Re: Which account on SQL 2005 web sync via https
- From: Kyle Brockmann <kyle[dot]brockmann[at]nirph[dot]com>
- Date: Thu, 24 Jul 2008 06:48:01 -0700
A few points you may need to be aware of:

The Default Domain and Realm fields in the IIS Directory Security section of
the Virtual Folder/Site you are using to host replisapi.dll must be set to
the System Name of the system you are running IIS on.

I'm led to believe from your post that the system you are hosting IIS on is
not a member of the domain that SQL Server is running on. Web Replication was
intentionally designed with the idea that IIS can be running on a separate
system to the one hosting the Database engine. replisapi.dll uses the SQL
Native Client to establish a connection to the database engine.

The following should give you an overview of the permissions required for
the local account you specify for the connection to operate under - pay
special attention to the NTFS section:
----
Web Service Extension 'SQL Server' will be enabled with the following options:
Add 'C:\Inetpub\wwwroot\replication\replisapi.dll' to the enabled file list
of the Web Service Extension.
'WEBREPL, Kyle' will get the following NTFS permission:
'Read & Write' on physical path 'C:\Inetpub\wwwroot\replication'.
'Read & Execute' on the ISAPI DLL
'C:\Inetpub\wwwroot\replication\replisapi.dll'.
'Read' on share physical path '\\servername\replication'.
'Read' on the share '\\servername\replication'.
------
The access denied message you are receiving is not for access to
replisapi.dll - to get just "Access Denied" in black letters in a browser
means that the ISAPI extension already has permission to execute, but the
principal it is executing under cannot access the SQL server or the folder
hosting your snapshot.

Read the section entitled "Web Synchronization" at the bottom of the
following:
http://msdn.microsoft.com/en-us/library/ms147881.aspx

It leads me to believe that the Basic Authentication user and password are
passed in clear text via the extension to the domain hosting the SQL Server;
which implies that the same credentials are used to access the database. The
words "Because of the limitations of Windows impersonation..." should be of
particular interest to you.

Good luck.

"gstar" wrote:
> Thanx Kyle, that is exactly my issue though, I can't add an account
> that doesn't exist!...
>
>> Well - to take a stab in the dark on this one, it seems the account you are
>> using to invoke replisapi.dll does not have sufficient privileges.
>
> Correct, it doesn't have privileges because it's not in the same
> domain..
>
>> Be sure to use only basic authentication, and ensure that the login you're
>> using has permission to access the UNC file share you are using to expose
>> your snapshot.
>
> Same as above, how can I give an IIS user access privileges on a sql
> server in a different domain?
>
>> In my experience, the Replicator Authentication Group only has sufficient
>> permissions when you are running in a domain environment.
>> Although it's very bad security practice in your case, circa the manual, we
>> used an Administrators Group member over a secure connection.
>
> Again as above..I need to find out how others have added a non domain
> account to the snapshot folder. Sorry if I have misread, but have you
> achieved this in the same environment? If so could you maybe explain
> just the process of how you set up your accounts in IIS & SQL and then
> assigned them to snapshot folder?
> Thanx again..
> G
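
The NTFS entries listed in the summary inside the message above can be audited with a short PowerShell check. This is an added example, not part of the original thread. It assumes the account name `WEBREPL\Kyle` as a reading of 'WEBREPL, Kyle', and it inspects only ACL entries naming that account directly (not rights granted through groups, and not share-level permissions).

```powershell
# Added example: audit the NTFS entries from the summary in the post.
# Assumption: 'WEBREPL\Kyle' is the local account used for Basic
# Authentication (an assumed reading of 'WEBREPL, Kyle' in the post).
$Account = 'WEBREPL\Kyle'

# Path -> minimum rights, taken from the summary in the message.
$Required = @(
    @{ Path = 'C:\Inetpub\wwwroot\replication';               Rights = 'Read, Write' },
    @{ Path = 'C:\Inetpub\wwwroot\replication\replisapi.dll'; Rights = 'ReadAndExecute' },
    @{ Path = '\\servername\replication';                     Rights = 'Read' }
)

function Test-DirectAccess($Path, $Identity, $RightsText) {
    $needed  = [int][System.Security.AccessControl.FileSystemRights]$RightsText
    $allowed = 0
    $denied  = 0
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    foreach ($ace in (Get-Acl -Path $Path -ErrorAction Stop).Access) {
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        # Inherit-only entries apply to children, not to this object.
        if ($ace.PropagationFlags -band $inheritOnly) { continue }
        if ($ace.AccessControlType -eq 'Allow') {
            $allowed = $allowed -bor [int]$ace.FileSystemRights
        } else {
            $denied = $denied -bor [int]$ace.FileSystemRights
        }
    }
    # A Deny entry wins over Allow for any overlapping right.
    $effective = $allowed -band (-bnot $denied)
    return (($effective -band $needed) -eq $needed)
}

foreach ($r in $Required) {
    try {
        $ok = Test-DirectAccess $r.Path $Account $r.Rights
        $status = if ($ok) { 'OK' } else { 'MISSING' }
    } catch {
        # Path not reachable or ACL not readable from this session.
        $status = 'ERROR'
    }
    '{0,-8} {1}  (needs {2})' -f $status, $r.Path, $r.Rights
}
```

Run it on the IIS host from a session that is allowed to read those ACLs. A `MISSING` line on the replication folder or the snapshot share path matches the "Access Denied" case the post describes, where the DLL executes but its principal cannot reach the snapshot.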