Why is it possible to connect to a database without having given permission to this database

Hello!

I have XP Pro with SQL Server 2005 Express.

This is about the Windows account ASPNET that is used by IIS. If I right-click 
on this computer, select manage and then select local users and groups, I click 
on the item users and then select the user ASPNET. When ASPNET is selected I 
right-click and choose property. Here I choose member in and check that ASPNET 
doesn't belong to any group.

Now I start SQL Server Management Studio Express for SQL Server 2005.
I open up Security->Logins and check that ASPNET doesn't exist.

If I now write this URL in the browser I can list all the customers from the 
customer table in the Northwind database:
http://localhost/Northwind/customerdata.aspx

Now to my question: how is it possible that the account ASPNET has access to 
SQL Server when this account is not listed in the Logins? This account ASPNET 
should not in any way have access to SQL Server.

Can somebody help me explain this strange thing?
In some way this account ASPNET gets access to SQL Server, but I can't 
understand how.

Below is the complete web.config file listed.


**********Start web.config ***********
<?xml version="1.0"?>
<!-- 
    Note: As an alternative to hand editing this file you can use the
    web admin tool to configure settings for your application. Use
    the Website->Asp.Net Configuration option in Visual Studio.
    A full list of settings and comments can be found in
    machine.config.comments usually located in
    \Windows\Microsoft.Net\Framework\v2.x\Config
-->
<configuration>
 <appSettings/>
 <connectionStrings>
  <add name="NorthwindConnectionString"
       connectionString="Data Source=HEMPC\SQLEXPRESS;Initial Catalog=Northwind;Integrated Security=True"
       providerName="System.Data.SqlClient"/>
 </connectionStrings>
 <system.web>
  <!-- 
            Set compilation debug="true" to insert debugging
            symbols into the compiled page. Because this
            affects performance, set this value to true only
            during development.
        -->
  <compilation debug="true"/>
  <!--
            The <authentication> section enables configuration
            of the security authentication mode used by
            ASP.NET to identify an incoming user.
        -->
  <authentication mode="Windows"/>
  <!--
            The <customErrors> section enables configuration
            of what to do if/when an unhandled error occurs
            during the execution of a request. Specifically,
            it enables developers to configure html error pages
            to be displayed in place of a error stack trace.

        <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
            <error statusCode="403" redirect="NoAccess.htm" />
            <error statusCode="404" redirect="FileNotFound.htm" />
        </customErrors>
        -->
 </system.web>
</configuration>

//Tony


0
Tony
12/27/2009 10:06:55 PM
sqlserver.programming

Tony
> SQL server when this account is not
> listed in the Logins. This account ASPNET should not in any way have 
> access to SQL Server.

Perhaps this account is a member of the Administrators group on that 
machine.




0
Uri
12/28/2009 6:13:51 AM
I have triple-checked that the account ASPNET is not a member of any group.

But to help me find out more information about this kind of problem I did 
the following.
I started SQL Server Management Studio Express for SQL Server 2005, 
selected Security->Logins, right-clicked and selected properties on the item 
BUILTIN\Users.
In this dialog, Logins Properties - BUILTIN\Users, I clicked on Status in the 
section "Select a page" and set the radio button "permission to connect to 
database engine" to Deny.

When I now enter this URL http://localhost/Northwind/customerdata.aspx
in the browser I get this error message: Login failed for user 
'HEMPC\ASPNET'.

So because of this error message it seems to me that the account ASPNET is 
a member of the Windows group Users, even though I know that ASPNET is not 
included in the group.

There is a one-to-one connection between the Windows group Users and the SQL 
Server group BUILTIN\Users.

So I checked the users again in My Computer by right-clicking on My Computer 
and selecting manage.
If I list all users that are members of Users I get these three:
NT INSTANS \Autentiserade users (S-1-5-11)
NT INSTANS\INTERAKTIV (S-1-5-4)
SQLDebugger

So my question is still: how can this account ASPNET be a member of the 
Windows group Users?


//Tony




0
Tony
12/28/2009 10:03:26 AM

"Tony Johansson" <johansson.andersson@telia.com> wrote in the newsgroup 
message: On%Zm.13984$U5.212261@newsb.telia.net...

> I have triple-checked that the account ASPNET is not a member of any 
> group.

Have a look here
http://support.microsoft.com/kb/317012/en-us

Did you try command line tools like "net group" and "net localgroup" ?

-- 
Fred
foleide@free.fr 

0
Fred
12/28/2009 10:22:21 AM
I read this article http://support.microsoft.com/kb/317012/en-us and in one
place the article says:
The ASPNET account is created as a local account when you install ASP.NET.
The ASPNET account belongs only to the Users group on that computer.

From the beginning it was a member of the Users group, but just to learn
how this works I removed it. I can easily add it back again.

But I mean, if I remove the account name ASPNET it must be taken away from
that Users group.
As I mentioned, if I check this it has been removed from the Users group.

I do want to understand this, so I hope somebody can help me explain how
ASPNET can be a member of the Users group when it has been removed from
this group.

I ran the command "net localgroup" and below is the result:
C:\Program\Microsoft Visual Studio 8\VC>net localgroup

Alias för \\HEMPC

-------------------------------------------------------------------------------
*Administratörer
*Ansvariga för nätverkskonfigurering
*Ansvariga för replikering
*Ansvariga för säkerhetskopiering
*Användare
*Användare av fjärrskrivbord
*Debugger Users
*Gäster
*HEMPC Admins
*HEMPC Authors
*HEMPC Browsers
*Hjälptjänster
*Privilegierade användare
*SQLServer2005MSSQLServerADHelperUser$HEMPC
*SQLServer2005MSSQLUser$HEMPC$SQLEXPRESS
*SQLServer2005SQLBrowserUser$HEMPC
*Testning
*VS Developers
Kommandot har utförts.

I also ran the command net group and below is the result from that command:
C:\Program\Microsoft Visual Studio 8\VC>net group
This command can only be used on Windows domain controllers. (This row is a
translation from my language)


//Tony




0
Tony
12/28/2009 11:20:27 AM
I don't know much about IIS but have you verified that it's not using *your* 
login credentials (maybe impersonation?) to access the SQL instance?  You 
might also try posting to one of the IIS groups, since this seems more 
likely an IIS issue than a SQL Server issue.  I say this because IIS is 
apparently passing some valid credentials ("Integrated Security=True") 
through to your SQL instance.  It may just be a simple setting in IIS 
Manager like (and keep in mind this is just a guess) ASP.NET Impersonation 
Settings, or something similar.

-- 
Thanks

Michael Coles
SQL Server MVP
Author, "Expert SQL Server 2008 Encryption" 
(http://www.apress.com/book/view/1430224649)
----------------


0
Michael
12/28/2009 1:13:08 PM
This is a very good idea.

Change the query in your web page to:

select USER_NAME(), CURRENT_USER;

and see what it says.





0
Jay
12/28/2009 1:45:39 PM
Since you run http://localhost/Northwind/customerdata.aspx, it is obviously 
an ASP.NET application. An ASP.NET application does not necessarily always 
run with the MachineName\ASPNET account. It depends on how you configure 
IIS and the ASP.NET application. For example, you could use impersonation in 
your ASP.NET application so that the user's credentials would be used as the 
running account. The IIS version also makes a difference, depending on IIS5 
(XP) or IIS6/7...

So, you first need to make clear which account is used to run your 
ASP.NET application. It sounds like in your case the ASPNET account isn't 
used. This is more of an ASP.NET issue, so I am not going to say more on this.

There is another possibility, which you may or may not be aware of, 
depending on your ASP.NET/SQL Express knowledge: if you are doing an 
ASP.NET project as a learning exercise by following an example from a book, 
the ASP.NET project may use SQL Server Express' USER INSTANCE. This 
simplifies SQL Server Express access configuration on one hand, but confuses 
and misleads beginners greatly on the other hand.



0
Norman
12/28/2009 2:33:48 PM
When I enter this URL in the browser
http://localhost/Northwind/customerdata.aspx
and check the result of this select USER_NAME(), CURRENT_USER; in the page,
I get guest as the result.

So how can the account ASPNET be using guest to connect to and use the 
Northwind database when I use IIS 5, which is used in XP?

If I run from VS and have this select USER_NAME(), CURRENT_USER
I get dbo.

So my question is: how can the account ASPNET be using guest to connect to 
and use the Northwind database when I use IIS 5, which is used in XP?

//Tony




0
Tony
12/28/2009 5:27:05 PM
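
The checks discussed in this thread, collected as an added T-SQL example (not code from any poster): it shows which login and database user a connection resolves to, which Windows group login provides the path for HEMPC\ASPNET, and whether guest is enabled in Northwind. The table name dbo.Customers and the remediation batch at the end are assumptions for illustration; the account, group and database names are the ones quoted in the posts.

```sql
-- Added example for SQL Server 2005 or later. Batches 1-2 can be run from the
-- web page's own connection; batches 3-6 need a sysadmin session.

-- 1. Server-level login versus database-level user for the current connection.
--    The thread's query (USER_NAME(), CURRENT_USER) only shows the database
--    user; SUSER_SNAME() shows the Windows account that authenticated.
SELECT SUSER_SNAME()    AS server_login,
       ORIGINAL_LOGIN() AS original_login,
       USER_NAME()      AS database_user;
GO

-- 2. Windows groups carried in this connection's login token.
--    A group listed here that also exists under Security->Logins is enough
--    to let the account connect without a login of its own.
SELECT name, type, usage
FROM sys.login_token
WHERE type = 'WINDOWS GROUP';
GO

-- 3. Ask SQL Server which login grants access to the account.
--    The "permission path" column names the group login that is used.
EXEC master.dbo.xp_logininfo @acctname = N'HEMPC\ASPNET', @option = 'all';
GO

-- 4. Windows group logins on the instance and their CONNECT SQL state
--    (GRANT or DENY, the setting changed on the Status page in the thread).
SELECT pr.name, pr.is_disabled, pe.permission_name, pe.state_desc
FROM sys.server_principals  AS pr
LEFT JOIN sys.server_permissions AS pe
       ON pe.grantee_principal_id = pr.principal_id
      AND pe.permission_name = N'CONNECT SQL'
WHERE pr.type = 'G';            -- G = Windows group
GO

-- 5. Is guest enabled in Northwind? guest is usable only while it holds
--    CONNECT; a login with no user of its own then enters as guest.
USE Northwind;
SELECT pr.name, pe.permission_name, pe.state_desc
FROM sys.database_principals  AS pr
JOIN sys.database_permissions AS pe
  ON pe.grantee_principal_id = pr.principal_id
WHERE pr.name = N'guest'
  AND pe.permission_name = N'CONNECT';
GO

-- 6. Remediation (changes configuration; run deliberately, not as part of
--    the diagnosis). Disable guest and give the account an explicit,
--    minimal mapping instead of relying on a group login.
USE Northwind;
REVOKE CONNECT FROM guest;
CREATE LOGIN [HEMPC\ASPNET] FROM WINDOWS;
CREATE USER  [HEMPC\ASPNET] FOR LOGIN [HEMPC\ASPNET];
GRANT SELECT ON dbo.Customers TO [HEMPC\ASPNET];  -- assumed table name
GO
```
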
If you have a SQL Server login of "guest", then you should disable it. If 
you just have a schema for "guest", I have no frickin clue.

Either way, you now know the user asp is using to access the system.

"Tony Johansson" <johansson.andersson@telia.com> wrote in message 
news:JT5_m.14023$U5.212251@newsb.telia.net...
> When enter this url in the browser
> http://localhost/Northwind/customerdata.aspx
> and check the result for this select USER_NAME(), CURRENT_USER; in the 
> page
> I get guest as the result
>
> So how can account ASPNET be using guest to connect and use the Northwind 
> database when
> I use the IIS 5 which is used in XP.
>
> If I run from VS and have this select USER_NAME(), CURRENT_USER
> I get dbo.
>
> So my question is how can account ASPNET be using guest to connect and use 
> the Northwind database when
> I use the IIS 5 which is used in XP.
>
> //Tony
>


0
Jay
12/29/2009 3:36:42 AM
Both those functions return the user name. We are more interested in the 
login name. Use for instance the SUSER_SNAME() function for that.

-- 
Tibor Karaszi, SQL Server MVP
http://www.karaszi.com/sqlserver/default.asp
http://sqlblog.com/blogs/tibor_karaszi



"Tony Johansson" <johansson.andersson@telia.com> wrote in message 
news:JT5_m.14023$U5.212251@newsb.telia.net...
> When I enter this URL in the browser
> http://localhost/Northwind/customerdata.aspx
> and check the result of this select USER_NAME(), CURRENT_USER; in the 
> page,
> I get guest as the result.
>
> So how can the account ASPNET be using guest to connect to and use the Northwind 
> database when
> I use IIS 5, which is used in XP?
>
> If I run from VS and have this select USER_NAME(), CURRENT_USER
> I get dbo.
>
> So my question is: how can the account ASPNET be using guest to connect to and use 
> the Northwind database when
> I use IIS 5, which is used in XP?
>
> //Tony
>
0
Tibor
12/29/2009 8:42:54 AM
When using IIS I get ASPNET from this SUSER_SNAME(),
and when I used Visual Studio
I get my account Tony that I used to log in to my machine.

//Tony


"Tibor Karaszi" <tibor_please.no.email_karaszi@hotmail.nomail.com> wrote in
message news:ua%23sWLGiKHA.3792@TK2MSFTNGP02.phx.gbl...
> Both those functions return the user name. We are more interested in the
> login name. Use for instance the SUSER_SNAME() function for that.
>
> -- 
> Tibor Karaszi, SQL Server MVP
> http://www.karaszi.com/sqlserver/default.asp
> http://sqlblog.com/blogs/tibor_karaszi
>
>



0
Tony
12/29/2009 12:56:25 PM
Then there is an account "ASPNET" visible in MS under Security/Logins for 
your instance.

"Tony Johansson" <johansson.andersson@telia.com> wrote in message 
news:Z%m_m.14043$U5.212726@newsb.telia.net...
> When using IIS I get ASPNET from this SUSER_SNAME(),
> and when I used Visual Studio
> I get my account Tony that I used to log in to my machine.
>
> //Tony
>


0
Jay
12/29/2009 4:59:15 PM
... or a Windows group of which ASPNET is a member (assuming we're talking 
about a Windows connection here).

-- 
Tibor Karaszi, SQL Server MVP
http://www.karaszi.com/sqlserver/default.asp
http://sqlblog.com/blogs/tibor_karaszi



"Jay" <spam@nospam.org> wrote in message 
news:eTk33gKiKHA.1460@TK2MSFTNGP06.phx.gbl...
> Then there is an account "ASPNET" visible in MS under Security/Logins for 
> your instance.
0
Tibor
12/29/2009 5:22:24 PM
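
The checks suggested across this thread, combined into one T-SQL script as an added example (not code posted by any participant). It separates the server login from the database user, lists the Windows principals in the connection's login token, and checks whether guest can connect. The principal name HEMPC\ASPNET (built from the machine name in the connection string) and the table name dbo.Customers are assumptions.

```sql
-- Added example. Run queries 1-3 over the same connection the page uses
-- (Integrated Security=True, Initial Catalog=Northwind), for instance by
-- temporarily substituting them for the page's query.

-- 1. Login (server level) versus user (database level).
SELECT SUSER_SNAME()    AS login_name,      -- Windows account that authenticated
       ORIGINAL_LOGIN() AS original_login,  -- not changed by EXECUTE AS
       USER_NAME()      AS database_user;   -- guest: the login has no user of its own here

-- 2. Windows principals in this connection's login token that exist as
--    server logins. An account with no login of its own is admitted
--    through a WINDOWS_GROUP row.
SELECT sp.name, sp.type_desc, lt.usage
FROM sys.login_token AS lt
JOIN sys.server_principals AS sp ON sp.sid = lt.sid
WHERE sp.type IN ('U', 'G');                -- U = Windows login, G = Windows group

-- 3. Does guest hold CONNECT in the current database?
SELECT dp.name, p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS dp
  ON dp.principal_id = p.grantee_principal_id
WHERE dp.name = 'guest'
  AND p.class = 0                           -- database-level permission
  AND p.permission_name = 'CONNECT';

-- Steps 4 and 5 are run by an administrator, not through the web page.

-- 4. Disable guest in the user database (leave master and tempdb alone).
USE Northwind;
REVOKE CONNECT FROM guest;

-- 5. Give the web account an explicit, minimal mapping.
--    HEMPC\ASPNET and dbo.Customers are assumed names; skip CREATE LOGIN
--    if query 2 already listed the account as a WINDOWS_LOGIN.
CREATE LOGIN [HEMPC\ASPNET] FROM WINDOWS;
CREATE USER [HEMPC\ASPNET] FOR LOGIN [HEMPC\ASPNET];
GRANT SELECT ON dbo.Customers TO [HEMPC\ASPNET];
```

After step 4, a login that reached Northwind only through guest is refused at the database even though it can still authenticate to the instance.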

Mailbox move adds Deny Permission
Hi, Got a really weird problem, that we noticed after moving mailboxes from an older Exchange, to an Exchange Cluster. We have a helpdesk mailbox that the tech team accesses. Once it was moved, we could no longer gain access to it. Looking at the Helpdesk permissions (Exchange Advanced tab) I noticed that the Administrator, Domain Admins, Exchange Admins, etc. all have full control attributes (Greyed out), but now there is a DENY permission as well (Full Mailbox Access). I didn't add that permission....and cannot remove it...seems to be inherited from somewhere...but have no i...

Opening Access Database file
I am trying to open my access database file on my home computer but i get a message that i will not be able to make changes to it. Is there a way to work around it. By the way i had been using this file with GeoMedia. If any wizard can guide me in the right direction i will be thankful to him or her. Thanks, NED I'm not sure what GeoMedia is, but if you copied the file to your PC from elsewhere, the read-only attribute may be set. Try this ... Using either 'My Computer' or 'Windows Explorer', navigate to the folder that contains your MDB. Right-click the MDB and...

connect to a unix/linux and ftp files ??
I would like to connect to a server (192.168.1.112) or linux.mydomain.com and grab some files in a directory. Any files with a .ceb extension. I would then like to ftp them to an area on my C:\ drive. Is this possible with vbscript? How could I accomplish something like this? thanks I'm also trying to do something similar (get, put, delete, rename, move files on FTP server using VBScript) and I found the following which is written in VB6. If someone knows how to adapt this to work as VBScript, that would be great. Do you simply remove all instances of "Private" and &...

PCCharge over internet connection
We are starting to setup our PCCharge Payment Server to handle the credit card processing from RMS. Our store will have a permanent TCP/IP internet connection, and each machine can connect to the internet. Can PCCharge be used over the internet via TCP/IP, or does it require a dial-up modem connection? We may setup a dialup connection as a backup measure, but I dont' want to use it for our main connection. Bill Yater The Worth Collection byater@worthltd.com PCCharge can be used to over the internet connection. The use of the dialup as a backup depends on the provider. We use a dial...

Visio 2003 How to darken expansion timeline connecting lines?
When I create a expansion timeline,the dotted lines which connect the expansion timeline to the primary timeline are so pale that they can barely be seen when the drawing is printed out. I can not figure out how to make them darker. Any help would be appreciated. Select the expanded timeline shape. Then go to Edit > Open Expanded Timeline to open the group edit window. Select the dashed lines you want to format and make any changes you want. Then close the edit window. -- Mark Nelson Office Graphics - Visio Microsoft Corporation This posting is provided "AS IS" with no...

Connecting to internet link in email
I've just started receiving the following message when trying to connect to a url that's included in a received email message in Outlook 2002: This operation has been cancelled due to restrictions on this computer. Please contact your system administrator. I've recently installed Activesync and an iPAQ PDA and also mNOTES software to sync with Lotus Notes. Some additional PDA apps but nothing else of significance. I can't figure out where the option settings might be that's preventing me from linking to the internet from Outlook. Can anyone help? OL2002: Er...

External users will use only smtp/pop3 connection to Exchange Serv
External users will use only smtp/pop3 connection to Exchange Server. I dont won't create AD users with mailboxes. Are there any other ways to resolve this problem? On Thu, 8 Dec 2005 22:44:01 -0800, "Slava" <Slava@discussions.microsoft.com> wrote: >External users will use only smtp/pop3 connection to Exchange Server. Fine, that's perfectly OK. > >I dont won't create AD users with mailboxes. Oh yes you will. No AD account = No Mailbox. No Mailbox = No access to the server. > >Are there any other ways to resolve this problem? What problem? ...

Permission to add email address to user
We have a setup with a root domain called sun.local (SUN) and a child domain called ki.sun.local (KI). The forest and both domains are in Windows 2003 functional level. The SUN domain has an Exchange 2003 server running in native mode. In the SUN domain the user sunadmin is Enterprise Admin, Domain Admin and Exchange Full Administrator. In the KI domain the user kiadmin is Domain Admin. kiadmin had been made Exchange View Only Admin on the Exchange organization. We would like kiadmin to be able to create and administer new users in the KI domain and everything seems to work fine except ...

Make Excel Database from HTML
Hello. Im new here and I kinda know some about Excel but I have a problem. I need to make an Excel Database from an HTML file and I dont know how to get about doing it. The website is simple w/ one graphic at the top and just links going down... I dont know if Im posting in the right place but... Thanks, Nick -- NTL1991 ------------------------------------------------------------------------ NTL1991's Profile: http://www.excelforum.com/member.php?action=getinfo&userid=29081 View this thread: http://www.excelforum.com/showthread.php?threadid=488078 No One? Nic -- NTL199 ---...

Public Folder Permissions Trusted Domains
Setup: We have a 4 separate 2000 active directory domains on the same network. One of the servers runs exchange 2000 and hosts the mail for all domains. There are trusts setup between the exchange server domain and each of the other three domains. Mail works fine, we have duplicate accounts on the exchange server for the mailboxes. Here's the problem: There are public folders that we need to add author permissions to for users that login to the other domains, not the exchange server domain. A user in any domain can add a public folder, and then they have the permnissions as owner, b...

Edit Template and have connected workbooks updated automatically?
When I make changes to a custom Template the changes are not reflected in any workbooks that are based on the Template. Is this usual and are there any ways to have these changes update to the workbooks automatically ? Thanks Michael Jones ...

Remote Server did not respond to a connection attempt
My exchange 2003 has been working until 1/25/2005 when it suddenly began to queue up email with the information that 'The remote server did not respond to a connection attempt.' I've reviewed my settings (which haven't changed) and checked to see if I have been put on a spam list (not). Any help in this would be appreciated. Thanks. Dan FYI: It was also on this day that Active Sync began to fail with a 3005 error. OMA and OWA as well as RPC over HTTP continue to work. Hope this additional info helps. Thanks "Dan Slaby" <dslaby3@comcast.net> wrote in...

Possible to disable scheduling in service activities?
Hi all, Our company is using service activities for RMA merchandise. Our goal is to create a case and then open a service activity within it that we can assign to the RMA dept (queue) when merchandise is coming back or being shipped out. I've been customizing the form to suit our needs, but I realized that the scheduling portion is mandatory. I thought I could just move those fields to another tab and just hide them, but when we try to submit a new service activity, it automatically displays that tab and requires the info... How can I disable the scheduling fields? Thanks, ...

Accept incoming network connections?"
Version: 2008 Operating System: Mac OS X 10.5 (Leopard) Processor: Intel How can I stop a pop-up window from asking: "Do you want the application Microsoft Excel (or PPT, Word etc) to accept incoming network connections?" I have gone into the Firewall settings and adjusted them, but the question keeps repeating! This is a new install of MS Office 2008. Thanks... Which software is generating the error? Microsoft Office applications should NOT be accepting incoming network connections! The answer should be "no" :-) If a Microsoft Application needs a network connection,...

Creating a summary page without blank lines
I have a project where I need to determine if the billing for supplemental charges for employees matches what is actually deducted from the employee's pay check. I just started this position and what I am working with is a separate spreadsheet for each month's bill. What I have done so far is to create a spreadsheet with a tab for each month that just has the supplemental information being billed for in the left most columns and what was deducted from each paycheck in the columns to the right, a tab that lists employee names and employee numbers, and a summary page that lists...