name is blank. That's why I believe I have a permissions error. I just don't have any idea what permissions to set. It doesn't matter which desktop I use, the connection fails. If I try to access the website from the Server it's housed using the administrator login, I still get the Login failed message.

<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">

<appSettings>
<add key="ConnStringer" Value="packet size=4096;Data Source=MYSERVER;Initial Catalog=MyDataBase;Integrated Security=True;"/>
</appSettings>

<connectionStrings>
<add name="myConnection" connectionString="server=MYSERVER;database=MyDataBase;Integrated Security=True"
providerName="System.Data.SqlClient" />
</connectionStrings>
<authentication mode="Forms" />
<roleManager enabled="true" />
<compilation debug="true" strict="false" explicit="true"/>
<pages>
<namespaces>
<clear/>
<add namespace="System"/>
<add namespace="System.Collections"/>
<add namespace="System.Collections.Specialized"/>
<add namespace="System.Configuration"/>
<add namespace="System.Text"/>
<add namespace="System.Text.RegularExpressions"/>
<add namespace="System.Web"/>
<add namespace="System.Web.Caching"/>
<add namespace="System.Web.SessionState"/>
<add namespace="System.Web.Security"/>
<add namespace="System.Web.Profile"/>
<add namespace="System.Web.UI"/>
<add namespace="System.Web.UI.WebControls"/>
<add namespace="System.Web.UI.WebControls.WebParts"/>
<add namespace="System.Web.UI.HtmlControls"/>
</namespaces>
</pages>
<!--
The <authentication> section enables configuration
of the security authentication mode used by
ASP.NET to identify an incoming user.
-->
<!--
The <customErrors> section enables configuration
of what to do if/when an unhandled error occurs
during the execution of a request. Specifically,
it enables developers to configure html error pages
to be displayed in place of a error stack trace.

<customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
<error statusCode="403" redirect="NoAccess.htm" />
<error statusCode="404" redirect="FileNotFound.htm" />
</customErrors>

-->

<anonymousIdentification enabled="true"/>
<profile enabled="true">
<properties>
<add name="myGroupID" allowAnonymous="true"/>
<add name="myUserID" allowAnonymous="true"/>
</properties>
</profile>


</system.web>
</configuration>

|||

Ming,

The articles were very informitive but none of the possible solutions resolved my problem.

In an earlier post, I stated that everything worked fine within my VS .NET application. I have since learned that as long as I view data only, it works. If I attempt to do any writes, the application fails. Therefore, I'm more convinced this is an authentication related issue. Now I'm asking the following questions as I try to locate and resolve this issue:

I have determined that NT AUTHORITY\NETWORK SERVICE is the default login when I run my application. Based on what I've read from the many web posts concerning Windows Authenticaion, this is normal. How do I control the default login name? Meaning, can this be changed? If so, How? Should it be changed? Can I set various permissions to the various SQL databases? If so, How?

|||

Are your client and server machine in WORKGROUP instead of domain? If so, can you try grant database login to "<machinename>\guest" see whether it works?

As for your questions that how to control default login name, it is more of ASP.NET configuration issue, such as you can change ASP.NET account( http://www.bluevisionsoftware.com/WebSite/TipsAndTricksDetails.aspx?Name=AspNetAccount)

or post your question in ASP.NET forum.

The workaround here is

1) Change your connection string to force tcp connection(adding prefix "tcp:" in DataSource field ).

2) Use SQL authentication.

Good Luck!

Ming.

|||

Hi,

using Anonymous authentication will make you able to use a single user connecting to the database. This uer has to be setup in the security tab of the website in the IIS configuration screen. If you want to use this combination, you will have to set the tag of the web.config to impersonate=true. This will let you use login procided within the IIS to access SQL Server. If you want to authenticate / impersonate the user which is currently accessing the web page, you will have to (assuming that the web server is on the same server as the SQl Server) disbal the anonymous access option in the IIS configuration dialog.

HTH, Jens K. Suessmeyer.

http://www.sqlserver2005.de

|||

I think that the 3rd of Ming's posts alludes to the potential problem and provides links to additional relevant info (and your hunch about authentication related issue would also be accurate). The most likely source of the problem, as Ming and Jens have pointed out, is impersonation.

NT AUTHORITY\NETWORK SERVICE is the account that IIS runs under on Windows Server 2003 and without any additional configuration, this is the account that will attempt to access whatever resources the web application needs. Since this is the account that is trying to access the database, it appears that the outbound attempt is not attempting the connection as the connected user. This is where the web.config settings that Jens mentioned come into play and there's a good synopsis of the options available on http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetAP05.asp (this looks identical to the link Jens posted earlier). You probably don't need or want IIS to run under a different account.

If you want each domain user to have a separate connection to the database, you will need to disable Anonymous Access and turn on Integrated Windows authentication (this would be on the Directory Security tab for the web site in IIS Manager). You'd then specify <identity impersonate="true"/> in your web.config. You may also want to change the <authentication> element to be mode="Windows"...check with MSDN and or the ASP.NET forum for additional info/guidance on the specifics there, as I'm well outside my area of expertise on that point.

If you want all DB access to route through a single connection (I'm not entirely sure that's advisable, but your circumstances may dictate this) and/or as a single user (also not advisable...auditability of data written to the database would be compromised, so you wouldn't be able to determine who made a given change), you could continue to use Integrated Windows authentication on your web app but change the web.config to be:

<identity impersonate="false"/>

<authentication mode="Windows"/>

You'd then provide access to the SQL Server table via one of the server roles for the NT AUTHORITY\NETWORK SERVICE account. An example would be to use sp_addrolemember to add this account to public and grant public insert and update permissions on these tables (if it doesn't have them already).

There is a "How To" article on these options available at: http://msdn2.microsoft.com/en-us/library/ht43wsex(VS.80).aspx

Good luck,

Jason