tags:

views:

149

answers:

2
Q: 

How to configure website guest access?

I finished creating my C#/SQL web application in VS 2008 on an XP Pro OS. It builds and executes successfully. Using the same code, I developed a website in VS 2008. Although this website builds and executes successfully, when I deploy it from my computer, it does not display the data grid. I think this is because the internet user does not have access to my SQL database.

So I read up on configuring SQL securables, trusted accounts vs. impersonation, etc. But I still don't have a real good handle on all this. I have tried both anonymous access with customer user logins specified in IIS Web Site properties, as well as disabling anonymous access. I am using same computer to host website (IIS), storing SQL Server and databases, and storing VS 2008.

Right now my goal is to just get this website to work from the internet. It resolves to the current page and everything appears except for this gridview which allows the user to choose which table from my Adventureworks database they want to append to. I noticed that the same image appears from IIS6 Manager window as what appears on the internet. And I am using Integrated instead of Windows account. I'm using IIS 5.1 with the default aspnet_wp.exe process.

You can view it at URL:

http://sqlmagic.net/Default.aspx

What type of authentication and user access do you recommend for me to give minimal but sufficient access to internet users for appending new data to existing tables on my database? And do you have any URL's you could recommend to me to look at regarding this? I have googled and read alot of URL's but I've not found that many helpful ones for an XP OS.

Also, I have the following connection string in my web.config file:

<add name="***" connectionString="Data Source=.;AttachDbFilename=&quot;C:\Program Files\Microsoft SQL Server\***\DATA\AdventureWorks_Data.mdf&quot;;Integrated Security=True;Connect Timeout=30;User Instance=False"
  providerName="System.Data.SqlClient" />

Is this correct or do I need "User ID" and "Password"? And right now I have Authentication Mode = Windows. Should this be Forms or something else?

I got rid of the Failure Audit error from Event Manager now. However, the GridView still doesn't display on the URL above. Right now I am using IUSR_ as my anonymous user access name. Is this the correct account to use?

GridView displays now in IIS6 Manager, but not in this URL. Since I no longer receive errors in event manager, how can I diagnose cause of missing GridView? Also, why does it take so long for this website to finish loading on my website URL, but only one second when viewing it from IIS Manager?

+2  A: 

Using integrated security means that connections to SQL Server are made by the user id under which the requesting process is run. In this case, it's the user that IIS runs under.

It works in VS 2008 because you're using the "debug" server and, as such, it is connecting as you. When you publish to IIS, it's running as an unprivileged system account -- or it should be.

The easiest solution is to turn off integrated security and create a user that can connect to the database using SQL Server authentication. The alternate solution is to determine the windows user id that IIS is running as and allow that user the ability to connect to the database with the least amount of privileges possible.

And the "Authentication Mode" question isn't really relevant to connecting to SQL Server unless you're doing impersonation. Impersonation allows the IIS process/worker thread to run as the user making the web request. Since you're not doing impersonation, it's moot.

andymeadows  2009-08-17 04:11:48
Very helpful answer, Andy. Yes, I want to turn off integrated security then. So do I need to select Windows authentication instead? And then do I create a new login user and grant it read/write access to this database? I don't want to use impersonation; I would prefer to use trusted. While your answer points me in a definite direction, could you provide me with further details as far as what items/elements to modify?
salvationishere  2009-08-17 04:19:16
Windows Authentication and Forms Authentication have NOTHING to do with access to your database. If you're going to use trusted then you need to grant the user under which the IIS worker processes run access to your database. See http://blogs.iis.net/davcox/archive/2009/08/12/what-is-my-iis-code-running-as.aspx and I hope your pain tolerance is high. Once you determine the identity, create a login for that user in your database. May need to download SQL Server Management Studio Express if you can't do this within VS. Sorry, but I don't have a dev environment handy atm.
andymeadows  2009-08-17 04:40:34
Thank you for these links, Andy. So if u r saying that authentication has nothing to do with database access, then what r u saying are the causes? And to correct the description of my problem, I'm actually using IIS 5.1 with the default aspnet_wp.exe process.
salvationishere  2009-08-17 10:15:28
There are two authentication mechanisms at play. User authentication between the browser and IIS and authentication between IIS and SQL Server. Forms and Windows Authentication handle the User Authentication piece. IIS will try and connect to SQL server using the Identity of the App Pool if you connect as trusted. If you're doing impersonation, it will try and connect as the authenticated user or the user specified in the impersonation config section. Read http://idunno.org/articles/276.aspx and see if this clears it up. If not, I'll try and elaborate more.
andymeadows  2009-08-17 18:23:35
Andy, I tried your suggestions. I understand authentication better, thanks to you! But the link you sent me discusses impersonation which I do not want to do. And I don't think IIS 5.1 supports App Pools or at least I don't know how to configure App Pools in it. Please see above description for latest status: my website is working now in IIS, but not in the web browser!
salvationishere  2009-08-19 03:33:21
IIS 5.1 runs as ASPNET by default. See http://forums.asp.net/t/1450645.aspx for some more information.Honestly, at this point I'd need to see source to discern why it's so slow to load. If it's only the initial load, it's the process being loaded. If it's every load then I would guess it's the connection between the app and the database.
andymeadows  2009-08-19 19:05:28
+1  A: 

When I was trying to get to grips with these concepts, it was useful for me to remember that it's not the user of the web application that connects with the database, it's the process of the web application, running under IIS.

When a user authenticates to the web app, it just means that the app understands who the user is.

When the user does something which requires database access, the IIS process connects to the DB, it can either connect as the ASPNET user, or you can ask it to impersonate a different account.

Personally I prefer to create a user account specifically for the task of connecting to the DB and then setting IIS to impersonate this account. I think this is preferable to giving the ASPNET user access to the database.

JustABitOfCode  2009-08-17 15:33:14
I like what u r saying. I got my website working correctly now in IIS but not on internet. And no Failure Audits any more in event log. Do you know why this would be? And why it takes so long to load from the web browser?
salvationishere  2009-08-18 01:58:33

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?