When I try and access my newly deployed (to lcoal IIS 7.5) MVC4 app, I get the error:
当我尝试访问新部署的(lcoal IIS 7.5) MVC4应用程序时,我得到了错误:
Login failed for user 'DOMAIN\MACHINE-NAME$'
用户“DOMAIN\MACHINE-NAME$”登录失败
where the '$' is appended and not part of the machine name.
将'$'附加在后面而不是机器名的一部分。
The connection string in web.config looks like this:
web中的连接字符串。配置是这样的:
<add name="ComairRIEntities"
connectionString="metadata=res://*/Data.ComairRI.csdl|res://*/Data.ComairRI.ssdl|res://*/Data.ComairRI.msl;provider=System.Data.SqlClient;provider connection string="data source=(local);initial catalog=MyDB;integrated security=True;MultipleActiveResultSets=True;App=EntityFramework""
providerName="System.Data.EntityClient" />
8 个解决方案
#1
9
This is what's going on:
这就是正在发生的事情:
In your connection string you have the following setting: integrated security=True What this means is that the SQL Server connection will be authenticated with the credentials of the process which initiates the connection. Since you are running under IIS and IIS uses application pools, the connection will be authenticated with the Windows user which runs the application pool. By default this is a user with almost no permissions called NetworkService. NetworkService (or maybe in IIS7.5 it's a different one) will never have access rights to your database. The nuances of your particular scenario might be a bit different because there is a bunch of different security inheritances in IIS and a bunch of different users your process may end up, however, the basic problem is that you have integrated security=True and the user the IIS process is running with is a standard user with almost no rights.
在连接字符串中,您有以下设置:integration security=True这意味着SQL Server连接将通过启动连接的进程的凭据进行身份验证。由于您正在IIS下运行,IIS使用应用程序池,因此连接将通过运行应用程序池的Windows用户进行身份验证。默认情况下,这是一个几乎没有NetworkService权限的用户。NetworkService(或者可能是IIS7.5)永远不会拥有对数据库的访问权限。特定场景的细微差别可能有点不同,因为有很多不同的安全遗产IIS和一群用户您的过程可能会不同,但是,基本的问题是,你有集成安全= True和用户运行IIS进程是一个标准的用户几乎没有权利。
To fix you have a few options:
为了解决这个问题,你有几个选择:
- Change integrated security=True to username\password authentication. This will solve it 100%, but you may not want to store your password clear text in the web.config file.
- 更改集成安全性=用户名\密码验证。这将100%地解决这个问题,但是您可能不希望在web中存储密码明文。配置文件。
- In your IIS virtual directory settings, configure the anonymous user to be a meaningful one which has access rights to your db. This will help eventually, but you will have to play with different settings to get it right.
- 在IIS虚拟目录设置中,将匿名用户配置为具有访问权限的有意义的用户。这最终会有所帮助,但是你必须使用不同的设置才能把它做好。
If you need more help with #2, you have to provide the following information:
如果你需要更多的帮助,你必须提供以下信息:
- The identity of the AppPool
- AppPool的标识
- The identity of the Virtual Directory and all the authentication settings of the virtual directory.
- 虚拟目录的标识和虚拟目录的所有身份验证设置。
#2
3
There is plenty of good information in this question: Login failed for user 'DOMAIN\MACHINENAME$'.
在这个问题中有很多很好的信息:用户“DOMAIN\MACHINENAME$”登录失败。
If you see a failure like Login failed for user 'DOMAIN\MACHINENAME$' it means that a process running as NETWORK SERVICE or as LocalSystem has accessed a remote resource, has authenticated itself as the machine account and was denied authorization.
如果用户“DOMAIN\MACHINENAME$”出现登录失败的情况,则意味着以网络服务或LocalSystem方式运行的进程访问了远程资源,已验证自己为机器帐户,并被拒绝授权。
What seems odd here is that you are still trying to access a local database, yet a username of DOMAIN\MACHINENAME$ implies that it is accessing a non-local database.
