locked
Deploying DataService on IIS 7 RRS feed

  • Question

  • Hi,
     
    I've created a data Service and want to deploy on IIS7.
    I've created the virtual directory on my IIS 7 localhost on my Vista.
    And have successfully browse the service.

    But when I execute the client, I've got an error.

    My client code looks like the following:

    Public Sub Retrieve()

    Dim ctx As NorthwindEntities

    Try

    ctx = New NorthwindEntities(New Uri("http://localhost/ADOEF/WebDataService.svc/"))

    ctx.MergeOption = MergeOption.AppendOnly

    Dim q = From c In ctx.Customers Where c.City = "London" Order By c.CompanyName Select c

    For Each cust In q

    Debug.WriteLine(cust.CompanyName)

    Next

    Catch ex As Exception

    Debug.WriteLine(ex.ToString)

    Finally

    If ctx IsNot Nothing Then ctx = Nothing

    End Try

    End Sub

    The exception occurs when the code execute the LINQ statement.


    Thomas Perdana
    Wednesday, February 11, 2009 5:38 PM

Answers

  • Hi Thomas,

    Let me clarify one detail about Phani's comment about double-hop:

    If you want the NT user identity to flow from the client to the Data Services server and then from there to the database, then this is certainly a double-hop scenario and it's somewhat involved to get it working (this actually doesn't have much to do with Data Services, but it's about how NT auth works).

    On the other hand, if what you want is to use integrated auth such that you don't have credentials hardcoded in the Data Services server, but for all the requests you'll use the same NT user to connect to SQL Server, then things are easier. What you can do is create a domain user and then have the Data Service web app for your service run under that NT identity (I think you configure this at the app pool level). Once you have that done, on the SQL Server side create a login for that NT identity and grant the permissions you need it to have. At this point you should be able to use integrated auth again.

    Pablo Castro
    Software Architect
    Microsoft Corporation
    http://blogs.msdn.com/pablo

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, February 13, 2009 10:02 PM
    Moderator

All replies

  • Hi thomas perdana

    Could you post the exception including any inner exception please. 

    Daniel Portella - http://undocnet.blogspot.com - This posting is provided "AS IS" with no warranties, and confers no rights. If this post is answered your question please mark as the answer and if it is helpful do like wise.
    Thursday, February 12, 2009 12:46 AM
  • The error messsage is:

    System.Data.Services.Client.DataServiceQueryException: An error occurred while processing this request. ---> System.Data.Services.Client.DataServiceClientException: <?xml version="1.0" encoding="utf-8" standalone="yes"?>

    <error xmlns="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">

    <code></code>

    <message xml:lang="en-US">An error occurred while processing this request.</message>

    </error>

    at System.Data.Services.Client.QueryAsyncResult.Execute(MemoryStream requestContent)

    at System.Data.Services.Client.DataServiceRequest.Execute[TElement](DataServiceContext context, Uri requestUri)

    --- End of inner exception stack trace ---

    at System.Data.Services.Client.DataServiceRequest.Execute[TElement](DataServiceContext context, Uri requestUri)

    at System.Data.Services.Client.DataServiceQuery`1.Execute()

    at System.Data.Services.Client.DataServiceQuery`1.GetEnumerator()

    at DataSvcClient.Retrieve() in C:\Visual Studio 2008\Projects\DataSvcClient\DataSvcClient\CRUD.vb:line ...




    I also fail when executing HTTP query like the following:

    http://localhost/ADOEF/WebDataService.svc/Customers


    Thomas Perdana
    Thursday, February 12, 2009 1:24 AM
  • Hi thomas perdana

    Seems to me that the verbose errors settings is not turned on could you turn on the config.UseVerboseErrors = true; on the data service and repost the error message please?

    also you would suggest for you to override the method " protected override void HandleException(HandleExceptionArgs args)" if you attached to the service put a break point there so you will be able to see the error message as is raised on the server.

    Thank you in advance

    Daniel Portella - http://undocnet.blogspot.com - This posting is provided "AS IS" with no warranties, and confers no rights. If this post is answered your question please mark as the answer and if it is helpful do like wise.
    Thursday, February 12, 2009 9:40 AM
  •  <message>Cannot open database "Northwind" requested by the login. The login failed. Login failed for user 'NT AUTHORITY\NETWORK SERVICE'.</message>
    Thomas Perdana
    Thursday, February 12, 2009 4:58 PM
  • that is your answer Thomas make sure that your service can connect to the database.

    You are using integrated authentication try using a sql server login instead.

    Daniel Portella - http://undocnet.blogspot.com - This posting is provided "AS IS" with no warranties, and confers no rights. If this post is answered your question please mark as the answer and if it is helpful do like wise.
    Thursday, February 12, 2009 11:09 PM
  • OK. Would you be so kind to let me know the correct steps for deploying my service to IIS 7 so that it can connect to SQL Server 2005 using Integrated Authentication.

