
We have many servers with an ASP.NET application installed. I'm trying to figure out an automatic way to connect to the SQL server using PowerShell.

They use a domain account to run the app pool. I have the code below to get the connection string from the app and the app pool identity, and to try to open a connection to SQL.

However, when I run it in PowerShell, the SQL login fails with "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'". I don't understand why. I confirmed the ASP.NET application is using the app pool identity in SQL via sp_who2.

Output confirms that the Invoke-Command is using the app pool identity. I can't change the connection string per business policies. I want to only use .NET to connect to SQL because I know .NET Framework 4.8 will be on all machines I use to run it.

I removed the code for getting the connection string and app pool identity from the sample below in the hope of letting more people troubleshoot.

Just update the username, password, and server name below and try it out:

$username = 'MyUsername'      # the app pool identity, as DOMAIN\user
$password = 'MyPassword'

$ConnStr = 'Data Source=MyServer;Trusted_Connection=yes;'

$query = 'Select system_user, @@servername DBHostName,(SELECT login_time FROM sys.sysprocesses where spid=1)SQLUptime, @@version SQLVersion;'

$SQLPoshCmds = {
    # $args[0] = connection string, $args[1] = query
    $env:USERNAME   # shows which account the script block is actually running as
    $args[0]
    try{
      $SqlConnection = New-Object System.Data.SqlClient.SqlConnection
      $SqlConnection.ConnectionString = $args[0]

      $SqlCmd = New-Object System.Data.SqlClient.SqlCommand
      $SqlCmd.CommandText = $args[1]
      $SqlCmd.Connection = $SqlConnection
      $SqlAdapter = New-Object System.Data.SqlClient.SqlDataAdapter
      $SqlAdapter.SelectCommand = $SqlCmd
      $SqlConnection.Open()
      $DataSet = New-Object System.Data.DataSet
      [void]$SqlAdapter.Fill($DataSet)   # discard the row count; only the tables are wanted
      $DataSet.Tables | Format-List
    }
    Catch{
      $_
      # write "`r`n$($_.Exception)"
      # write $_.ScriptStackTrace
      # write $_.ErrorDetails
    }
    Finally{
      # $SqlConnection is null if New-Object itself failed
      if ($SqlConnection) {
        $SqlConnection.Close()
        $SqlConnection.Dispose()
      }
    }
}

if($ConnStr.Contains('Trusted_Connection=yes;')){
    # -ComputerName '.' still goes through WinRM: this is a loopback remoting session running as $username
    $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username,(ConvertTo-SecureString -AsPlainText $password -Force)
    Invoke-Command -ArgumentList $ConnStr,$query -ComputerName '.' -ScriptBlock $SQLPoshCmds -Credential $cred
}else{
    # SQL login in the connection string: run in the current process, but the script block still needs its arguments
    Invoke-Command -NoNewScope -ArgumentList $ConnStr,$query -ScriptBlock $SQLPoshCmds
}
  • Aside... you'll probably need to use master.sys.sysprocesses instead of sys.sysprocesses, depending on the default database specified on the connection (or the App Pool Identity user's default database if none is specified in the connection string). Also, the user will need the VIEW SERVER STATE permission to see any sessions other than their own. Commented Jul 29, 2022 at 0:46
  • Have you tried wrapping Invoke-Command in your own impersonation context? Commented Jul 29, 2022 at 0:46
  • And wouldn't the connection strings be in web.config? I would certainly look at and check the connection strings in web.config, since it's possible the code-behind is using a different connection than you are assuming. Commented Jul 29, 2022 at 1:21
  • The running joke at my company whenever anyone sees "anonymous logon" is to yell "Kerberos is broken". Of course it typically means the double hop is being denied because an SPN has not been registered (or, more rarely, that delegation has been prohibited). I'm not a PowerShell person, but I notice your code has ComputerName '.', which would imply there is no double hop. But are you actually invoking on the local machine, or did you just put in the '.' to avoid including any internal stuff in your SO question?
    – allmhuran
    Commented Jul 29, 2022 at 1:53
  • I think I'm going to try to replace trusted_connection=yes; with user id= and password= again. The first time I tried it, I got an error something like "login is not a SQL account". Looking at some other code online, it seems I need to put 'Domain\user' instead of just 'user'; I didn't prefix it with Domain\.
    – VWP.CS
    Commented Jul 29, 2022 at 2:01
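Added example (not part of the question or any comment): the script above fails because `Invoke-Command -ComputerName '.' -Credential ...` creates a WinRM session, even to localhost. Inside that session the supplied credential is a network logon, so when SqlClient tries to authenticate onward to SQL Server it has no credentials to present (the classic Kerberos double hop), and SQL sees `NT AUTHORITY\ANONYMOUS LOGON`. One way around it without touching the connection string or configuring delegation is to stay in the current process and impersonate a "network only" logon (`LogonUser` with `LOGON32_LOGON_NEW_CREDENTIALS`, the same mechanism as `runas /netonly`), so the outbound SSPI handshake to SQL uses the app pool account. The function name `Invoke-SqlAsNetworkCredential`, the P/Invoke wrapper type `Win32.Advapi`, and the `$Credential`/`$ConnStr` values are my own assumptions for illustration; this targets Windows PowerShell 5.1 on .NET Framework 4.8, where `WindowsIdentity.Impersonate()` is still available.

```powershell
# Added example, not the original poster's code. Assumes Windows PowerShell 5.1 / .NET Framework 4.8.
# Hypothetical wrapper name: Win32.Advapi (just a container for the two P/Invoke signatures).
Add-Type -Namespace Win32 -Name Advapi -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
    int logonType, int logonProvider, out IntPtr token);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

function Invoke-SqlAsNetworkCredential {
    # Hypothetical helper name. Runs $Query over an Integrated Security connection while the
    # current thread impersonates a network-only token for $Credential, so no WinRM hop is involved.
    param(
        [Parameter(Mandatory)][string]$ConnectionString,
        [Parameter(Mandatory)][string]$Query,
        [Parameter(Mandatory)][pscredential]$Credential   # DOMAIN\user form expected
    )
    $LOGON32_LOGON_NEW_CREDENTIALS = 9   # token is used for outbound network auth only
    $LOGON32_PROVIDER_WINNT50      = 3   # the only provider that supports logon type 9

    $domain, $user = $Credential.UserName -split '\\', 2
    if (-not $user) { $user = $domain; $domain = '.' }   # plain 'user' given: treat as local
    $plain = $Credential.GetNetworkCredential().Password

    # Note: a NEW_CREDENTIALS logon does not validate the password here; a bad password
    # only surfaces as a login failure when SQL Server rejects the handshake.
    $token = [IntPtr]::Zero
    $ok = [Win32.Advapi]::LogonUser($user, $domain, $plain,
            $LOGON32_LOGON_NEW_CREDENTIALS, $LOGON32_PROVIDER_WINNT50, [ref]$token)
    if (-not $ok) {
        throw [System.ComponentModel.Win32Exception]::new(
            [System.Runtime.InteropServices.Marshal]::GetLastWin32Error())
    }

    $ctx = $null
    $conn = $null
    try {
        $identity = [System.Security.Principal.WindowsIdentity]::new($token)
        $ctx = $identity.Impersonate()   # from here, SSPI on this thread uses $Credential
        $conn = [System.Data.SqlClient.SqlConnection]::new($ConnectionString)
        $cmd  = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $conn.Open()
        $table = [System.Data.DataTable]::new()
        $table.Load($cmd.ExecuteReader())
        return $table
    }
    finally {
        if ($conn) { $conn.Dispose() }
        if ($ctx)  { $ctx.Undo() }       # always drop the impersonation, even on failure
        [void][Win32.Advapi]::CloseHandle($token)
    }
}

# Usage (values are placeholders). The query asks SQL Server who it thinks we are and which
# SSPI scheme it negotiated; KERBEROS vs NTLM is visible in auth_scheme, and a failed hop
# would never get this far.
$ConnStr    = 'Data Source=MyServer;Trusted_Connection=yes;'
$Credential = Get-Credential -Message 'App pool identity as DOMAIN\user'
$verify     = 'SELECT SYSTEM_USER AS login_name, auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID;'
Invoke-SqlAsNetworkCredential -ConnectionString $ConnStr -Query $verify -Credential $Credential | Format-Table -AutoSize
```

Two practitioner notes. First, the network-only token never grants the calling user local rights as the app pool account, so this does not need "log on locally" for that account, but it does require reading the account's password in clear from whatever vault holds it; scope that secret tightly. Second, if you must keep the remoting model, the supported alternatives are to make the first hop delegable (`Invoke-Command -Authentication Credssp` after enabling CredSSP on both ends, or constrained delegation to the SQL SPN in AD) rather than to work around it with a SQL login in the connection string.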