奇怪的是,您仍然在尝试访问本地数据库,但是DOMAIN\MACHINENAME$的用户名意味着它正在访问非本地数据库。
Are you certain the connection string you posted is in fact the one that is used?
你确定你贴出的连接字符串实际上是被使用的那个吗?
The other thing you could look at doing is creating a specific user account for the application pool your site is running in - it would most likely need read and write permissions.
您还可以考虑为站点正在运行的应用程序池创建一个特定的用户帐户——它很可能需要读和写权限。
The type of user account will depend on your environment: if you are running within a domain, you could create a domain user and continue to use integrated security=True in your connection string, or if not you could investigate using SQL authentication.
用户帐户的类型将取决于您的环境:如果您正在域内运行,您可以创建一个域用户并在连接字符串中继续使用integration security=True,或者如果没有,您可以使用SQL身份验证进行调查。
Edit:
编辑:
I had this exact error once, doing almost exactly the same thing. In my case the database was on a separate server (i.e., not the same machine as it appears to be in your case), but the solution was this:
我犯过一次同样的错误,做的几乎是一样的。在我的例子中,数据库位于一个单独的服务器上(即:,但解决方案是这样的:
- Create a domain account.
- 创建一个域帐户。
- Add it to Security\Logins and Security\Users in SQL Management Studio.
- 将它添加到SQL Management Studio中的安全\登录和安全\用户。
- Provide it with
db_datareaderanddb_datawriterrole membership in SQL Management Studio. - 在SQL管理Studio中提供db_datareader和db_datawriter角色成员。
- On the web server, run
aspnet_regiis -ga domain\account_name - 在web服务器上,运行aspnet_regiis -ga域名\account_name
- Set this account to be the one used for anonymous access.
- 将此帐户设置为用于匿名访问的帐户。
- Create a new application pool for this web application.
- 为这个web应用程序创建一个新的应用程序池。
- Set the identity of the application pool to be this account.
- 将应用程序池的标识设置为该帐户。
Note that this was for IIS 6, so if you are in IIS 7+ you may not need steps 4, 5 and 6.
注意,这是针对IIS 6的,所以如果您在IIS 7+中,您可能不需要步骤4、5和6。
#3
2
One thing to note is that DOMAIN\MACHINE-NAME$ is the syntax used to represent the machine's credentials on the domain. Similar to how you have a user account, there is also a machine account that is nearly identical (except the permissions are significantly different).
需要注意的是,DOMAIN\ machine - name $是用于表示域上机器凭据的语法。与您拥有一个用户帐户的方式类似,还有一个几乎相同的机器帐户(除了权限有很大的不同)。
Since you are getting DOMAIN\MACHINE-NAME$ you don't have an impersonation problem. The first thing to do is to look at the application pool to see what identity it is running as.
由于您得到的是DOMAIN\MACHINE-NAME$,所以没有模拟问题。首先要做的是查看应用程序池,看看它运行的是什么身份。
You can do this by opening IIS Manager and selecting Application Pools. Next select the application pool and click "View Applications" to the right, this allows you to verify everything is setup correctly.
可以通过打开IIS管理器并选择应用程序池来实现这一点。接下来选择应用程序池并单击右边的“查看应用程序”,这允许您验证所有设置是否正确。
If it is configured correctly then click "Advanced Settings...", under the "Process Model" header there is an "Identity" field, it should be one of the following:
如果配置正确,请单击“高级设置…”,在“流程模型”页眉下有一个“标识”字段,它应该是以下其中之一:
- ApplicationPoolIdentity
- ApplicationPoolIdentity
- LocalService
- LocalService
- LocalSystem
- LocalSystem
- NetworkService
- NetworkService
- DOMAIN\Account
- 域\帐户
If it is ApplicationPoolIdentity it is set as you expect, if it is a non-custom one otherwise, you will likely get DOMAIN\MACHINE-NAME$ as you are experiencing. It is doubtful a custom account since that would show up as that account.
