How to handle error when login with different domain in windows authentication?

  • Question

  • User645293055 posted

    My ASP.NET application is deployed in domain aaa with Windows Authentication. A user tried to log in with domain bbb. He is not rejected at the login prompt window, and the application throws an error while accessing SQL Server.

    Server Error in '/' Application.
        Login failed for user 'bbb\user'.
        Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
    
        Exception Details: System.Data.SqlClient.SqlException: Login failed for user 'bbb\user'.
    
        Source Error:
    
        Line 7:          username = username.Substring(pos + 1)
        Line 8:
        Line 9:          Clients = (From c In SGAEntities.Dim_Client
        Line 10:                    Where c.App_Users_Clients.Any(Function(userclient) userclient.App_Users.Username = username And userclient.App_Users.RecordStatus = 1 And userclient.Access_Level = 1)
        Line 11:                     Select c).ToList()
    
    
        Source File: error   Line: 9
    
        Stack Trace:

    Web.config

    <authentication mode="Windows"/>
    <authorization>
      <deny users = "?" />
    </authorization>
    <identity impersonate="true"/>
    

    Anonymous access is not selected in IIS 7.0 

    How do I stop a user's website access when he is trying to use a different domain login? It should stop at the Windows popup box itself.

    Wednesday, June 12, 2013 11:31 PM

Answers

  • User-671185724 posted

    There might be 2 things blocking that user,

    1. IIS
    2. Sql Security stuff.

    IIS:

    Anonymous access is disabled in your IIS; also, your Web.config is blocking all anonymous users (<deny users = "?" />).

    But your <identity> property is set on the contrary. You are allowing an anonymous user to impersonate the main user (but you haven't mentioned the credentials for 'Impersonation').

    An example for Impersonation would be,

    <identity impersonate="true" userName="XFRWBD01\user1" password="ee" />

    Where the Username and Password usually denote the resident user (Application Admin) account. This should be used when you want anonymous users to impersonate this user and log in using his rights. Change Impersonate to "false" if you want to block anonymous users.

    If some other User from another domain needs to access your application then use the below syntax.

    <authorization>
      <allow users="Rig,James" />
      <deny users="*" />
    </authorization>

    This means only users 'Rig' and 'James' will be allowed and all else will be rejected.

    And you need to turn OFF your Windows Authentication, because that's not needed here.

    For more information, refer to the link below; it contains a very nice explanation of these things.

    http://weblogs.asp.net/gurusarkar/archive/2008/09/29/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config.aspx


    SQL:

    Yours will mostly be this case, as I can see the 'SqlException' occurring there. Follow the steps below:

    1. Log in to your SQL Management Studio and go to Object Explorer->Security->Logins.

    2. There you can see a list of user types. It's another domain user, so create an account for him there, using his domain name like FFRWB01\Users etc.

    3. After creating it, access its properties and go to the 'User Mapping' section. After opening that, you will see all the DBs listed on the right side.

    4. Select all databases and, below in the Database Role section, select the 'db_owner' and 'public' checkboxes. Note that this can be done by clicking a DB name and doing it, i.e., only the currently clicked DB's properties can be altered in the Database Role section. Doing so grants the user from that domain the db_owner rights and he can access it without any issue.


    Note:

    Even if the SQL fix alone rectifies your issue, it is advisable to change the IIS settings as mentioned above, as it might cause issues in the long term.
    And always backup your IIS before modifying it.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, June 13, 2013 3:57 AM

All replies

  • User645293055 posted

    Changed Impersonate to "false". Getting different error. 

     Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
    
    Exception Details: System.Data.SqlClient.SqlException: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
    
    Source Error:
    
    
    Line 7:          username = username.Substring(pos + 1)
    Line 8:          
    Line 9:          Clients = (From c In SGAEntities.Dim_Client
    Line 10:                    Where c.App_Users_Clients.Any(Function(userclient) userclient.App_Users.Username = username And userclient.App_Users.RecordStatus = 1 And userclient.Access_Level = 1)
    Line 11:                     Select c).ToList()
    

    DB connection string is 

     <add name="Entities" connectionString="metadata=res://*/Data.csdl|res://*/Data.ssdl|res://*/Data.msl;provider=System.Data.SqlClient;provider connection string='data source=server;initial catalog=database;Trusted_Connection=Yes;multipleactiveresultsets=True;App=EntityFramework'" providerName="System.Data.EntityClient" />




    Thursday, June 13, 2013 10:12 AM
  • User-671185724 posted

    Yes, now that user is fully anonymous. He does not have any rights over your DBs, which is why you are getting the same 'SqlException'.

    Follow the Sql section in my previous post. Give the user the mentioned rights.

    Friday, June 14, 2013 2:06 AM
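
The question's code keeps only the part of the account name after the backslash (`username.Substring(pos + 1)`), so the domain never takes part in the `App_Users` lookup and the first failure a `bbb` user sees is the SQL login error. The following is an added example, not code from the thread: a `Global.asax.vb` handler that allow-lists the domain part of the Windows identity and answers 403 before any page code runs. The class name, `AllowedDomains` and `TryGetAllowedUser` are hypothetical, and `aaa` is the placeholder domain from the question, assumed to be its NetBIOS name.

```vbnet
' Global.asax.vb - added example, not the poster's code.
Imports System
Imports System.Security.Principal
Imports System.Web

Public Class Global_asax
    Inherits HttpApplication

    ' Assumption: "aaa" is the NetBIOS name of the only trusted domain
    ' (placeholder taken from the question).
    Private Shared ReadOnly AllowedDomains As String() = {"aaa"}

    ' Splits "DOMAIN\user" and returns True only for an allow-listed domain.
    ' On success, userName receives the part after the backslash.
    Public Shared Function TryGetAllowedUser(accountName As String,
                                             ByRef userName As String) As Boolean
        userName = Nothing
        If String.IsNullOrEmpty(accountName) Then Return False

        Dim pos As Integer = accountName.IndexOf("\"c)
        ' Reject names with no domain part, an empty domain or an empty user.
        If pos <= 0 OrElse pos = accountName.Length - 1 Then Return False

        Dim domain As String = accountName.Substring(0, pos)
        For Each allowed As String In AllowedDomains
            If String.Equals(allowed, domain, StringComparison.OrdinalIgnoreCase) Then
                userName = accountName.Substring(pos + 1)
                Return True
            End If
        Next
        Return False
    End Function

    ' Runs after Windows authentication and before the page handler executes.
    Protected Sub Application_AuthorizeRequest(sender As Object, e As EventArgs)
        Dim principal As IPrincipal = Context.User
        If principal Is Nothing OrElse Not principal.Identity.IsAuthenticated Then Return

        Dim userName As String = Nothing
        If Not TryGetAllowedUser(principal.Identity.Name, userName) Then
            ' 403 rather than 401: the caller is authenticated but not permitted.
            Response.StatusCode = 403
            Response.StatusDescription = "Forbidden"
            CompleteRequest()
        End If
    End Sub
End Class
```

Page code that needs the short user name can call `TryGetAllowedUser` instead of slicing the string itself, so the domain check and the `App_Users` lookup cannot drift apart.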