How to handle error when login with different domain in windows authentication?
Jun 12, 2013 11:31 PM|getur.srikanth@gmail.com|LINK
My ASP.NET application is deployed in domain aaa with Windows Authentication. A user tried to log in with domain bbb. It is not rejected at the login prompt window, and it throws an error while accessing SQL Server.
Server Error in '/' Application.
Login failed for user 'bbb\user'.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Login failed for user 'bbb\user'.
Source Error:
Line 7: username = username.Substring(pos + 1)
Line 8:
Line 9: Clients = (From c In SGAEntities.Dim_Client
Line 10: Where c.App_Users_Clients.Any(Function(userclient) userclient.App_Users.Username = username And userclient.App_Users.RecordStatus = 1 And userclient.Access_Level = 1)
Line 11: Select c).ToList()
Source File: error Line: 9
Stack Trace:
Re: How to handle error when login with different domain in windows authentication?
Jun 13, 2013 10:12 AM|getur.srikanth@gmail.com|LINK
Changed Impersonate to "false". Getting different error.
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
Source Error:
Line 7: username = username.Substring(pos + 1)
Line 8:
Line 9: Clients = (From c In SGAEntities.Dim_Client
Line 10: Where c.App_Users_Clients.Any(Function(userclient) userclient.App_Users.Username = username And userclient.App_Users.RecordStatus = 1 And userclient.Access_Level = 1)
Line 11: Select c).ToList()
How to handle error when login with different domain in windows authentication?
Jun 12, 2013 11:31 PM|getur.srikanth@gmail.com|LINK
My ASP.NET application is deployed in domain aaa with Windows Authentication. A user tried to log in with domain bbb. It is not rejected at the login prompt window, and it throws an error while accessing SQL Server.
Web.config
Anonymous access is not selected in IIS 7.0
How do I stop a user's website access when he is trying to use a different domain login? Stop at the Windows popup box itself.
Re: How to handle error when login with different domain in windows authentication?
Jun 13, 2013 03:57 AM|BharatRam|LINK
There might be 2 things blocking that user,
1. IIS
2. Sql Security stuff.
IIS:
Anonymous access is disabled in your IIS; also, your Web.config is blocking all anonymous users (<deny users = "?" />).
But your <identity> property is set to the contrary. You are allowing an anonymous user to impersonate the main user (but you haven't mentioned the credentials for 'Impersonation').
An example for Impersonation would be,
Where the Username and Password denote the resident User (Application Admin) account usually. This should be used when you want anonymous Users to impersonate this user and login using his rights. Change Impersonate to "false" if you want to block anonymous Users.
If some other User from another domain needs to access your application then use the below syntax.
This means only users 'Rig' and 'James' will be allowed and all else will be rejected.
And you need to turn OFF your Windows Authentication, because that's not needed here.
For more information, refer to the link below; it contains a very nice explanation of these things.
http://weblogs.asp.net/gurusarkar/archive/2008/09/29/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config.aspx
SQL:
Yours will be mostly this case, as I can see the 'SqlException' occurring there. Follow the steps below:
1. Log in to your SQL Management Studio and go to Object Explorer->Security->Logins.
2. There you can see a list of user types. It's another domain user, so create an account for him there, using his domain name like FFRWB01\Users etc.
3. After creating it, access its properties and go to the 'User Mapping' section. After opening that you will see all the DBs listed on the right side.
4. Select all databases and, below in the Database Role section, select the 'db_owner' and 'public' checkboxes. Note that this can be done by clicking a DB name and doing it, i.e., only the currently clicked DB's properties can be altered in the Database Role section. Doing so grants the user from that domain the db_owner rights and he can access it without any issue.
Note:
Even if the Sql fix alone rectifies your issue it is advisable to change the IIS settings as mentioned above as it might cause issues in long term.
And always backup your IIS before modifying it.
IISSqlSecurity
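The four Management Studio steps above expressed as T-SQL, as an added example that is not part of the original post. `BBB\WebAppUsers` and `AppDb` are placeholder names, the `dbo` schema is assumed, and the table names are the ones in the LINQ query from the error output; the `db_owner` grant from step 4 is shown commented out beside a narrower read-only role.

```sql
-- Added example. Placeholders (not values from the thread):
--   [BBB\WebAppUsers] : hypothetical Windows group in the other domain
--   [AppDb]           : hypothetical application database
-- Table names come from the LINQ query in the error output; dbo schema is assumed.
-- Run in SSMS or sqlcmd (GO is their batch separator). ALTER ROLE ... ADD MEMBER
-- needs SQL Server 2012 or later.

USE [master];
-- Steps 1-2: create a server login for the Windows principal. A group keeps
-- membership managed in Active Directory instead of per user in SQL Server.
-- CREATE LOGIN fails if the server cannot resolve the principal in that domain.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'BBB\WebAppUsers')
    CREATE LOGIN [BBB\WebAppUsers] FROM WINDOWS;
GO

USE [AppDb];
-- Step 3: map the login to a user in the one database the application reads.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'BBB\WebAppUsers')
    CREATE USER [BBB\WebAppUsers] FOR LOGIN [BBB\WebAppUsers];
GO

-- Step 4 as described in the post: db_owner gives full control of the database,
-- including schema changes, permission changes and dropping objects.
-- ALTER ROLE [db_owner] ADD MEMBER [BBB\WebAppUsers];

-- Narrower alternative: a custom role with SELECT on only the tables the
-- failing query touches.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'app_client_reader' AND type = 'R')
    CREATE ROLE [app_client_reader];
GO
GRANT SELECT ON OBJECT::dbo.Dim_Client        TO [app_client_reader];
GRANT SELECT ON OBJECT::dbo.App_Users_Clients TO [app_client_reader];
GRANT SELECT ON OBJECT::dbo.App_Users         TO [app_client_reader];
ALTER ROLE [app_client_reader] ADD MEMBER [BBB\WebAppUsers];
GO

-- Check: list every database role the mapped user now belongs to.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE m.name = N'BBB\WebAppUsers';
```

The final query should return only `app_client_reader` for the mapped user; a `db_owner` row there means the broader grant is in effect.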
Re: How to handle error when login with different domain in windows authentication?
Jun 13, 2013 10:12 AM|getur.srikanth@gmail.com|LINK
Changed Impersonate to "false". Getting different error.
DB connection string is
IISSqlSecurity
Re: How to handle error when login with different domain in windows authentication?
Jun 14, 2013 02:06 AM|BharatRam|LINK
Yes, now that user is fully anonymous. He does not have any right over your Dbs, so only you are getting the same 'SqlException'.
Follow the Sql section in my previous post. Give the user the mentioned rights.
IISSqlSecurity