2

I use Windows Authentication against Active Directory in my ASP.NET MVC website. I am now trying to deploy the site to test, but the problem is that I keep getting the following exception at login:

> Cannot open database "PrincipalServerDB" requested by the login. The login failed. Login failed for user 'IIS APPPOOL\WebExploit'.

I have followed this tutorial to deploy to test: https://learn.microsoft.com/en-us/aspnet/web-forms/overview/deployment/visual-studio-web-deployment/deploying-to-iis

And I use authentication as described here: http://tech.trailmax.info/2016/03/using-owin-and-active-directory-to-authenticate-users-in-asp-net-mvc-5-application/ that uses OWIN authentication.

I am conscious that my question lacks understanding, but it is because I don't understand what's going on. I have tried following the steps as described in this post https://stackoverflow.com/a/7698316/4714502 but I had already done a Grant.sql script to grant access as follows:

    IF NOT EXISTS (SELECT name FROM sys.server_principals WHERE name = 'IIS APPPOOL\DefaultAppPool')
    BEGIN
        CREATE LOGIN [IIS APPPOOL\DefaultAppPool]
          FROM WINDOWS WITH DEFAULT_DATABASE=[master],
          DEFAULT_LANGUAGE=[us_english]
    END
    GO
    CREATE USER [WebExploitUser]
      FOR LOGIN [IIS APPPOOL\DefaultAppPool]
    GO
    EXEC sp_addrolemember 'db_owner', 'WebExploitUser'
    GO

In the first tutorial they say:

> When the application runs in IIS on your development computer, the application accesses the database by using the default application pool's credentials. However, by default, the application pool identity does not have permission to open the databases. So you have to run a script to grant that permission. In this section you create the script that you'll run later to make sure that the application can open the databases when it runs in IIS.

That means it's the application that has the rights, right? Not the actual user? Don't know how to solve this...

If I look into SSMS, in my PrincipalServerDB properties, authorizations show WebExploitUser as defined.

Here is my Application Pool in IIS:

[image: screenshot of the Application Pool in IIS]

'Démarré' means started in French.

Flexabust Bergson
  • Can you check in IIS which user is used to run the Application Pool? It looks like it's the `IIS APPPOOL\WebExploit`. If so, that's the problem, because you have given the `IIS APPPOOL\DefaultAppPool` account access to the database. If not, there's something else not configured correctly. – Jan_V Sep 15 '17 at 09:26
  • @Jan_V I have both in my app pool. I have actually tried to run the grant script with `IIS APPPOOL\DefaultAppPool` and `IIS APPPOOL\WebExploit`. I'll add a screenshot of my app pool in IIS – Flexabust Bergson Sep 15 '17 at 09:34

1 Answer

3

If you executed the code you've posted as it is, you created the user in the master database, not in your user database. So you should create it in the user database and drop it from master.

So you need to execute the following code:

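    -- Switch to the application database so the user is created there, not in master
    use PrincipalServerDB;
    -- Map the app pool login to a user in this database
    create user [IIS APPPOOL\WebExploit] from login [IIS APPPOOL\WebExploit];
    EXEC sp_addrolemember 'db_owner', 'IIS APPPOOL\WebExploit';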
sepupic
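A check-and-fix script for the login-to-user mapping problem the answer describes, added here as an example and not part of the original posts. It assumes the server login for `IIS APPPOOL\WebExploit` already exists, and the choice of the data reader/writer roles in place of `db_owner` is an assumption about what the site needs.

```sql
-- Added example. Object names come from the question; the role choice is an assumption.
-- 1. Is there a server login for the identity named in the error message?
SELECT name, type_desc, default_database_name
FROM sys.server_principals
WHERE name LIKE N'IIS APPPOOL\%';

-- 2. In which database is each app pool login mapped to a user?
--    Rows from master but none from PrincipalServerDB are consistent with the error.
SELECT N'master' AS database_name, dp.name AS user_name, sp.name AS login_name
FROM master.sys.database_principals AS dp
JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE sp.name LIKE N'IIS APPPOOL\%';

SELECT N'PrincipalServerDB' AS database_name, dp.name AS user_name, sp.name AS login_name
FROM PrincipalServerDB.sys.database_principals AS dp
JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE sp.name LIKE N'IIS APPPOOL\%';
GO

-- 3. Map the login inside the application database (safe to re-run).
USE PrincipalServerDB;
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'IIS APPPOOL\WebExploit')
    CREATE USER [IIS APPPOOL\WebExploit] FOR LOGIN [IIS APPPOOL\WebExploit];
GO

-- 4. Assumption: the site only reads and writes table data, so it gets the data
--    roles rather than db_owner; schema changes at run time would need more.
--    ALTER ROLE ... ADD MEMBER requires SQL Server 2012 or later.
ALTER ROLE db_datareader ADD MEMBER [IIS APPPOOL\WebExploit];
ALTER ROLE db_datawriter ADD MEMBER [IIS APPPOOL\WebExploit];
GO

-- 5. Verify the resulting role membership.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE m.name = N'IIS APPPOOL\WebExploit';
GO

-- 6. Remove the stray user that the original Grant.sql created in master.
USE master;
GO
IF EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'WebExploitUser')
    DROP USER [WebExploitUser];
GO
```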