如果它是ApplicationPoolIdentity,如您所期望的那样设置,如果它是非自定义的,您可能会在您正在经历的过程中获得DOMAIN\MACHINE-NAME$。一个自定义帐户是值得怀疑的,因为它将显示为那个帐户。
If it is ApplicationPoolIdentity and the SQL machine is not on the same machine (or potentially if you use a host name or IP address) you may get DOMAIN\MACHINE-NAME$ since that is the network credentials of ApplicationPoolIdentity. ApplicationPoolIdentity uses IIS AppPool\ApplicationPool for local access, but DOMAIN\MACHINE-NAME$ for remote access, since the former is only available locally.
如果它是ApplicationPoolIdentity,而SQL机器不是在同一台机器上(或者如果您使用主机名或IP地址),您可能会得到DOMAIN\ machine - name $,因为这是ApplicationPoolIdentity的网络凭据。ApplicationPoolIdentity使用IIS AppPool\程序池进行本地访问,但是使用DOMAIN\MACHINE-NAME$进行远程访问,因为前者仅在本地可用。
Also make sure you are actually using that exact connection string, for the reasons I detailed above about access method being important.
还要确保您实际使用的是确切的连接字符串,因为我在上面详述了访问方法的重要性。
If this doesn't resolve it, it would help if you detailed what Identity you have set, and whether ASP.Net impersonation is enabled.
如果这不能解决问题,那么如果您详细说明您已经设置了什么标识,以及是否设置了ASP,这将会有所帮助。净启用模拟。
#4
1
Are you sure that this bit needs to have the "?
你确定这一点需要有“?”
provider connection string="
Should it not be just a quote mark like in the rest of the string?
它不应该像字符串的其他部分那样只是一个引号吗?
There is also one at the end of the string.
在弦的末端也有一个。
#5
1
That's the local user account that the App Pool identity manifests itself as when connecting to SQL Server. Try either changing the App Pool to use Network Service and giving Network Service permission to your database, or give IUSR_YOUR-MACHINE permission to the database. As you're working locally, it might be easier to make Network Service db_owner of your local database. Obviously there are security issues with doing this in production!
这是应用程序池标识在连接SQL Server时显示的本地用户帐户。尝试更改应用程序池以使用网络服务,并将网络服务权限授予您的数据库,或者将IUSR_YOUR-MACHINE权限授予数据库。当您在本地工作时,可能更容易使您的本地数据库的网络服务db_owner。显然,在生产中这样做存在安全问题!
#6
1
Check the identity that the AppPool for your app is running under in IIS Manager. It will probably be AppPoolIdentity. Then check that you have created a login in SQL Server for that identity, that it is mapped to your database and that it has the necessary role memberships / permissions needed by the application. The identity name will be "IIS AppPool\[AppPoolName]". (See http://www.iis.net/learn/manage/configuring-security/application-pool-identities for further info).
检查应用程序的AppPool在IIS管理器下运行的标识。这很可能是不可理喻的。然后检查您已经在SQL Server中为该标识创建了一个登录名,它被映射到您的数据库,并且它具有应用程序所需的必要角色从属关系/权限。标识名将是“IIS AppPool\[AppPoolName]”。(更多信息请参见http://www.iis.net/learn/manage/configuring-security/applicationpool - identity)。
If that doesn't work, please explain the way you have your application database connection configured, including whether or not impersonation is enabled.
如果这不起作用,请解释您的应用程序数据库连接的配置方式,包括是否启用了模拟。
#7
1
I will review the following.
我将回顾以下内容。
Instead of "data source=(local)" use the computer name where the database resides. Check DNS resolution to be sure the name is correct.
使用数据库所在的计算机名称而不是“数据源=(本地)”。检查DNS解析,确保名称是正确的。
Be sure that the user that the application pool is running under has permission to connect to the database server.
