错误"用户登录失败'NT AUTHORITY \\ IUSR'"在ASP.NET和SQL Server 2008
当它试图打开到SQL Server的连接我的ASP.NET v3.5的Web应用程序抛出以下异常2008数据库:
My ASP.NET v3.5 web application is throwing the following exception when it attempts to open a connection to a SQL Server 2008 database:
System.Data.SqlClient.SqlException:
无法打开数据库MyDbName
登录所请求。登录
失败。用户登录失败'NT
AUTHORITY \\ IUSR。
System.Data.SqlClient.SqlException: Cannot open database "MyDbName" requested by the login. The login failed. Login failed for user 'NT AUTHORITY\IUSR'.
问题是,我已经添加了 NT AUTHORITY \\ IUSR 到服务器的登录列表和用户的数据库的列表。对于服务器,我已经授予该用户的公共角色,并为数据库,我理所当然的db_datareader 权限。
The thing is, I've added NT AUTHORITY\IUSR to the the server's list of logins, and to the database's list of users. For the server, I've granted the user the Public role, and for the database I've granted db_datareader permissions.
我也给予同样为 NT AUTHORITY \\ NETWORK SERVICE ,这是应用程序池下运行的身份。
I've also granted the same for NT AUTHORITY\NETWORK SERVICE, which is the identity that the application pool is running under.
Web应用程序通过IIS7托管,如果有差别。问题repros当DB和IIS位于同一物理机上也是如此。
The web application is hosted by IIS7, if that makes a difference. The problem repros when the DB and IIS are on the same physical machine as well.
这里的诀窍是, NT AUTHORITY \\ NETWORK SERVICE 居然出现在数据库域名\\计算机名$ (注意 $ 签字!)。也就是说,当你穿越从Web服务器到SQL Server的机器边界时,SQL Server看到了计算机帐户,如果您使用 NETWORK SERVICE 或本地系统帐户。如果您使用任何其他非域帐户时,SQL Server将不会收到您的凭据。
The trick here is that NT AUTHORITY\NETWORK SERVICE actually appears to the database as DOMAINNAME\MACHINENAME$ (note the $ sign!). That is, when you cross the machine boundary from your web server to the SQL Server, SQL Server sees the machine account if you use the NETWORK SERVICE or LOCAL SYSTEM accounts. If you use any other non-domain account, SQL Server will not receive your credentials.
我有点被你的错误消息感到不解。说实话,我不认为当DB是在另一台电脑,你会看到比之外的任何登录失败NT AUTHORITY \\ ANONYMOUS登录。
I'm a bit puzzled by your error message. Truth be told, I don't think that when the DB is on another box, you'll see anything other than Login Failed for NT AUTHORITY\ANONYMOUS LOGON.
IUSR 用于匿名网站,而不能越过线到SQL Server。你可以找到它,如果你在同一台机器上做的一切工作的一种方式,但我永远不会知道,因为我从来没有这样做的...; - )
IUSR is used for anonymous websites, and can't pass over the wire to SQL Server. You may find a way for it to work if you're doing everything on the same machine, but I'd never know because I'd never do it that way... ;-)