I can't get impersonation to work !


Paulm

Post by Paulm » Wed Feb 09, 2005 12:08 pm

Hi,

I've installed a Demo version 3.0.2 on a Windows 2003 member server which is also running IIS6 and SQL Server 2000. In the installation process I selected custom option for the account so that users can have active directory authenticate their logins. However, I cannot login as I get "The Vault Server could not establish a connection to the database. Please check the server's log for detailed information. (FailDBConn)." Looking at the error log, I get the following error. Please help.

System Started
Version 3.0.2.2812
Cache Level = 1
DataBase Buffer Size (KB) = 256
LogFile Path = C:\WINDOWS\Temp\sgvault
Log Level = Quiet
Archive Log = Weekly
ReverseDNS Lookup = True
Maximum HTTP Request Length = 102400
Overwrite Log on Startup = False
Session Timeout = 4320
Active Directory Domain =
SGVault Working Directory = C:\WINDOWS\Temp
SGVault Server URL = http://puma.plc.liontrust.co.uk/VaultService
Identity = LIONTRUST\SGVault
----09/02/2005 17:57:44 --()-- Vault Failed to establish a connection to the database.
----09/02/2005 17:57:44 --()-- Login failed for user 'LIONTRUST\SGVault'.
----09/02/2005 17:57:44 --()-- Vault Failed to establish a connection to the database.
----09/02/2005 17:57:44 --()-- Login failed for user 'LIONTRUST\SGVault'.
----09/02/2005 17:57:44 --()-- The session information was not removed from the database. Please check sgvault.dbo.tblsessions within SQL Server. There may be orphaned sessions stored within the database. Error: FailDBConn
----09/02/2005 17:57:53 --192.168.0.204(192.168.0.204)--SSL Disabled Vault Failed to establish a connection to the database.
----09/02/2005 17:57:53 --192.168.0.204(192.168.0.204)--SSL Disabled Login failed for user 'LIONTRUST\SGVault'.
----09/02/2005 17:57:54 admin--192.168.0.204(192.168.0.204)--SSL Disabled Vault Failed to establish a connection to the database.
----09/02/2005 17:57:54 admin--192.168.0.204(192.168.0.204)--SSL Disabled Login failed for user 'LIONTRUST\SGVault'.

jclausius
Posts: 3706
Joined: Tue Dec 16, 2003 1:17 pm
Location: SourceGear

Post by jclausius » Wed Feb 09, 2005 1:08 pm

You might want to try these steps:

1) Re-comment the identity impersonation section of web.config ( Use <!-- and --> )
2) Assuming you created LIONTRUST\SGVault with the correct permissions, create a new Application Pool within IIS using the default values. On the identity tab, choose LIONTRUST\SGVault as the user.
3) Edit the properties of the VaultService virtual directory. Change the Application Pool to the new application pool created in step 2.
4) Restart IIS ( the Vault server ), and see if that lets you connect to the database.
Jeff Clausius
SourceGear

Paulm

Post by Paulm » Wed Feb 09, 2005 4:59 pm

Hi,

I tried the suggestion but now I get "Server was unable to process request. --> File or assembly name lqdwl7ud.dll, or one of its dependencies, was not found." error when I try to log in.

jclausius

Post by jclausius » Wed Feb 09, 2005 5:07 pm

That is odd. Is this similar to the problem here - http://support.sourcegear.com/viewtopic.php?t=3055
Jeff Clausius
SourceGear

Paulm

Post by Paulm » Wed Feb 09, 2005 5:29 pm

Tried it, now same error but a different dll "Server was unable to process request. --> File or assembly name erjvuk4k.dll, or one of its dependencies, was not found."

As far as I can see I've given the right permissions following the article in the knowledge base. All I want is for users to authenticate using AD to log into Vault. I gather I need to have this domain account impersonation to make that possible?

jclausius

Post by jclausius » Wed Feb 09, 2005 9:07 pm

I took the original problem from "Vault Failed to establish a connection to the database". Has this problem gone away, and been changed to the "Server was unable to process request." error?

These errors are sometimes permissions related. Can you re-verify permissions? This time, take a look at this article - http://support.sourcegear.com/viewtopic.php?t=188. Instead of assigning rights to the %SYSTEMDRIVE%\Inetpub\wwwroot\VaultService\VaultShadowFolder directory, double check all Group assignments / Security assignments match those found in this article.
Jeff Clausius
SourceGear

Guest

Post by Guest » Thu Feb 10, 2005 7:34 am

Hi,

Ok, here is what’s going on:

Active Directory Windows 2003

SQL Server 2000, IIS 6.0 running on a Windows 2003 member server

1) Downloaded trial version of SGVault Version 3.0.2
2) Installed SGVault with Network Service Identity. Works fine! But I want to have Active Directory Integration so that we can save the trouble of having to log in every time we check in/check out code.
3) Created a Domain account following the procedures outlined in http://support.sourcegear.com/viewtopic.php?t=188.

4) Installed Server again this time with the Custom identity option and gave the domain account username/password. Finished install.
5) Cannot login. Failed to connect to database error.
6) Reinstalled server again using Network Service and then used the identity switcher tool.
7) Cannot login. Failed to connect to database error.
8) Followed advice to re-comment the web.config file and create new application pool and changed Identity to match the domain logon. Then configured the Vault service to use this application pool.
9) tried logging in and got weird server was unable to process request errors. Tried having the .net framework reregister with IIS.
10) Tried logging in and same errors about server unable to process request error with random dlls.
11) Is it possible at all to have Active Directory authentication?? Has anybody ever done it?

jclausius

Post by jclausius » Thu Feb 10, 2005 8:28 am

Is it possible at all to have Active Directory authentication?? Has anybody ever done it?
Yes. Besides our own in-house testing, there are numerous people on these forums who are using AD to authenticate the password of the user configured in Vault. Please note, AD authentication is just that - authentication. Users must still be added to Vault through the Admin Tool.

However, there is something else going on here. The assembly dll error suggests some other problem. So, before getting to the steps to configure AD, the server must be running correctly, and configured to use a Windows account that has access to the domain for authentication.

Let's take a look where you are at:

1) On the server, do you get the normal "start" page when browsing to - http://localhost/vaultservice

2) On the server, what do you see when you browse to - http://localhost/vaultservice/vaultservice.asmx

3) Finally, ( again from the server ) can you log in using the admin account when attempting to see things through the web interface - http://localhost/vaultservice/vaultweb/login.aspx
Jeff Clausius
SourceGear

jclausius

Post by jclausius » Thu Feb 10, 2005 9:38 am

Paulm wrote: I gather I need to have this domain account impersonation to make that possible?
Yes. By default, ( on Win 2003 ), the Network_Service account is configured as the identity for Vault Service's Application Pool.

Basically, this account does not have sufficient privileges to get to an AD server for authentication, so a Custom .Net account must be built / configured as the identity.
Jeff Clausius
SourceGear

jeremy_sg
Posts: 1821
Joined: Thu Dec 18, 2003 11:39 am
Location: Sourcegear

Post by jeremy_sg » Thu Feb 10, 2005 9:40 am

Often, some problems with impersonation can be solved by making sure that the impersonated account is in the IIS_WPG group in Windows, which will make sure that it has full access to the temp directories it needs. Both the installer and identity switcher are supposed to do this, as well as give the account permissions to the database. Can you use the button below this post to email me your vault_install.log file, which is in the %TEMP% directory of the user who did the install? Maybe that will give some hints as to why this is giving so much trouble.

-Jeremy

Paulm

Post by Paulm » Thu Feb 10, 2005 10:19 am

Hi,

Thanks for your help so far.

Ok, I’m starting again from scratch. I’ve uninstalled Vault and the database. I have an account on the domain who is a member of the domain users group. On the local Policy of the Vault\SQL Server I have given this user rights to Access this computer from the network, Log on as a batch job, log on as a service. Since it is a member of the domain users group, it can log on locally.

1) I have logged in locally as this user on the vault server so that a profile with Application Data is created.

2) The account (SGVault) has full access to its own Application directory.

3) The account has:

Full Control : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files

Read & Execute : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322

Read : %WINDIR%\assembly

Full Control : C:\Documents and Settings\SGVault\Application Data

Full Control : C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys


4) Installing Vault server…Selected option for custom identity and type the Domain\Account and Password. Selected option for Windows Authentication and the setup program created the database and assigned the permissions to NTFS files. Installing Vault on Default Website. Install was successful. Here is the install summary:

OK
Configuring your new Vault Installation
Requesting Vault Admin user password...OK
Connecting to the SQL Server...OK
Verifying the SQL Server requirements...OK
Checking for an existing Vault database...Not found.
Creating a new Vault database on PUMA...
Creating the SourceGear Vault database...OK
Upgrading SourceGear Vault database...OK
Creating SourceGear Vault stored procedures...OK
Adding Data to SourceGear Vault database...OK
Adding the admin user...OK
Giving LIONTRUST\SGVault access to the Vault database...OK
Creating Default Repository...OK
Checking permissions on local folders...OK
Adding permissions for temporary asp.net files...
Ok
Updating Vault Configuration...OK
Looking for websites on this machine...
Looking for websites on this machine...
Found website - 'Default Web Site'
Found website - 'Microsoft SharePoint Administration'
You chose to put Vault on website: 'IIS://LocalHost/W3SVC/1/Root'
Creating the Virtual Directory, VaultService...OK
Creating the Virtual Directory, VaultShadowFolder...OK
Updating Vault.Config with Server URL...OK
Updating Shadow Folder Configuration...OK
Creating the Vault Server Home Page...OK
Your Vault Server has been successfully configured.

5) Now checking if IIS_WPG on the vault server has the domain account …Yes

6) Now checking permissions on C:\Inetpub\wwwroot\VaultService – account has Full Control

7) Now checking permissions on C:\Inetpub\wwwroot\VaultService\VaultShadowFolder – account has full control

8) Now checking Enterprise Manager…dbo and the domain account is created in the database and is in the dbo role group.

9) Now checking http://puma/vaultservice/ - I get a page with “Vault Home Page
puma.plc.liontrust.co.uk Server Installation
Version 3.0.2.2812 Installed 10 February 2005” Looks OK

10) Now checking http://puma/vaultservice/vaultservice.asmx - I get list of services (getobjectlabels etc etc ) Looks OK

11) Now checking http://puma/vaultservice/vaultweb/login.aspx - I get a login page.

12) Attempt to login using Admin – “Login Failed”

13) I have not changed the application pool identity. Looking at VaultAppPool – identity is Network Service.

14) Change it to the domain account identity.

15) Stop Start IIS

16) Attempt Login – Login failed

17) Changed back the VaultAppPool identity to network service.

18) SGVault.log :
----10/02/2005 16:04:20 sgvaultsystem--()--
System Started
Version 3.0.2.2812
Cache Level = 1
DataBase Buffer Size (KB) = 256
LogFile Path = C:\WINDOWS\Temp\sgvault
Log Level = Quiet
Archive Log = Weekly
ReverseDNS Lookup = True
Maximum HTTP Request Length = 102400
Overwrite Log on Startup = False
Session Timeout = 4320
Active Directory Domain =
SGVault Working Directory = C:\WINDOWS\Temp
SGVault Server URL = http://puma.plc.liontrust.co.uk/VaultService
Identity = LIONTRUST\SGVault
----10/02/2005 16:04:21 --()-- Vault Failed to establish a connection to the database.
----10/02/2005 16:04:21 --()-- Login failed for user 'LIONTRUST\SGVault'.
----10/02/2005 16:04:21 --()-- Vault Failed to establish a connection to the database.
----10/02/2005 16:04:21 --()-- Login failed for user 'LIONTRUST\SGVault'.
----10/02/2005 16:04:21 --()-- The session information was not removed from the database. Please check sgvault.dbo.tblsessions within SQL Server. There may be orphaned sessions stored within the database. Error: FailDBConn
----10/02/2005 16:05:40 --192.168.0.204(192.168.0.204)--SSL Disabled Vault Failed to establish a connection to the database.
----10/02/2005 16:05:40 --192.168.0.204(192.168.0.204)--SSL Disabled Login failed for user 'LIONTRUST\SGVault'.
----10/02/2005 16:06:17 admin--192.168.0.204(192.168.0.204)--SSL Disabled Vault Failed to establish a connection to the database.
----10/02/2005 16:06:17 admin--192.168.0.204(192.168.0.204)--SSL Disabled Login failed for user 'LIONTRUST\SGVault'.
----10/02/2005 16:06:43 --puma.plc.liontrust.co.uk(192.168.0.79)--SSL Disabled Vault Failed to establish a connection to the database.
----10/02/2005 16:06:43 --puma.plc.liontrust.co.uk(192.168.0.79)--SSL Disabled Login failed for user 'LIONTRUST\SGVault'.
----10/02/2005 16:06:51 --puma.plc.liontrust.co.uk(127.0.0.1)--SSL Disabled Vault Failed to establish a connection to the database.
----10/02/2005 16:06:51 --puma.plc.liontrust.co.uk(127.0.0.1)--SSL Disabled Login failed for user 'LIONTRUST\SGVault'.
----10/02/2005 16:06:57 admin--puma.plc.liontrust.co.uk(127.0.0.1)--SSL Disabled Vault Failed to establish a connection to the database.
----10/02/2005 16:06:57 admin--puma.plc.liontrust.co.uk(127.0.0.1)--SSL Disabled Login failed for user 'LIONTRUST\SGVault'.

jeremy_sg

Post by jeremy_sg » Thu Feb 10, 2005 10:31 am

So at the moment, the problem is that the LIONTRUST\SGVault account doesn't have access to the sgvault database. Can you use Enterprise Manager to verify that the account should have db_owner and access to the sgvault database?
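
An added example (not from the thread and not SourceGear code) that reads sgvault.log excerpts like the ones posted above and reports which principal SQL Server rejected. The field layout is inferred from the excerpts in this thread, and `triage`, `SAMPLE_LOG` and the regex names are made up for the illustration.

```python
import re
from collections import Counter

# Constructed sample in the format of the sgvault.log excerpts in this thread.
SAMPLE_LOG = r"""----10/02/2005 16:04:20 sgvaultsystem--()--
System Started
Identity = LIONTRUST\SGVault
----10/02/2005 16:04:21 --()-- Vault Failed to establish a connection to the database.
----10/02/2005 16:04:21 --()-- Login failed for user 'LIONTRUST\SGVault'.
----10/02/2005 16:05:40 --192.168.0.204(192.168.0.204)--SSL Disabled Login failed for user 'LIONTRUST\SGVault'.
----10/02/2005 16:06:17 admin--192.168.0.204(192.168.0.204)--SSL Disabled Login failed for user 'LIONTRUST\SGVault'.
"""

# Assumed layout: ----<date> <time> <vault user>--<host>(<ip>)--[SSL <state> ]<message>
ENTRY = re.compile(
    r"^----(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (?P<user>\S*?)--"
    r"(?P<host>[^()]*)\((?P<ip>[^()]*)\)--(?:SSL \w+)?\s*(?P<msg>.*)$")
IDENTITY = re.compile(r"^Identity = (?P<identity>.+?)\s*$")
SQL_DENIED = re.compile(r"Login failed for user '(?P<principal>[^']+)'")


def triage(log_text):
    """Summarise which principal the database rejected, and on whose requests."""
    identity = None
    rejected = Counter()     # principal named in "Login failed for user '...'"
    vault_users = Counter()  # Vault user on the entry ("" = nobody logged in yet)
    no_client = 0            # rejections logged with no client address at all
    for line in log_text.splitlines():
        m = IDENTITY.match(line)
        if m:
            identity = m.group("identity")
            continue
        e = ENTRY.match(line)
        denied = e and SQL_DENIED.search(e.group("msg"))
        if not denied:
            continue
        rejected[denied.group("principal")] += 1
        vault_users[e.group("user")] += 1
        if not e.group("ip"):
            no_client += 1
    # If every rejection names the identity the server process runs as, the database
    # refused the service account itself; no Vault user's password is involved.
    service_account_denied = bool(rejected) and set(rejected) == {identity}
    return {"identity": identity, "rejected": dict(rejected),
            "vault_users": dict(vault_users), "no_client": no_client,
            "service_account_denied": service_account_denied}
```

On the sample, all three rejections name the process identity and one of them carries no client address or Vault user, so the place to look is the SQL Server login for the service account rather than the Vault admin password.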

jclausius

Post by jclausius » Thu Feb 10, 2005 10:33 am

OK. Now that Vault seems to be running correctly for the default stuff, the database access needs to be granted. Usually this is done within the installer.

Assuming the SQL Server is also on the same LIONTRUST domain, the following script will give LIONTRUST\SGVault access to the database. If the database server is not on a domain, we'll have to tackle this another way.

Code:

IF ( NOT EXISTS (SELECT sid FROM master..syslogins WHERE name = 'LIONTRUST\SGVault'))
	sp_grantlogin = 'LIONTRUST\SGVault'
GO

USE sgvault
GO

IF ( NOT EXISTS (SELECT * from sgvault.dbo.sysusers WHERE name = 'LIONTRUST\SGVault'))
	sp_grantdbaccess 'LIONTRUST\SGVault'

sp_addrolemember 'db_owner', 'LIONTRUST\SGVault'
sp_addrolemember 'public', 'LIONTRUST\SGVault'
GO

Let me know if you need more assistance with this. If not, please let me know if all of this ran correctly against your database.
Jeff Clausius
SourceGear

Paulm
Posts: 11
Joined: Thu Feb 10, 2005 10:21 am

Post by Paulm » Thu Feb 10, 2005 10:57 am

Hi,

Liontrust\SGVault is in the Public and dbo group. This should mean that it has access right ?

I ran the script but got the following errors. Syntax errors ?

Server: Msg 170, Level 15, State 1, Line 2
Line 2: Incorrect syntax near 'sp_grantlogin'.
Server: Msg 170, Level 15, State 1, Line 3
Line 3: Incorrect syntax near 'sp_grantdbaccess'.

jclausius

Post by jclausius » Thu Feb 10, 2005 11:00 am

Typos...

Sorry about that -

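Code:

-- Server level: create the Windows login if it does not exist yet.
IF ( NOT EXISTS (SELECT sid FROM master..syslogins WHERE name = 'LIONTRUST\SGVault'))
   EXEC sp_grantlogin 'LIONTRUST\SGVault'
GO

USE sgvault
GO

-- Database level: map the login to a user in sgvault if it is not mapped yet.
IF ( NOT EXISTS (SELECT * from sgvault.dbo.sysusers WHERE name = 'LIONTRUST\SGVault'))
   EXEC sp_grantdbaccess 'LIONTRUST\SGVault' ,  'LIONTRUST\SGVault'

-- EXEC is required whenever a procedure call is not the first statement in its batch.
EXEC sp_addrolemember 'db_owner', 'LIONTRUST\SGVault'
-- No call for 'public': every database user is already a member and its membership cannot be changed.
GO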
Jeff Clausius
SourceGear