请确保正在运行的应用程序池的用户具有连接数据库服务器的权限。
#8
1
You need to add the app pool identity to sql server as a login. read this: http://www.iis.net/learn/manage/configuring-security/application-pool-identities-and-sql-server-express
您需要将应用程序池标识添加到sql server作为登录。读这篇文章:http://www.iis.net/learn/manage/configuring-security/application-pool-identities-and-sql-server-express
#1
9
This is what's going on:
这就是正在发生的事情:
In your connection string you have the following setting: integrated security=True What this means is that the SQL Server connection will be authenticated with the credentials of the process which initiates the connection. Since you are running under IIS and IIS uses application pools, the connection will be authenticated with the Windows user which runs the application pool. By default this is a user with almost no permissions called NetworkService. NetworkService (or maybe in IIS7.5 it's a different one) will never have access rights to your database. The nuances of your particular scenario might be a bit different because there is a bunch of different security inheritances in IIS and a bunch of different users your process may end up, however, the basic problem is that you have integrated security=True and the user the IIS process is running with is a standard user with almost no rights.
在连接字符串中,您有以下设置:integration security=True这意味着SQL Server连接将通过启动连接的进程的凭据进行身份验证。由于您正在IIS下运行,IIS使用应用程序池,因此连接将通过运行应用程序池的Windows用户进行身份验证。默认情况下,这是一个几乎没有NetworkService权限的用户。NetworkService(或者可能是IIS7.5)永远不会拥有对数据库的访问权限。特定场景的细微差别可能有点不同,因为有很多不同的安全遗产IIS和一群用户您的过程可能会不同,但是,基本的问题是,你有集成安全= True和用户运行IIS进程是一个标准的用户几乎没有权利。
To fix you have a few options:
为了解决这个问题,你有几个选择:
- Change integrated security=True to username\password authentication. This will solve it 100%, but you may not want to store your password clear text in the web.config file.
- 更改集成安全性=用户名\密码验证。这将100%地解决这个问题,但是您可能不希望在web中存储密码明文。配置文件。
- In your IIS virtual directory settings, configure the anonymous user to be a meaningful one which has access rights to your db. This will help eventually, but you will have to play with different settings to get it right.
- 在IIS虚拟目录设置中,将匿名用户配置为具有访问权限的有意义的用户。这最终会有所帮助,但是你必须使用不同的设置才能把它做好。
If you need more help with #2, you have to provide the following information:
如果你需要更多的帮助,你必须提供以下信息:
- The identity of the AppPool
- AppPool的标识
- The identity of the Virtual Directory and all the authentication settings of the virtual directory.
- 虚拟目录的标识和虚拟目录的所有身份验证设置。
#2
3
There is plenty of good information in this question: Login failed for user 'DOMAIN\MACHINENAME$'.
在这个问题中有很多很好的信息:用户“DOMAIN\MACHINENAME$”登录失败。
If you see a failure like Login failed for user 'DOMAIN\MACHINENAME$' it means that a process running as NETWORK SERVICE or as LocalSystem has accessed a remote resource, has authenticated itself as the machine account and was denied authorization.
如果用户“DOMAIN\MACHINENAME$”出现登录失败的情况,则意味着以网络服务或LocalSystem方式运行的进程访问了远程资源,已验证自己为机器帐户,并被拒绝授权。
What seems odd here is that you are still trying to access a local database, yet a username of DOMAIN\MACHINENAME$ implies that it is accessing a non-local database.
奇怪的是,您仍然在尝试访问本地数据库,但是DOMAIN\MACHINENAME$的用户名意味着它正在访问非本地数据库。
Are you certain the connection string you posted is in fact the one that is used?
你确定你贴出的连接字符串实际上是被使用的那个吗?
The other thing you could look at doing is creating a specific user account for the application pool your site is running in - it would most likely need read and write permissions.
