[英]Does ADO in an asp.net web app always use the IIS service account to connect to SQL Server?
I have an ASP.NET web app where I use an ado sql connection to connect to a database on a SQL Server. 我有一个ASP.NET Web应用程序,在其中使用了ado sql连接来连接到SQL Server上的数据库。 The ado connection string is provided with a user login that has sufficient rights to read/write to the database.
ado连接字符串与用户登录名一起提供,该用户登录名具有足够的权限来读取/写入数据库。 I originally pushed out the web app in its own IIS web site, using its own application pool and everything worked fine.
我最初使用自己的应用程序池在自己的IIS网站中推出了该Web应用程序,并且一切正常。
However, I am now trying to include the web app under an already existing web site. 但是,我现在正在尝试将该Web应用程序包含在一个已经存在的网站下。 Everything seemed to work fine until I tried any functionality that called for an INSERT or UPDATE to the database.
在尝试了要求对数据库执行INSERT或UPDATE的任何功能之前,一切似乎都工作正常。 It turns out the user connecting to the DB didn't have sufficient permissions.
事实证明,连接到数据库的用户没有足够的权限。 Finding this strange, I did some research and found a forum post that suggested the IIS Web Site service account needed read/write permissions in the SQL database in order for an app to perform INSERT/UPDATE.
奇怪的是,我进行了一些研究,然后发现了一个论坛帖子,该帖子建议IIS网站服务帐户需要SQL数据库中的读/写权限才能使应用程序执行INSERT / UPDATE。 Is this true?
这是真的?
I tested it out, and yes, indeed it worked, only with the Application Pool Identity account. 我对其进行了测试,是的,的确确实如此,仅适用于应用程序池身份帐户。 The details of my scenario are as follows:
我的方案的详细信息如下:
The web app's first IIS Web Site had an application pool Identity that ran under NETWORK SERVICE, which already had a login for SQL SERVER 该Web应用程序的第一个IIS网站具有一个在NETWORK SERVICE下运行的应用程序池身份,该服务池已经具有SQL SERVER的登录名。
The already existing web site's application pool Identity runs under a domain account. 现有网站的应用程序池标识在域帐户下运行。 This site already runs another web app that connects to the same database using LINQ (developed by someone else).
该站点已经运行了另一个Web应用程序,该应用程序使用LINQ(由其他人开发)连接到相同的数据库。 I am relatively new to web development and am more familiar with ADO, so that is the route I chose.
我是Web开发的新手,并且对ADO更加熟悉,所以这就是我选择的方法。
The domain account mentioned above formerly had no SQL Server login/user mapping. 上面提到的域帐户以前没有SQL Server登录/用户映射。 I set it up as a dbowner, and viola, the new web app worked under the existing web site.
我将其设置为dbowner,然后将新的web应用程序viola在现有网站下运行。
While I found a way for it to work, we would rather not create a SQL login for this Identity account. 尽管我找到了一种可行的方法,但我们不希望为此Identity帐户创建SQL登录名。 We want the login provided in the web app's ADO SqlConnection to be the one to actually connect, because isn't that the point of it?
我们希望Web应用程序的ADO SqlConnection中提供的登录名是实际连接的登录名,因为这不是重点吗? Also, the fact that another web app using LINQ can connect just fine under the same web site leads us to believe this is possible.
此外,另一个使用LINQ的Web应用程序可以在同一网站上正常连接的事实使我们相信这是可能的。 Any experts out there have two cents to offer on this issue?
在这一问题上,有专家提供两美分吗?
SQL Server Windows Authentication is used when the connection string uses Integrated Security
. 当连接字符串使用
Integrated Security
时,将使用SQL Server Windows身份验证。 If the authentication mode is SQL Server Authentication (login/password), then it doesn't matter what account is used. 如果身份验证模式是“ SQL Server身份验证”(登录名/密码),则使用哪个帐户都没有关系。
This works by checking the Windows (Domain) Account of the process making the ADO connection. 通过检查建立ADO连接的进程的Windows(域)帐户,可以使用此功能。
In an ASP.Net web app, there are three accounts involved - IIS Service account, Web Site directory security account, Application Pool account. 在ASP.Net Web应用程序中,涉及三个帐户-IIS服务帐户,网站目录安全帐户,应用程序池帐户。 When connection to SQL Server, the process running ASP.NET web apps is
w3wp.exe
, which is run under the Application Pool, Identity
account. 连接到SQL Server时,运行ASP.NET Web应用程序的进程是
w3wp.exe
,该进程在“ Application Pool, Identity
帐户下运行。 This is the account you need to configure access for. 这是您需要配置访问权限的帐户。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.