Connecting to SQL with ANONYMOUS LOGON since switch to IIS7

Question

I've recently had my PC upgraded to Vista, which means it includes IIS7. The problem is that the ASP.NET website we're working on doesn't work anymore. I get an error because the application is trying to connect to the SQL Server with NT AUTHORITY/ANONYMOUS LOGON instead of my domain user, and anonymous isn't authorized. I've tried several things, but no solution yet: - install and enable the 'IIS Metabase and IIS 6 configuration compatibility' - enable Windows Authentication for this website - created a different Application Pool with managed pipeline mode set to Classic - enabled IIS6 WMI compatibility and IIS6 management console (getting desperate here)

In our web.config there's and in our machine.config there's . I've tried putting impersonate to false and entering my domain user and password in the machine.config (it used to be like this) but that didn't help either.

Are there things I'm missing? Has anyone else had a similar problem?

Answer 1

How does your application authenticate with SQL Server? Does it use SQL or Windows Auth? I hope you are trying to use Windows Auth. In that case, your IIS worker process should be running under that Windows user account. If not, it should at the least impersonate a Windows user account that has necessary access rights to SQL Server. If you have impersonation enabled and if you are using the right Windows user account and if SQL Server authenticates using Windows auth and if you are still unable to access SQL Server, you may be running into the classic double hop issue. In other words, you are trying to authenticate to IIS once and you are using the same crdentials to authenticate to the SQL Server over a network next(which is your second hop) and Windows does not allow that for security reasons.

Answer 2

I believe I have found a/the solution. At least it's working now. This is what I did:

• The website is now running in a seperate application pool with Managed Pipeline mode set to classic, Load userprofile set to False and Identity set to custom and using a domain user (and password) that has access to the database.
• Under 'authorization' of the website itself, I have Anonymous set to enabled and ASP.NET impersonate set to disabled.
• in the web.config of the site is also set.

Credit where it's due, this site helped me.

Answer 3

I'm sorry to say I can't look into the issue any further. Indeed, it probably is something with the way we connected to SQL Server (Win Auth) because we've changed it now. Now we connect with username and password in the connection string and it's solved. So I can't really say if you provided the answer, msvcyc, but I did vote on your solution. Thanks for the time and trouble.

Answer 4

Well, I recommend you migrate to Integrated mode if there is not too many troubles to enjoy the innovation it brings. :)

http://mvolo.com/blogs/serverside/archive/2007/12/08/IIS-7.0-Breaking-Changes-ASP.NET-2.0-applications-Integrated-mode.aspx