31  

If you are NOT using ActiveDirectory, then ignore all of the other solutions above. The confusion stems from the new ApplicationPoolIdentity setting default in IIS 7.5 (MS keeps changing the identity mechianisms)

如果您不使用ActiveDirectory，请忽略上述所有其他解决方案。混乱源于IIS 7.5中新的ApplicationPoolIdentity设置默认值（MS不断更改身份机制）

1. Open SQL Management Studio, connect to your local machine as an admin.
2. 打开SQL Management Studio，以管理员身份连接到本地计算机。
3. Expand the Security branch.
4. 展开安全分支。
5. Right click on Logins and select New Login
6. 右键单击Logins并选择New Login
7. Into the Login Name field, type "IIS APPPOOL\MyApplicationName". Do NOT click the search button. The user profile dosn't actually exist on the local machine, it's dynamically created on demand.
8. 在“登录名”字段中，键入“IIS APPPOOL \ MyApplicationName”。不要单击搜索按钮。用户配置文件实际上并不存在于本地计算机上，而是根据需要动态创建的。

6  

The error means the web application doesn't have access to your database. On Windows 7 / IIS 7, by default each application pool has its own user. It seems the idea is to improve security by restricting what that web application can do (in case it gets compromised and controlled from the outside). You can change what user the application pool is running under but that will defeat its own purpose. A better way seems to give the pool's user the needed permissions (and not a bit more).

该错误表示Web应用程序无权访问您的数据库。在Windows 7 / IIS 7上，默认情况下每个应用程序池都有自己的用户。似乎这个想法是通过限制Web应用程序可以执行的操作来提高安全性（如果它从外部受到攻击和控制）。您可以更改运行应用程序池的用户，但这会破坏其自身的用途。一种更好的方法似乎是为池的用户提供所需的权限（而不是更多）。

On the SQL Management Studio connect to the server you want your web app to connect (tested with SQL server 2008). Go to

在SQL Management Studio上，连接到您希望Web应用程序连接的服务器（使用SQL Server 2008进行测试）。去

Security -> Log ins

right click, New Log in. In the form that comes up leave everything as default except username, where you have to type whatever username the web app is trying to use, in this case 'IIS APPPOOL\MyApplicationName'. Note that the search function of that dialog fails to find or check as valid that user, but nevertheless it works.

右键单击，新登录。在出现的表单中，除了用户名之外，将所有内容保留为默认值，您必须键入Web应用程序尝试使用的任何用户名，在本例中为“IIS APPPOOL \ MyApplicationName”。请注意，该对话框的搜索功能无法找到或检查该用户是否有效，但它仍然有效。

Still on the SQL Management Studio connected to the server go to

仍然在连接到服务器的SQL Management Studio上

Databases -> *YOUR-DATABASE* -> Security -> Users

right click and New User. I'm not sure if the user name field there has any effect, I just set it the last part of the username, like MyApplicationName. Then I've set the login name to IIS APPPOOL\MyApplicationName. You can click on the ... button and use the check and search, this time it works. If you don't do the previous step, the user will not be present here. Then give it whatever permissions you want to this user, like db_datareader.

右键单击和新用户。我不确定用户名字段是否有任何影响，我只是将其设置为用户名的最后一部分，如MyApplicationName。然后我将登录名设置为IIS APPPOOL \ MyApplicationName。您可以单击...按钮并使用检查和搜索，这次它可以工作。如果您不执行上一步，则该用户将不在此处。然后为此用户提供您想要的任何权限，例如db_datareader。

And that's it, you've given permission. If lack of permissions was your problem, then it should be solved (or at least, I've just solved it that way).

就是这样，你得到了许可。如果缺少权限是你的问题，那么它应该被解决（或者至少，我刚刚解决了这个问题）。

I have a total amount of 2hs of experience with IIS and about three weeks with SQL Server and less than two months with Microsoft technologies so take my advice with a grain of salt, I can be totally wrong. (If another person can confirm these are the right steps, feel free to remove the last warning).

