Re: IIS7 Application Pool Identity on domain joined machine
On 8 January 2014 02:18, David Connors da...@connors.com wrote: I have an odd behaviour I've not noticed before. When deploying a bog standard ASP.NET + SQL Server app I create a database role and grant exec on all of the procs to that role. At the time of deployment I'll create a SQL Server login on the local box for IIS APPPOOL\App Pool Name and add it into that role. I have noticed that IIS7 doesn't appear to use the app pool identity when authenticating to SQL Server on a domain joined machine (even though IIS and SQL are ont he same box). ie. 1. App is set up with its own App Pool 2. Identity is set to ApplicationPoolIdentity 3. When connecting you get Login Failed for user CODIFY\MACHINENAME$ I work this way often on a domain joined Server 2008 R2 (IIS7.5) box with local SQL Server 2008 R2. I just did a SQL Trace and it does show IIS APPPOOL\account as the LoginName and account as the NTUserName. Interestingly, task manager shows w3wp.exe shows the user running as account - sans the IIS APPPOOL prefix. You state IIS7, not 7.5, so are you using Server 2008? What version of SQL Server are you using? The following might be relevant, and the resident Mr Schaefer has already weighed in. A local network trace is impossible but sniffing for any RPC/AD type traffic (port 88, 135, etc) might reveal something? http://forums.iis.net/t/1206862.aspx My original thought was that perhaps there's an SPN (MSSqlSvc/server for your box in AD and it's trying some dodgy Kerberos things. But I don't think it will try that with local accounts. machinename implies it's falling back to NetworkService? Typo somewhere? Exact same code on a non-domain-joined machine: 1. App is set up with its own App Pool 2. Identity is set to ApplicationPoolIdentity 3. When connecting you get Login Failed for user IIS APPPOOL\APP POOL NAME What's more perplexing is that in *both cases*, the w3p.exe is running at IIS APPPOOL\APP POOL NAME - which is what you expect. It just does this daft impersonation when the machine is domain joined... So must be the way the account is resolved inside SQL ? Latest sqlncli? David. David Connors da...@connors.com | M +61 417 189 363 Download my v-card: https://www.codify.com/cards/davidconnors Follow me on Twitter: https://www.twitter.com/davidconnors Connect with me on LinkedIn: http://au.linkedin.com/in/davidjohnconnors -- *Richard Carde* Phone: +44 7956 356 226
Point of sale hardware for testing
This is a bit off topic but I need to test some receipt printers for my app, specifically Epson TM-T88 series. Rather than buy one (they are around $500) does anyone know somewhere that sells second hand POS hardware. On eBay they seem to come with a lot of missing power supplies and I have to wait for auctions. This is one that looks ok in Brisbane which I will probably buy if I can't find one in Melbourne. Alternatively, does anyone have one I could borrow for a few days in Melbourne area. Regards Craig
RE: IIS7 Application Pool Identity on domain joined machine
Off the top of my head – does the application think it’s going to a non-local SQL Server (dunno why it would think that, but you never know). Then the app pool would be connecting as computername$ From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On Behalf Of David Connors Sent: Wednesday, 8 January 2014 1:18 PM To: ozDotNet Subject: IIS7 Application Pool Identity on domain joined machine I have an odd behaviour I've not noticed before. When deploying a bog standard ASP.NEThttp://ASP.NET + SQL Server app I create a database role and grant exec on all of the procs to that role. At the time of deployment I'll create a SQL Server login on the local box for IIS APPPOOL\App Pool Name and add it into that role. I have noticed that IIS7 doesn't appear to use the app pool identity when authenticating to SQL Server on a domain joined machine (even though IIS and SQL are ont he same box). ie. 1. App is set up with its own App Pool 2. Identity is set to ApplicationPoolIdentity 3. When connecting you get Login Failed for user CODIFY\MACHINENAME$ Exact same code on a non-domain-joined machine: 1. App is set up with its own App Pool 2. Identity is set to ApplicationPoolIdentity 3. When connecting you get Login Failed for user IIS APPPOOL\APP POOL NAME What's more perplexing is that in both cases, the w3p.exe is running at IIS APPPOOL\APP POOL NAME - which is what you expect. It just does this daft impersonation when the machine is domain joined... David. David Connors da...@connors.commailto:da...@connors.com | M +61 417 189 363 Download my v-card: https://www.codify.com/cards/davidconnors Follow me on Twitter: https://www.twitter.com/davidconnors Connect with me on LinkedIn: http://au.linkedin.com/in/davidjohnconnors
Re: Point of sale hardware for testing
Craig, In these situations, we normally borrow one from a relevant party. Eg the customer, the manufacturer or a reseller. Manufacturers and resellers usually have hardware reserved for this purpose. Just ask. We've always found them happy to help. David If we can hit that bullseye, the rest of the dominoes will fall like a house of cards... checkmate! -Zapp Brannigan, Futurama On 9 January 2014 09:00, Craig van Nieuwkerk crai...@gmail.com wrote: This is a bit off topic but I need to test some receipt printers for my app, specifically Epson TM-T88 series. Rather than buy one (they are around $500) does anyone know somewhere that sells second hand POS hardware. On eBay they seem to come with a lot of missing power supplies and I have to wait for auctions. This is one that looks ok in Brisbane which I will probably buy if I can't find one in Melbourne. Alternatively, does anyone have one I could borrow for a few days in Melbourne area. Regards Craig
Re: Point of sale hardware for testing
Thanks, I might try that. The users are in the UK but I might try and contact Epson locally. I did try and contact a coupler of hardware resellers but that basically said no. Craig On Thu, Jan 9, 2014 at 9:24 AM, David Richards ausdot...@davidsuniverse.com wrote: Craig, In these situations, we normally borrow one from a relevant party. Eg the customer, the manufacturer or a reseller. Manufacturers and resellers usually have hardware reserved for this purpose. Just ask. We've always found them happy to help. David If we can hit that bullseye, the rest of the dominoes will fall like a house of cards... checkmate! -Zapp Brannigan, Futurama On 9 January 2014 09:00, Craig van Nieuwkerk crai...@gmail.com wrote: This is a bit off topic but I need to test some receipt printers for my app, specifically Epson TM-T88 series. Rather than buy one (they are around $500) does anyone know somewhere that sells second hand POS hardware. On eBay they seem to come with a lot of missing power supplies and I have to wait for auctions. This is one that looks ok in Brisbane which I will probably buy if I can't find one in Melbourne. Alternatively, does anyone have one I could borrow for a few days in Melbourne area. Regards Craig
Re: Point of sale hardware for testing
Craig van Nieuwkerk wrote: This is a bit off topic but I need to test some receipt printers for my app, specifically Epson TM-T88 series. Rather than buy one (they are around $500) does anyone know somewhere that sells second hand POS hardware. On eBay they seem to come with a lot of missing power supplies and I have to wait for auctions. This is one that looks ok in Brisbane which I will probably buy if I can't find one in Melbourne. Alternatively, does anyone have one I could borrow for a few days in Melbourne area. Regards Craig Heya Craig, I can help you out with a loan, as I have a few lying around. I've also done a fair bit of development with these devices (including callbacks running low on paper, top-part-thing is open etc. They are a solid printer and I'd recommend them. PM me details if you are still looking. Cheers, -- Les Hughes l...@datarev.com.au