HELP!!! My website is having permissions problems...

  • There must be some pieces missing in my understanding of security on databases and the use of IIS as well as how to deploy a website via Visual Studio 2008 Professional. My SQL Server instance is located on a Vista Ultimate 64-bit opsys on a machine with a quad-core 2.83 GHz Intel cpu and 8 GIG of RAM. I configured SQL Server via SAC to use at most 4 GIG, so that I would still have plenty of RAM for video capture work.

    The problem I'm having is that I set up a web site, and configured the bindings to each network card with just an IP address and no host name, and configured ASP.NET impersonation and Windows authentication as the available authentication methods, and despite those things, I am unable to go to a browser on that machine and type in http://servername/websitename/Default.aspx without getting a 404 not found error. This was previously working, and I don't know why it's not working now. I can use Visual Studio to get to the website, as that uses http://localhost:portnumber/etc...., but even then, I still have a problem, as the report I built doesn't display any data, and it appears to be a database permissions problem. Come to think of it, I'm not even sure I accurately remember what the conditions were that allowed me to actually see the report results, but at one point I know I had some kind of permissions error, and adding the ASP.NET impersonation authentication method got me past that problem, only to show a blank report. I strongly suspect database permissions are somehow involved, as the ASP.NET provided is being used by the website, but I don't know how to configure this so that it just passes along the Windows domain user id that I've logged in to the machine with. Can anyone provide some suggestions on things to check, and some basics on how to properly configure IIS 7 ? Any/all help will be appreciated. Thanks!

    Steve

    (aka smunson)

    :):):)

    Steve (aka sgmunson) 🙂 🙂 🙂
    Rent Servers for Income (picks and shovels strategy)

  • The IIS website properies has a security tab. That should allow you to use Windows Auth, or anonymous connections that go through a windows account you specify.

    Those should be what connect to SQL Server. Can you connect to your instance of SQL with SSMS? Is that working with your credentials?

  • I'll try allowing an anonymous connection tonight just to see if that works, but I need to learn how to NOT have such things available, as could be expected were I to gain employment as a DBA. I have no difficulties using SSMS with my windows credentials. I'm also wondering if I should be turning Windows authentication off if I'm using ASP.NET impersonation, or should I go the other way and turn off ASP.NET impersonation, or if I need to configure the ASP.NET impersonation differently, or what the best practice would be for that setup?

    Steve

    (aka smunson)

    :):):)

    Steve (aka sgmunson) 🙂 🙂 🙂
    Rent Servers for Income (picks and shovels strategy)

  • Steve, I'm a little weak on the ASP.NET impersonation.

    The thing to remember is that IIS runs things, so it has to determine the upper level account under which things run. Then ASP.NET next runs under the IIS account (either service, or the ones you've set in security), and that could conceivably make it's own connection to SQL. I'm not sure which one is passing through to SQL Server, and Profiler might help you here (or auditing failed logins) to determine that.

    I'd use separate accounts everywhere to try and determine what is executing what.

  • Thanks Steve... I was going to try anonymous authentication last night, but later in my workday yesterday I happened across a way to make a report be all one page, regardless of actual size, and I was so excited that I spent most of my time last night making that happen.

    However, I did get a chance to at least clarify my troubles. I have two problems:

    1.) On the Vista Ultimate machine, I get a 404 error if I open IE and navigate to my website. It doesn't matter if I correctly spell out the exact address to the default page, or I shorten it all the way down to http://servername - all of those links get a 404. However, if I go to any other machine on my network, I can get to the default page, where problem #2 occurs.

    2.) Once I get to my default page on another machine, when I click on a link to my web page that has the report control in it, the text header shows up, but the report control does not, and an error message states:

    "An error has occurred during report processing.

    Exception has been thrown by the target of an invocation.

    Cannot open database "XXXXXXX" requested by the login. The login failed. Login failed for user 'NT AUTHORITY\NETWORK SERVICE'.

    I tried to solve the 2nd problem by eliminating Windows Authentication and leaving only ASP.NET impersonation, but that causes me to get the good old "Forbidden" error getting to any of the web pages, so I turned it back on. Then I configured ASP.NET impersonation for a LAN ID that I know has permission to the database, and from a machine logged on with that ID, it made no difference, but from another machine logged on with a different ID, it gave me an "Error in Server Application" screen, with suggestions about how to configure custom errors.

    My objective is to have this website's security operate entirely on Windows Authentication, but it appears I just don't quite know how to do that. I also may need to reconfigure security on the database, but for this specific database, I can't just grant the NETWORK SERVICE any rights - I have to lock it down to specific users.

    Anyone out there know what I need to do? Any/all help is much appreciated as I learn how to do this stuff. Thanks!

    Steve

    (aka smunson)

    :):):)

    Steve (aka sgmunson) 🙂 🙂 🙂
    Rent Servers for Income (picks and shovels strategy)

  • UPDATE: I've discovered that my report file (*.rdlc) had no connection string or data provider, and it was likely because I chose SQL Native Client, not thinking about the lack of that software on the client machines that would access the website. I added the values manually, to "ADO.NET data provider" and the appropriate connection string, and that eliminates the error message I was getting about the network service not having access to the database. Unfortunately, I now get a blank report with no records, and no error message to tell me what's wrong. I'm going to create a new dataset tonight and see if I can do that correctly this time.

    The other problem continues. I still get a 404 on my website from the local machine. It's as if you "can't get there from here", despite the fact that in this case, here and there are the same place. Interesting that the report still works fine if you choose to browse it from within VS.

    Steve

    (aka smunson)

    :):):)

    Steve (aka sgmunson) 🙂 🙂 🙂
    Rent Servers for Income (picks and shovels strategy)

  • UPDATE and SOLUTION:

    I did all kinds of things in trying to get where I needed to be, and it may have been a combination of multiple things. Here are the things that I did, but not necessarily in the order in which they were performed:

    - Ensured that Windows Authentication and ASP.NET impersonation were enabled at both my site level AND at the IIS level.

    - Manually updated the RDLC file for my report to ensure it used "ADO.NET data provider" instead of "" for the DataProvider section.

    - Manually updated the RDLC file for my report to ensure it used a proper connection string instead of "" for the ConnectString section.

    - Discovered and corrected a new problem where the RDLC file that was a result of "Publish" within VS was nothing more than a "marker file", and didn't contain the actual RDLC file content. This may have had to do with trying the option to not allow the site to be "updateable" from within the publish part of VS.

    - Made sure I better understood database roles and permissions, and set the permissions appropriately for the database.

    Conclusions: I'm not 100% sure that VS 2008 is capable of producing an ASP.NET 3.5 website without manual intervention to specify things that shouldn't have to be specified, but given my relative newbie status in doing this stuff, I'd hate to have to troubleshoot some advanced configuration, given my extraordinary difficulty in this very simple setup. I did enjoy the challenge however, and now that I've finally succeeded on my first .NET web project, I have at least the start of the tools needed to start doing some more serious .NET stuff.

    Steve

    (aka smunson)

    :):):)

    Steve (aka sgmunson) 🙂 🙂 🙂
    Rent Servers for Income (picks and shovels strategy)

Viewing 7 posts - 1 through 6 (of 6 total)

You must be logged in to reply to this topic. Login to reply