我总共有2小时的IIS经验和大约三个星期的SQL Server以及不到两个月的微软技术，所以我的建议很简单，我可能完全错了。 （如果其他人可以确认这些是正确的步骤，请随时删除最后一个警告）。

2  

Here is an article that explains why AppPoolIdentities are in use; basically, it's about enhanced security: http://learn.iis.net/page.aspx/624/application-pool-identities/

这篇文章解释了为什么AppPoolIdentities正在使用中;基本上，它是关于增强安全性：http：//learn.iis.net/page.aspx/624/application-pool-identities/

(That article claims I can use these virtual accounts just like any regular account but on my Windows Server 2008 that does not seem to be possible; adding e.g. IIS AppPool\DefaultAppPool just produces an error: "The following object is not from a domain listed in the Select Location dialog box, and is therefore not valid.")

（该文章声称我可以像任何常规帐户一样使用这些虚拟帐户，但在我的Windows Server 2008上似乎不可能;添加例如IIS AppPool \ DefaultAppPool只会产生错误：“以下对象不是来自列出的域在“选择位置”对话框中，因此无效。“）

2  

Erick Falsken is right, however he is missing the User Mappings. So right click on the new IIS APPPOOL/DefaultAppPool, click on Properties and then check boxes for: 1) databases master and yourdatabase 2) db_owner and public

Erick Falsken是对的，但他缺少用户映射。因此，右键单击新的IIS APPPOOL / DefaultAppPool，单击Properties，然后选中以下框：1）数据库master和yourdatabase 2）db_owner和public

1  

This error usually means that the user that your site is running as (or more to the point the application pool), does not have permissions to use the DB. You can either check in IIS what user the pool is running under and give them permissions, or instead change your SQL connection string to not use trusted authentication and supply the credentials of a user that does have permission in the connection string.

此错误通常意味着您的站点正在运行的用户（或更多到应用程序池的位置）没有使用该DB的权限。您可以在IIS中签入运行池的用户并为其授予权限，或者将SQL连接字符串更改为不使用受信任的身份验证，并提供在连接字符串中具有权限的用户的凭据。

Edit: If you right click on the pool Identity section and go to properties, it should come up with a box that lets you either choose from 3 builtin system accounts, or specify your own account. Either give one of the builtin accounts permission for the DB, or use an account that has permission. Or leave it as is and change your connection string.

编辑：如果右键单击池标识部分并转到属性，它应该会出现一个框，允许您从3个内置系统帐户中进行选择，或指定您自己的帐户。为DB提供一个内置帐户权限，或使用具有权限的帐户。或保持原样并更改连接字符串。

1  

Well...changing the ApplicationPoolIdentity property and setting it to NETWORK SERVICE seems to have fixed my problems. Not sure if that's the "right" way to do things or not (as in, I'm not sure if that's the recommended way to do things in IIS7 or not), but it seems to at least be working and has gotten me past this hang-up for now. Thanks.

嗯...更改ApplicationPoolIdentity属性并将其设置为NETWORK SERVICE似乎解决了我的问题。不确定这是否是“正确”的做事方式（因为，我不确定这是否是在IIS7中做的事情的推荐方式），但它似乎至少起作用并让我过去这个挂机现在。谢谢。

1  

I'm familiar with the idea of giving permissions to the user that the application is running under...my problem is that in IIS7, the "user" seems to be virtual or something strange like that. Prior to me changing the "Identity" property of the Application Pool properties to NETWORK SERVICE, it was set to "ApplicationPoolIdentity", and the error I was getting was that "IIS APPPOOL\MyApplicationName" didn't have access to the database. When I attempted to add the "IIS APPPOOL\MyApplicationName" user to the database, it didn't appear to exist...not that I could find anyway.

