RE: IUsr can not login
From: Bill Hollinshead [MS] (billhol@online.microsoft.com)
Date: 11/19/02
- Next message: John Cobb: "logon failure with SQL Server 2K"
- Previous message: Ron Talmage: "Re: Frustrated :("
- In reply to: Kami Razvan: "IUsr can not login"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: billhol@online.microsoft.com ("Bill Hollinshead [MS]") Date: Tue, 19 Nov 2002 22:34:21 GMT
Hi Kami,
I too am not sure what the IIS lockdown tool does (I am a SQL Server
person, not an IIS expert <g>), but that SQL Server error message indicates
that IUSR_SERVER does not exist *within* SQL Server as an NT Account name
that had been assigned (by the SQL Server DBA) permission to login into SQL
Server (i.e., the error cannot be avoided by changing file attributes to
SQL Server's data files). You can determine which NT accounts can login to
SQL Server by connecting to that SQL Server via Query Analyzer, and running
sp_helplogins. These accounts are stored within master...sysxlogins.
Amongst the NT account names will be the account/group that (I believe) IIS
*was* using to connect to SQL Server.
Many IIS users follow the "Use an Appropriate Web Server Authentication
Method" references in
http://support.microsoft.com/default.aspx?scid=KB;EN-US;313077, or
http://support.microsoft.com/default.aspx?scid=KB;EN-US;169377 or
http://support.microsoft.com/default.aspx?scid=KB;EN-US;247931. There are a
lot of choices - so you may need to contact the web-site's developer (to
determine how IIS was previously connecting).
I feel very uncomfortable suggesting that you run sp_grantlogin on
IUSR_SERVER (isn't that an anonymous account?) because that action could
open your database/server to a huge security hole (i.e., I believe that
would allow anonymous IIS access to SQL Server). Instead, I think it better
to determine what NT or SQL Server security account was originally being
using to connect to SQL Server (from IIS). That account will be in
sp_helplogins (and/or within the above KB articles). You can then configure
IIS to once again connect with that original account.
In addition, even if you were to sp_grantlogin for a new NT account (such
as IUSR_SERVER), you would still need to add that login as a user to every
relevant database, and you would still need to assign object level
permissions (within SQL Server). This could potentially be a daunting task,
and yet (because IIS was working before) this account must already exist
within SQL Server and must already have the correct object level
permissions. Thus I think it better to identify the account which should be
used to connect from IIS, and then to reconfigure IIS to once again use
that same account (thus saving you a potentially large amount of SQL Server
work and testing).
I can find an IIS resource if you need help configuring IIS to connect to
SQL Server, but you may get a faster response by posting to the IIS
newsgroups.
Thanks,
Bill Hollinshead
Microsoft, SQL Server
This posting is provided "AS IS" with no warranties, and confers no
rights. Subscribe to MSDN & use http://msdn.microsoft.com/newsgroups.
- Next message: John Cobb: "logon failure with SQL Server 2K"
- Previous message: Ron Talmage: "Re: Frustrated :("
- In reply to: Kami Razvan: "IUsr can not login"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