您还可以考虑为站点正在运行的应用程序池创建一个特定的用户帐户——它很可能需要读和写权限。
The type of user account will depend on your environment: if you are running within a domain, you could create a domain user and continue to use integrated security=True in your connection string, or if not you could investigate using SQL authentication.
用户帐户的类型将取决于您的环境:如果您正在域内运行,您可以创建一个域用户并在连接字符串中继续使用integration security=True,或者如果没有,您可以使用SQL身份验证进行调查。
Edit:
编辑:
I had this exact error once, doing almost exactly the same thing. In my case the database was on a separate server (i.e., not the same machine as it appears to be in your case), but the solution was this:
我犯过一次同样的错误,做的几乎是一样的。在我的例子中,数据库位于一个单独的服务器上(即:,但解决方案是这样的:
- Create a domain account.
- 创建一个域帐户。
- Add it to Security\Logins and Security\Users in SQL Management Studio.
- 将它添加到SQL Management Studio中的安全\登录和安全\用户。
- Provide it with
db_datareaderanddb_datawriterrole membership in SQL Management Studio. - 在SQL管理Studio中提供db_datareader和db_datawriter角色成员。
- On the web server, run
aspnet_regiis -ga domain\account_name - 在web服务器上,运行aspnet_regiis -ga域名\account_name
- Set this account to be the one used for anonymous access.
- 将此帐户设置为用于匿名访问的帐户。
- Create a new application pool for this web application.
- 为这个web应用程序创建一个新的应用程序池。
- Set the identity of the application pool to be this account.
- 将应用程序池的标识设置为该帐户。
Note that this was for IIS 6, so if you are in IIS 7+ you may not need steps 4, 5 and 6.
注意,这是针对IIS 6的,所以如果您在IIS 7+中,您可能不需要步骤4、5和6。
#3
2
One thing to note is that DOMAIN\MACHINE-NAME$ is the syntax used to represent the machine's credentials on the domain. Similar to how you have a user account, there is also a machine account that is nearly identical (except the permissions are significantly different).
需要注意的是,DOMAIN\ machine - name $是用于表示域上机器凭据的语法。与您拥有一个用户帐户的方式类似,还有一个几乎相同的机器帐户(除了权限有很大的不同)。
Since you are getting DOMAIN\MACHINE-NAME$ you don't have an impersonation problem. The first thing to do is to look at the application pool to see what identity it is running as.
由于您得到的是DOMAIN\MACHINE-NAME$,所以没有模拟问题。首先要做的是查看应用程序池,看看它运行的是什么身份。
You can do this by opening IIS Manager and selecting Application Pools. Next select the application pool and click "View Applications" to the right, this allows you to verify everything is setup correctly.
可以通过打开IIS管理器并选择应用程序池来实现这一点。接下来选择应用程序池并单击右边的“查看应用程序”,这允许您验证所有设置是否正确。
If it is configured correctly then click "Advanced Settings...", under the "Process Model" header there is an "Identity" field, it should be one of the following:
如果配置正确,请单击“高级设置…”,在“流程模型”页眉下有一个“标识”字段,它应该是以下其中之一:
- ApplicationPoolIdentity
- ApplicationPoolIdentity
- LocalService
- LocalService
- LocalSystem
- LocalSystem
- NetworkService
- NetworkService
- DOMAIN\Account
- 域\帐户
If it is ApplicationPoolIdentity it is set as you expect, if it is a non-custom one otherwise, you will likely get DOMAIN\MACHINE-NAME$ as you are experiencing. It is doubtful a custom account since that would show up as that account.
如果它是ApplicationPoolIdentity,如您所期望的那样设置,如果它是非自定义的,您可能会在您正在经历的过程中获得DOMAIN\MACHINE-NAME$。一个自定义帐户是值得怀疑的,因为它将显示为那个帐户。
If it is ApplicationPoolIdentity and the SQL machine is not on the same machine (or potentially if you use a host name or IP address) you may get DOMAIN\MACHINE-NAME$ since that is the network credentials of ApplicationPoolIdentity. ApplicationPoolIdentity uses IIS AppPool\ApplicationPool for local access, but DOMAIN\MACHINE-NAME$ for remote access, since the former is only available locally.