    Thanks.
    Thomas Perdana
    Friday, February 13, 2009 12:36 AM
  • Hi Thomas,
     Is the Database located on the same machine as the IIS Web Server?
     If not , then I think you are looking at a double-hop scenario.
     Take a look at this article for details about the authentication procedure that IIS follows :

    http://support.microsoft.com/kb/264921

    and this article talks about how to troubleshoot issues with Kerberos Authentication .

    http://support.microsoft.com/kb/326985


    DelegConfig is a great tool that helps accurately diagnose Kerberos Authentication failures , you can download it from here :
    http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1434

    Phani Raj Astoria
    Friday, February 13, 2009 4:15 PM
    Moderator
  • Hi Thomas,

    Let me clarify one detail about Phani's comment about double-hop:

    If you want the NT user identity to flow from the client to the Data Services server and then from there to the database, then this is certainly a double-hop scenario and it's somewhat involved to get it working (this actually doesn't have much to do with Data Services, but it's about how NT auth works).

    On the other hand, if what you want is to use integrated auth such that you don't have credentials hardcoded in the Data Services server, but for all the requests you'll use the same NT user to connect to SQL Server, then things are easier. What you can do is create a domain user and then have the Data Service web app for your service run under that NT identity (I think you configure this at the app pool level). Once you have that done, on the SQL Server side create a login for that NT identity and grant the permissions you need it to have. At this point you should be able to use integrated auth again.

    Pablo Castro
    Software Architect
    Microsoft Corporation
    http://blogs.msdn.com/pablo

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, February 13, 2009 10:02 PM
    Moderator
  • Hi Phani,

    The SQL Server 2005 is located on my Vista machine along with the IIS 7 Web Server.


    Thomas Perdana
    Sunday, February 15, 2009 9:34 PM
  • Hi Pablo,

    I tried what you recommended about configuring IIS 7 and SQL Server 2005.
    However, I've got an 

    IIS 7.0 Detailed Error - 500.0 - Internal Server Error


    Thomas Perdana
    Sunday, February 15, 2009 10:04 PM
  • Hi Thomas,

    It's likely that you still have authentication issues. A simple way of separating sources of trouble would be to add a simple asp.net page and use your Northwind model to query some data and render it in the web page. Since you'll be using the same model and the same connection string, you can separate Data Services-specific issues from general SQL authentication issues. Debugging asp.net pages is also more straightforward, so we're likely to get to the root of the issue quicker.

    Pablo Castro
    Software Architect
    Microsoft Corporation
    http://blogs.msdn.com/pablo

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, February 16, 2009 8:08 AM
    Moderator
  • I suggest you get any errors output into the Application event log and put here too. what user account is your web application running under IIS? (Application pool identity)
    Daniel Portella - http://undocnet.blogspot.com - This posting is provided "AS IS" with no warranties, and confers no rights. If this post is answered your question please mark as the answer and if it is helpful do like wise.
    Monday, February 16, 2009 10:50 AM
  • Thomas Perdana said:

     <message>Cannot open database "Northwind" requested by the login. The login failed. Login failed for user 'NT AUTHORITY\NETWORK SERVICE'.</message>


    Thomas Perdana



    I got same error when moving from dev server to IIS7 (among others) - even on same box.  You don't run into any of this on the VS Cassini dev server because everything is running under context of local account and your login has access to db.   The IIS default appPool is runing under NetWorkService machine account.  The Connection is trying to login to database as NetWorkService and at least needs read or read/write permissions.  You need a sql account login for NetWorkService with permissions.  The site appPool can run under other logins, but in either case, you still need a respective login in sql.  In my experience on my local vista, it did not seem to matter what my ASP.Net Impersonation was set at, I always needed NetWorkService login at DB.  Still working on verifying this for myself as I got lost in config changes testing this out.

    On the Deployment front, that is a good question.  To get a simple end user deployments requires at least: iis site create with perms, sql deploy or verify, db create and records deploy, any accounts created with correct permissions, etc, etc.  The IIS7 Web package Tool helps a Dev, but is not really and end-user deployment solution.  Doing all these steps in manual code is deep.  There needs to be an easier way to deploy a Service to an end user with a simple setup package.  Maybe it exists and I have not found it. 

    You need:
    1) NetworkService Login (at the server level) to sql with at least "public".
    2) User Account (at database level) that maps #1 Login to access rights (i.e. db_datareader, and db_datawriter) in your database.
    3) Ref: http://msdn.microsoft.com/en-us/library/ms998292.aspx

    Note, it is not recommended by MS to use asp impersonation, because is does not allow connection pooling which can effect perf and you have increased overhead in user admin on the sql side.  If you use 1 account (i.e. the NetworkService or other) then you only have 1 account at the sql server to admin and can focus on its permissions and handle any other custom application rights inside your application service.
    Sunday, February 22, 2009 2:31 AM