我熟悉为应用程序运行的用户授予权限的想法......我的问题是在IIS7中，“用户”似乎是虚拟的或类似的东西。在我将应用程序池属性的“身份”属性更改为NETWORK SERVICE之前，它被设置为“ApplicationPoolIdentity”，我得到的错误是“IIS APPPOOL \ MyApplicationName”无法访问数据库。当我尝试将“IIS APPPOOL \ MyApplicationName”用户添加到数据库时，它似乎不存在...不是我能找到的。

So my ultimate problem is not understanding or being able to find any good documentation on how the IIS7 security model works. When I created the application, it seemed to create an AppPool with the same name just for this application. I don't know exactly what changes I need to make to give the application and/or the user it runs under privileges to the database, considering the fact that the user that the AppPool runs as doesn't appear to actually exist.

所以我的最终问题是没有理解或能够找到有关IIS7安全模型如何工作的任何好的文档。当我创建应用程序时，似乎只为此应用程序创建了一个具有相同名称的AppPool。考虑到AppPool运行的用户似乎并不真实存在，我不知道我需要做什么更改才能使应用程序和/或用户在数据库权限下运行。

As I mentioned, changing the Identity of the AppPool to NETWORK SERVICE seems to have worked for now, but I'm trying to find out what the best practice is for this kind of thing under IIS7. Thanks.

正如我所提到的，将AppPool的身份更改为NETWORK SERVICE似乎现在已经有效，但我正在尝试找出IIS7下此类事情的最佳实践。谢谢。

1  

leave the hard problems for someone else -

给别人留下难题 -

create a sql user and use SQL Auth. :D

创建一个sql用户并使用SQL Auth。 ：d

1  

If you follow Mr. Fernández' advice, you will get everything working. This is the new way of giving least privilege to a site.

如果按照费尔南德斯先生的建议，你将获得一切运作。这是为网站提供最低权限的新方法。

So don't do the easy, less secure thing (NETWORK SERVICE). Do the right thing. Scroll up. ;)

所以不要做简单，不太安全的事情（网络服务）。做正确的事。向上滑动。 ;）

1  

Using Trusted Connection in Windows Authenticated Mode: OS: windows 7 32 bit IIS 7, Sql Server 2008 R2 Express Connection String: cn.open "Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=test;Data Source=mycomputername\sqlexpress;" (if instance name is sqlexpress or whatever instance name you have used)

在Windows身份验证模式下使用可信连接：操作系统：Windows 7 32位IIS 7，Sql Server 2008 R2 Express连接字符串：cn.open“Provider = SQLOLEDB.1;集成安全性= SSPI;持久安全信息= False;初始目录= test ; Data Source = mycomputername \ sqlexpress;“ （如果实例名称是sqlexpress或您使用的任何实例名称）

If you are not able to connect sql server using windows mode authenticated connection to sql server 2008.

如果您无法使用Windows模式身份验证连接到sql server 2008连接sql server。

NT AUTHORITY\IUSR Account might not have permission in sql server to authorize connection with database.

NT AUTHORITY \ IUSR帐户可能没有权限在sql server中授权与数据库的连接。

Connect Sql server using windows authentication mode. Expand Security node. Select NT AUTHORITY\IUSR (IF NOT THERE THEN ADD NEW LOG IN FOR THAT) Click on "User Mapping" under Select a page at Log-in properties window. Select the database that you are trying to connect. Select following permissions from "Database role membership for:......" 1. db_datareader 'this allows to open connection 2. db_datawriter 'this allows to fetch data records from datatable

使用Windows身份验证模式连接Sql server。展开安全节点。选择NT AUTHORITY \ IUSR（如果没有那么添加新登录）点击登录属性窗口中选择页面下的“用户映射”。选择您尝试连接的数据库。从“数据库角色成员资格：......”中选择以下权限：1。db_datareader'这允许打开连接2. db_datawriter'这允许从数据表中获取数据记录

1  

The first step is to verify which account your website is running under. Create a simple aspx page with:

第一步是验证您的网站在哪个帐户下运行。创建一个简单的aspx页面：

<%@ Page Language="C#" %>
<% Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name); %>

If you're using windows authentication the WindowsIdentity account will need to have a login in your SQL Server. Under Security -> Logins -> Login New you'll want to add whatever name that was displayed by WindowsIdentity and make sure Windows authentication is selected.

