0Day Forums
Add IIS 7 AppPool Identities as SQL Server Logons - Printable Version



Add IIS 7 AppPool Identities as SQL Server Logons - tinobhxxpbrqpz - 07-31-2023

I'm running an IIS 7 Website with an AppPool of *Integrated Pipeline Mode*.
The AppPool does NOT run under the NetworkService etc. identity (on purpose), but uses its own AppPool Identity (IIS AppPool\MyAppPool).

This is a so called service account or virtual account.
(a user account, which is not a full account...)

I'd like to give this service account (IIS AppPool\MyAppPool) permissions to connect to my SQL Server 2008 Express (running in Mixed Auth. Mode).

**While SQL Server can add any normal user account, the IIS AppPool\MyAppPool virtual account cannot be added to the valid logons (SQL Server says, that the account cannot be found).**

Is there any trick, anything I need to enable to make the virtual accounts work?
(the w3wp.exe process runs under this identity according to taskmgr, but I cannot use the account in NTFS security either...)

Thanks for your help!


RE: Add IIS 7 AppPool Identities as SQL Server Logons - kitar - 07-31-2023

This may be what you are looking for...


I would also advise longer term to consider a limited rights domain user, what you are trying works fine in a silo machine scenario but you are going to have to make changes if you move to another machine for the DB server.


RE: Add IIS 7 AppPool Identities as SQL Server Logons - orangutan376 - 07-31-2023

If you're going across machines, you either need to be using NETWORK SERVICE, LOCAL SYSTEM, a domain account, or a SQL 2008 R2 (if you have it) Managed Service Account (which is my preference if you had such an infrastructure). You can not use an account which is not visible to the Active Directory domain.


RE: Add IIS 7 AppPool Identities as SQL Server Logons - explanation622 - 07-31-2023

The "IIS APPPOOL\AppPoolName" will work, but as mentioned previously, it does not appear to be a valid AD name, so when you search for it in the "Select User or Group" dialog box, it won't show up (actually, it will find it, but it will think it's an actual system account, and it will try to treat it as such... which won't work, and will give you the error message about it not being found).

How I've gotten it to work is:

1. In SQL Server Management Studio, look for the **Security** folder (the security folder at the same level as the Databases, Server Objects, etc. folders... not the security folder within each individual database)
2. Right-click Logins and select "New Login"
3. In the Login name field, type **IIS APPPOOL\YourAppPoolName** - do not click Search
4. Fill in whatever other values you like (i.e., authentication type, default database, etc.)
5. Click OK

As long as the AppPool name actually exists, the login should now be created.


RE: Add IIS 7 AppPool Identities as SQL Server Logons - Propreaccustomed880 - 07-31-2023

As a side note, processes that use virtual accounts (NT Service\MyService and IIS AppPool\MyAppPool) are still running under the "NETWORK SERVICE" account, as this post suggests. The only difference is that these processes are **members** of the "NT Service\MyService" or "IIS AppPool\MyAppPool" groups (as these are actually groups and **not** users). This is also the reason why the processes authenticate on the network as the machine, the same way the NETWORK SERVICE account does.

The way to secure access is not to depend upon these accounts not having NETWORK SERVICE privileges, but to grant more permissions specifically to "NT Service\MyService" or "IIS AppPool\MyAppPool" and to remove permissions for "Users" if necessary.

If anyone has more accurate or contradictory information, please post.






RE: Add IIS 7 AppPool Identities as SQL Server Logons - ninnettedgidi - 07-31-2023

-- server-level login for the app pool's virtual account (no password: Windows authenticates it)
CREATE LOGIN [IIS APPPOOL\MyAppPool] FROM WINDOWS;
-- database user mapped to that login; run this inside the target database
CREATE USER MyAppPoolUser FOR LOGIN [IIS APPPOOL\MyAppPool];


RE: Add IIS 7 AppPool Identities as SQL Server Logons - kaitlynsogtsmzvs - 07-31-2023

I figured it out through trial and error... the real chink in the armor was a little-known setting in IIS in the `Configuration Editor` for the website in

`Section: system.webServer/security/authentication/windowsAuthentication`

`From: ApplicationHost.config <location path='ServerName/SiteName' />`

called `useAppPoolCredentials` (which is set to `False` by default). Set this to `True` and life becomes great again!!! Hope this saves pain for the next guy....




RE: Add IIS 7 AppPool Identities as SQL Server Logons - slow908 - 07-31-2023



USE master
GO
-- sp_grantlogin still works on SQL Server 2008 but is deprecated; CREATE LOGIN ... FROM WINDOWS is the current form
sp_grantlogin 'IIS APPPOOL\<AppPoolName>'

USE <yourdb>
GO
-- sp_grantdbaccess (deprecated; CREATE USER ... FOR LOGIN is the current form) maps the login to a database user named <AppPoolName>
sp_grantdbaccess 'IIS APPPOOL\<AppPoolName>', '<AppPoolName>'
-- these two roles only exist if the ASP.NET membership/roles schema (aspnet_regsql) has been installed in <yourdb>
sp_addrolemember 'aspnet_Membership_FullAccess', '<AppPoolName>'
sp_addrolemember 'aspnet_Roles_FullAccess', '<AppPoolName>'
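The following T-SQL script is an added example, not code from any of the posters above. It ties together the SSMS steps from explanation622, the two CREATE statements from ninnettedgidi and the sp_grantlogin script just above into one idempotent script for SQL Server 2008 (so it uses sp_addrolemember rather than the later ALTER ROLE syntax). It first resolves the virtual account with SUSER_SID, which is the check SSMS's search dialog effectively fails, creates the login and user only if they are missing, grants the two fixed read/write roles instead of a full-access role, and finishes with a query that confirms the database user is actually mapped to the login. The pool name "MyAppPool", the database "MyAppDb" and the user name "MyAppPoolUser" are assumed; change all three to match your site.

```sql
-- Assumed names (edit to match your environment): pool MyAppPool, database MyAppDb, user MyAppPoolUser.

-- 1. Resolve the virtual account before touching anything. SQL Server asks Windows for
--    the SID (virtual accounts live under S-1-5-82-...); NULL means the pool name is wrong
--    or the pool does not exist on this host, which is the "account cannot be found" case.
IF SUSER_SID(N'IIS APPPOOL\MyAppPool') IS NULL
    RAISERROR (N'Virtual account IIS APPPOOL\MyAppPool could not be resolved on this host', 16, 1);
ELSE
BEGIN
    -- 2. Server-level login. FROM WINDOWS stores the Windows SID; no password is involved.
    IF NOT EXISTS (SELECT 1 FROM sys.server_principals
                   WHERE name = N'IIS APPPOOL\MyAppPool')
        CREATE LOGIN [IIS APPPOOL\MyAppPool] FROM WINDOWS
            WITH DEFAULT_DATABASE = [MyAppDb];
END
GO

USE [MyAppDb];
GO

-- 3. Database user mapped to the login, then only the roles the site needs.
--    db_datareader / db_datawriter keep the pool out of DDL and out of the security roles;
--    add the aspnet_* roles only if the ASP.NET membership schema is installed here.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'MyAppPoolUser')
    CREATE USER [MyAppPoolUser] FOR LOGIN [IIS APPPOOL\MyAppPool];
GO

EXEC sp_addrolemember N'db_datareader', N'MyAppPoolUser';
EXEC sp_addrolemember N'db_datawriter', N'MyAppPoolUser';
GO

-- 4. Verify the mapping: the database user's SID must equal the login's SID, and the login's
--    SID must still be what Windows returns for the name. One row back with 'ok' in both
--    columns means the pool can connect and will land in MyAppDb as MyAppPoolUser.
SELECT sp.name AS login_name,
       dp.name AS db_user,
       CASE WHEN dp.sid = sp.sid THEN 'ok' ELSE 'ORPHANED USER' END AS user_mapping,
       CASE WHEN sp.sid = SUSER_SID(sp.name) THEN 'ok' ELSE 'SID MISMATCH' END AS windows_sid,
       (SELECT COUNT(*) FROM sys.database_role_members rm
        WHERE rm.member_principal_id = dp.principal_id) AS role_count
FROM sys.server_principals AS sp
JOIN sys.database_principals AS dp ON dp.sid = sp.sid
WHERE sp.name = N'IIS APPPOOL\MyAppPool';
```

Run it as a sysadmin (the SQL Express default login on the machine is usually one) from SSMS or sqlcmd. The verification query is also the quickest way to diagnose a site that authenticates fine but cannot open the database: an 'ORPHANED USER' result means the user exists in the database without a matching login, which happens when a database is restored from another machine.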



RE: Add IIS 7 AppPool Identities as SQL Server Logons - talky72 - 07-31-2023

In my case the problem was that I started to create an MVC Alloy sample project from scratch using the Visual Studio/Episerver extension, and it worked fine when executed using the local Visual Studio IIS Express.
However, by default it points the SQL database to LocalDB, and when I deployed the site to local IIS it started giving errors. Some of the initial errors I resolved by:
1. Adding the local site URL binding to C:/Windows/System32/drivers/etc/hosts
2. Then by editing the application.config (I found the file location by right-clicking on IIS Express in the bottom right corner of the screen when running the site using Visual Studio) and adding a binding there for the local IIS URL.
3. Finally I was stuck with "unable to access database" errors, for which I created a blank new DB in SQL Express and changed the connection string in web.config to point to my new DB, and then in the Package Manager Console (using Visual Studio) executed Episerver DB commands like:
   1. initialize-epidatabase
   2. update-epidatabase
   3. Convert-EPiDatabaseToUtc


RE: Add IIS 7 AppPool Identities as SQL Server Logons - designyqvdx - 07-31-2023

You can solve it like this:

1. Open "Application Pools".
2. Right-click the application pool you have chosen, then choose "Advanced Settings".
3. Click the three dots on the Identity row, then choose "LocalSystem" from the "Built-in account" field.

If you do it this way, you don't need to create a user in the database.