Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

PRB: 80004005 ConnectionOpen (CreateFile()) Error Accessing SQL


View products that this article applies to.

Symptoms

When you try to open a connection to a Microsoft SQL Server database from an Active Server Pages (ASP) page, you get the following error:
Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC SQL Server Driver][dbnmpntw]ConnectionOpen
(CreateFile()).

NOTE: This article assumes SQL Server is using standard security.

↑ Back to the top


Cause

Microsoft Windows NT Server is denying access to the SQL Server. This error can be caused by the way Users, Groups, Rights, and Permissions are configured. Specifically, Microsoft Internet Information Server (IIS) does not have permissions to open a Named Pipe connection to the SQL Server.

↑ Back to the top


Resolution

If the ASP page was accessed anonymously, then the Windows NT/SQL Server computer needs to be able to authenticate the anonymous logon account. To do this use one of the following methods:
  • Duplicate the anonymous account as a local account on the Windows NT/SQL Server computer with an identical name and password. To determine which account is used by IIS, open the WWW Properties dialog in the Internet Service Manager. The default account used is IUSR_<machinename>
  • Change the anonymous user on the IIS computer to be a domain account so that the Windows NT/SQL computer can verify this account against the domain controller. To change which account is used, open the WWW Properties dialog box in the Internet Service Manager. Change the Anonymous Logon Username and password. Make sure the Username refers to a domain account (for example, Northamerica\JohnSmith).
If the ASP page requires authentication and any of the following is true, the error involves a Windows NT delegation issue where the security credentials are lost:
  • The ASP page was accessed using Windows NT Challenge/Response, and SQL is on a different computer.
  • The SQL Server is on the same computer as IIS and the server name is specified as opposed to selecting Local.
  • The DSN has the "Trusted Connection" check box selected, and the SQL computer is set up to use Named Pipes.
To resolve this, use one of the following methods:
  • If IIS and SQL are on the same computer, select (local) instead of the server name, when you create the DSN. Also, ensure that "trusted connection" is not selected.
  • If IIS and SQL are on separate computers, ensure that TCP/IP sockets are used to access the Windows NT/SQL computer. When Named Pipes are used to access the SQL Server, IIS tries to impersonate the authenticated user, but it does not have the ability to prove its identity. By using TCP/IP sockets, the connection between SQL and IIS is not authenticated. To enable TCP/IP sockets, run the SQL Server Setup program and select TCP/IP sockets under the Change Network Support option. You may also need to run the SQL Client Configuration Utility on the IIS computer and change the Net Library from Named Pipes to TCP/IP sockets. To start the SQL Client Configuration Utility, follow these steps:
    1. Click Start, and then click Run.
    2. In the Open box, type cliconfg.exe, then click OK.
  • You can also avoid this delegation issue by choosing to authenticate via Basic (Clear Text). This will give IIS the information needed to impersonate the authenticated user to the SQL Server. Be aware that with this authentication method, passwords are transmitted across the network, and could be stolen. To change to Basic authentication, open the WWW Properties dialog box from the Internet Service Manager, and select Basic (Clear Text), and clear the Windows NT Challenge Response check box.

↑ Back to the top


Status

This is by design.

↑ Back to the top


More information

When you authenticate a user with Windows NT Challenge Response, the user needs the Access this Computer from Network right. When you authenticate a user with Basic (Clear Text), the user needs the Log on Locally right.

To set these rights:
  1. Open User Manager.
  2. Select User Rights from the Policies menu.
  3. Select which right you want to change from the drop-down menu, then select which users or groups have this right.

↑ Back to the top


References

For additional information, please see the following articles in the Microsoft Knowledge Base:
166029 PRB: Cannot Open File Unknown Using Access

174811 FILE: Authentication and Security for Internet Developers
For the latest Knowledge Base articles and other support information on Visual InterDev and Active Server Pages, see the following page on the Microsoft Technical Support site:

↑ Back to the top


Keywords: kbsecurity, kbaspobj, kbcode, kbdatabase, kberrmsg, kbprb, KB175671

↑ Back to the top

Article Info
Article ID : 175671
Revision : 7
Created on : 5/2/2006
Published on : 5/2/2006
Exists online : False
Views : 577