如果它是ApplicationPoolIdentity,而SQL机器不是在同一台机器上(或者如果您使用主机名或IP地址),您可能会得到DOMAIN\ machine - name $,因为这是ApplicationPoolIdentity的网络凭据。ApplicationPoolIdentity使用IIS AppPool\程序池进行本地访问,但是使用DOMAIN\MACHINE-NAME$进行远程访问,因为前者仅在本地可用。
Also make sure you are actually using that exact connection string, for the reasons I detailed above about access method being important.
还要确保您实际使用的是确切的连接字符串,因为我在上面详述了访问方法的重要性。
If this doesn't resolve it, it would help if you detailed what Identity you have set, and whether ASP.Net impersonation is enabled.
如果这不能解决问题,那么如果您详细说明您已经设置了什么标识,以及是否设置了ASP,这将会有所帮助。净启用模拟。
#4
1
Are you sure that this bit needs to have the "?
你确定这一点需要有“?”
provider connection string="
Should it not be just a quote mark like in the rest of the string?
它不应该像字符串的其他部分那样只是一个引号吗?
There is also one at the end of the string.
在弦的末端也有一个。
#5
1
That's the local user account that the App Pool identity manifests itself as when connecting to SQL Server. Try either changing the App Pool to use Network Service and giving Network Service permission to your database, or give IUSR_YOUR-MACHINE permission to the database. As you're working locally, it might be easier to make Network Service db_owner of your local database. Obviously there are security issues with doing this in production!
这是应用程序池标识在连接SQL Server时显示的本地用户帐户。尝试更改应用程序池以使用网络服务,并将网络服务权限授予您的数据库,或者将IUSR_YOUR-MACHINE权限授予数据库。当您在本地工作时,可能更容易使您的本地数据库的网络服务db_owner。显然,在生产中这样做存在安全问题!
#6
1
Check the identity that the AppPool for your app is running under in IIS Manager. It will probably be AppPoolIdentity. Then check that you have created a login in SQL Server for that identity, that it is mapped to your database and that it has the necessary role memberships / permissions needed by the application. The identity name will be "IIS AppPool\[AppPoolName]". (See http://www.iis.net/learn/manage/configuring-security/application-pool-identities for further info).
检查应用程序的AppPool在IIS管理器下运行的标识。这很可能是不可理喻的。然后检查您已经在SQL Server中为该标识创建了一个登录名,它被映射到您的数据库,并且它具有应用程序所需的必要角色从属关系/权限。标识名将是“IIS AppPool\[AppPoolName]”。(更多信息请参见http://www.iis.net/learn/manage/configuring-security/applicationpool - identity)。
If that doesn't work, please explain the way you have your application database connection configured, including whether or not impersonation is enabled.
如果这不起作用,请解释您的应用程序数据库连接的配置方式,包括是否启用了模拟。
#7
1
I will review the following.
我将回顾以下内容。
Instead of "data source=(local)" use the computer name where the database resides. Check DNS resolution to be sure the name is correct.
使用数据库所在的计算机名称而不是“数据源=(本地)”。检查DNS解析,确保名称是正确的。
Be sure that the user that the application pool is running under has permission to connect to the database server.
请确保正在运行的应用程序池的用户具有连接数据库服务器的权限。
#8
1
You need to add the app pool identity to sql server as a login. read this: http://www.iis.net/learn/manage/configuring-security/application-pool-identities-and-sql-server-express
您需要将应用程序池标识添加到sql server作为登录。读这篇文章:http://www.iis.net/learn/manage/configuring-security/application-pool-identities-and-sql-server-express