I have a Windows Server 2008 R2 called Jack11 that joined a domain called Watson.org.

It has IIS 7 installed.

From my understanding, we need to add the following into the web.config file

```xml
<system.web>
    <identity impersonate="true" />
</system.web>
```

Also, we need to ensure that the server Jack11 can ping the domain Watson.org.

What other settings do we need to set up in order for a user of domain Watson.org (e.g. the user Watson\User1) to access the application on the server's IIS?

This is because currently, there is a problem as follows:

Exception Details: System.Data.SqlClient.SqlException: Login failed for user 'WATSON\User1'.

The error message was displayed when the user User1 wished to access one of the web applications in server Jack11's IIS, and that web application also does some retrieval of records from the database, which is installed in SQL Server 2008 Enterprise located on the same server Jack11.

Jack

1 Answer

You likely don't need to use impersonation, and in fact doing so will probably make things less secure (not least because you'd need to give each domain user rights over your SQL instance).

Run the application pool as the NetworkService or ApplicationPoolIdentity, don't use inheritance, and then either give your server's computer account (JACK1$) the necessary rights over the SQL instance, or enable SQL authentication and specify the username and password in the <ConnectionStrings> section of your web.config.

Chris McKeown
  • I do agree that your method will work, but I would not know which user has done something in the web application when I specify the username and password in the `<ConnectionStrings>`, since the SQL Server 2008 Profiler will not reflect the different users. Is there another way that I can still see which user has done something using the SQL Server 2008 Profiler, given that I specify the username and password in the `<ConnectionStrings>`? – Jack Oct 04 '12 at 05:41
  • You're looking at the problem from the wrong end of the telescope, I think. If you have a web application and you want to know who made changes to what and when, then you need to include auditing logic in your application that gets recorded in your database. This might include having a `ModifiedBy` column in relevant tables, and changing your app to pass in the `WindowsPrincipal` of the authenticated user that made the call to modify that row. You may want to do it another way, but that's food for thought anyway. – Chris McKeown Oct 04 '12 at 07:53
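
The approach from the answer and the last comment combined, as an added example that is not part of the original thread: one least-privilege login for the application pool, with the end user recorded in a `ModifiedBy` column. It assumes the pool runs as ApplicationPoolIdentity against the local instance; the pool name `ExamplePool`, the database `AppDb`, the user `WebApp`, the table and the procedure are all hypothetical.

```sql
-- Constructed example: every object name below is hypothetical.
-- One Windows login for the application pool instead of one per domain user.
-- Substitute whichever login your pool actually connects as.
CREATE LOGIN [IIS APPPOOL\ExamplePool] FROM WINDOWS;
GO
USE AppDb;
GO
CREATE USER WebApp FOR LOGIN [IIS APPPOOL\ExamplePool];
GO

-- Audit columns live in the data, because Profiler only ever sees WebApp.
CREATE TABLE dbo.Orders (
    OrderId    int           NOT NULL PRIMARY KEY,
    Status     nvarchar(20)  NOT NULL,
    ModifiedBy nvarchar(128) NOT NULL,  -- e.g. WATSON\User1, supplied by the app
    ModifiedAt datetime2     NOT NULL DEFAULT SYSUTCDATETIME()
);
GO

CREATE PROCEDURE dbo.UpdateOrderStatus
    @OrderId    int,
    @Status     nvarchar(20),
    @ModifiedBy nvarchar(128)  -- name of the authenticated WindowsPrincipal
AS
BEGIN
    SET NOCOUNT ON;
    UPDATE dbo.Orders
       SET Status     = @Status,
           ModifiedBy = @ModifiedBy,
           ModifiedAt = SYSUTCDATETIME()
     WHERE OrderId = @OrderId;
END
GO

-- The service account may only execute the procedure. It has no direct
-- rights on dbo.Orders, so every write goes through code that sets ModifiedBy.
GRANT EXECUTE ON OBJECT::dbo.UpdateOrderStatus TO WebApp;
GO

-- Who changed what, and when:
SELECT OrderId, Status, ModifiedBy, ModifiedAt
  FROM dbo.Orders
 ORDER BY ModifiedAt DESC;
```

The `ModifiedBy` value is only as trustworthy as the application that passes it, so the web application should take it from the authenticated request rather than from user input.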