如果您使用的是Windows身份验证，则WindowsIdentity帐户需要在SQL Server中进行登录。在Security - > Logins - > Login New下，您需要添加WindowsIdentity显示的任何名称，并确保选中Windows身份验证。

If you ever happen to move your database to a separate machine you'll have to create a domain account and use impersonation in your web.config. Google <identity impersonate="true"> for more info.

如果您碰巧将数据库移动到单独的计算机，则必须创建域帐户并在web.config中使用模拟。 Google 了解更多信息。

0  

If you look in the description of the field it states that running under "Network Services" account is the recommended account to use. Not sure why in Win7 it defaults to the ApplicationPoolIdentity setting.

如果您查看该字段的说明，则表明在“网络服务”帐户下运行是建议使用的帐户。不确定为什么在Win7中它默认为ApplicationPoolIdentity设置。

0  

I have the exact same issue. I'm running Windows 7 RC. When I'm trying to usa a .mdf file (located in App_Data), there is now way to make that thing work. I did try to change the AppPool's identity for LocalSystem, but it simply won't work.

我有完全相同的问题。我正在运行Windows 7 RC。当我试图发布一个.mdf文件（位于App_Data中）时，现在有办法使这个东西工作。我确实试图改变AppPool的LocalSystem身份，但它根本行不通。

If I use a "standard" database, then it will work if I'm using LocalSystem, but it won't work with the famous 'IIS APPPOOL\DefaultAppPool'.

如果我使用“标准”数据库，那么如果我使用的是LocalSystem，它将会起作用，但它不适用于着名的“IIS APPPOOL \ DefaultAppPool”。

I find it a bit disturbing not to find any information on that matter, it seems that the 'IIS APPPOOL\DefaultAppPool' user is totally useless if you are using a database of any kind...

我发现有点令人不安的是没有找到关于这个问题的任何信息，如果你使用任何类型的数据库，似乎'IIS APPPOOL \ DefaultAppPool'用户完全没用...

I have it running, but I'm also bit frustrated not to understand the security model, as stated by ryexley.

我已经运行了，但是我也有点不理解安全模型，正如ryexley所说的那样。

0  

yes, the app pool identity method doesn't work like they say (not in IIS7 anyway) it's supposed to. I think there are hackers at MS who make this security convoluted on purpose so you take the path of least resistance and leave your system less secure (so they can hack into it later). - just kidding, but really, their security model is pure insanity, no straightforward (step by step) instructions anywhere on MSDN - nada, zip!

是的，应用程序池标识方法不像他们所说的那样工作（不管是在IIS7中）。我认为MS中的黑客会故意使这种安全性错综复杂，因此您采取阻力最小的路径并使您的系统不那么安全（因此他们可以在以后破解它）。 - 开玩笑，但实际上，他们的安全模型是纯粹的疯狂，在MSDN上的任何地方都没有直接（一步一步）说明 - nada，zip！

0  

I faced same problem between (SQL2008 that is installed on standalone Win-server2003 server) and (IIS6 with ASP.NET3.5 that are installed on standalone Win-server2003 server).

我遇到了（安装在独立的Win-server2003服务器上的SQL2008）和安装在独立的Win-server2003服务器上的IIS6与ASP.NET3.5之间的相同问题。

Where, IIS tries to access SQL2008 using some user in the domain "domain\username".

其中，IIS尝试使用域“domain \ username”中的某个用户访问SQL2008。

I removed following option out of connectionstring, and every thing works fine now.

我从connectionstring中删除了以下选项，现在一切正常。

Integrated Security=True;