The error "Login failed for user 'NT AUTHORITY\IUSR'" in ASP.NET and SQL Server 2008

Justin R. · Aug 13, 2009

My ASP.NET v3.5 web application is throwing the following exception when it attempts to open a connection to a SQL Server 2008 database:

System.Data.SqlClient.SqlException: Cannot open database "MyDbName" requested by the login. The login failed. Login failed for user 'NT AUTHORITY\IUSR'.

The thing is, I've added NT AUTHORITY\IUSR to the server's list of logins, and to the database's list of users. For the server, I've granted the user the Public role, and for the database I've granted db_datareader permissions.

I've also granted the same for NT AUTHORITY\NETWORK SERVICE, which is the identity that the application pool is running under.

The web application is hosted by IIS7, if that makes a difference. The problem repros when the DB and IIS are on the same physical machine as well.

Answer

Dave Markle · Aug 13, 2009

The trick here is that NT AUTHORITY\NETWORK SERVICE actually appears to the database as DOMAINNAME\MACHINENAME$ (note the $ sign!). That is, when you cross the machine boundary from your web server to the SQL Server, SQL Server sees the machine account if you use the NETWORK SERVICE or LOCAL SYSTEM accounts. If you use any other non-domain account, SQL Server will not receive your credentials.

I'm a bit puzzled by your error message. Truth be told, I don't think that when the DB is on another box, you'll see anything other than Login Failed for NT AUTHORITY\ANONYMOUS LOGON.

IUSR is used for anonymous websites, and can't pass over the wire to SQL Server. You may find a way for it to work if you're doing everything on the same machine, but I'd never know because I'd never do it that way... ;-)
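The following T-SQL is an added example, not part of the original question or answer. It shows one way to provision and verify the machine-account login the answer describes, limited to the same db_datareader access the question grants. It assumes the web server is a domain-joined machine separate from SQL Server and that the application pool runs as NETWORK SERVICE; `DOMAINNAME\MACHINENAME$` is the answer's placeholder and `MyDbName` is the database name from the error message.

```sql
-- Added example. Replace DOMAINNAME\MACHINENAME$ (placeholder from the answer)
-- with the web server's actual machine account before running.
USE master;
GO
-- 1. Server-level login for the web server's machine account.
IF SUSER_ID(N'DOMAINNAME\MACHINENAME$') IS NULL
    CREATE LOGIN [DOMAINNAME\MACHINENAME$] FROM WINDOWS;
GO

USE [MyDbName];
GO
-- 2. Database user mapped to that login (matched by SID, not by name).
IF NOT EXISTS (SELECT 1
               FROM sys.database_principals
               WHERE sid = SUSER_SID(N'DOMAINNAME\MACHINENAME$'))
    CREATE USER [DOMAINNAME\MACHINENAME$] FOR LOGIN [DOMAINNAME\MACHINENAME$];
GO
-- 3. Read-only access, as in the question; nothing broader.
--    sp_addrolemember is used because ALTER ROLE ... ADD MEMBER
--    is not available on SQL Server 2008.
IF ISNULL(IS_ROLEMEMBER(N'db_datareader', N'DOMAINNAME\MACHINENAME$'), 0) = 0
    EXEC sp_addrolemember N'db_datareader', N'DOMAINNAME\MACHINENAME$';
GO
-- 4. Verify: for each identity discussed on this page, show whether a
--    server login exists, whether it maps to a user in this database,
--    and which database roles that user holds. NULL in db_user means the
--    login exists but has no user in MyDbName.
SELECT sp.name      AS login_name,
       sp.type_desc AS login_type,
       dp.name      AS db_user,
       r.name       AS db_role
FROM sys.server_principals AS sp
LEFT JOIN sys.database_principals   AS dp ON dp.sid = sp.sid
LEFT JOIN sys.database_role_members AS rm ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals   AS r  ON r.principal_id = rm.role_principal_id
WHERE sp.name IN (N'DOMAINNAME\MACHINENAME$',
                  N'NT AUTHORITY\NETWORK SERVICE',
                  N'NT AUTHORITY\IUSR')
ORDER BY sp.name, r.name;
```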