Related
I am attempting to connect my Bamboo instance to SQL Server, but I am unable to do so because of the error Login failed for user 'Bamboo'. Investigation into the log files shown in the location
C:\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Log\ERRORLOG
throws an error that I should not be getting at this stage of my attempted login. Server is configured for Windows authentication only. Currently able to login using same SQL Server credentials to access the database, just not via Bamboo.
The reason why this should not happen is because my server is already set up to do so, and I will list all of the steps that I have taken to prevent this error. In my localhost SQLEXPRESS server I have checked SQL Server and Windows Authentication mode. Once I restarted SQL Server, this worked as I was able to log in with the credentials that I added to a user called Bamboo.
The user I added is mapped to the database called BambooDatabase as a db_owner. The number of concurrent users is unlimited and I have tried disconnecting from SQL Server just to check if that was a problem, but still no difference. I added 2 more users with connect access and mapped to BambooDatabase.
I have went to the SQL Sever Configuration Manager and enabled TCP/IP and made sure that the IP addresses was pointing to 1433. And then configured my firewall to all access to 1433 as well. The fact that my error logs for SQL Server are appearing makes this seem that everything should be fine here. So with tested 3 users on SQL credentials everyone logged in successfully and all have the relevant permissions needed. All three gave the same error when trying to connect from Bamboo.
I am trying to connect to Bamboo like this:
Direct JDBC connection.
Driver class name: net.source.jtds.jdbc.Driver
Database URL: jdbc:jtds:sqlserver://localhost:1433;DatabaseName=BambooDatabase
User name: Bamboo
Password: SQL Server password
Checked overwrite existing data
Then once I click continue the log in error throws. Have I missed something here, I cannot see what I could do differently, I have tried to connect to SQL Server from Bamboo several different ways but have had no success. I am using SQL Server Express and the Bamboo version 5.11.3, I am testing upgrading from 5.11.3 to 5.15 with larges amounts of data which is why I am using that version.
Error from Bamboo is:
Error accessing database: java.sql.SQLException: Login failed for user 'Bamboo'.
Error from SQL logs is:
Login failed for user 'Bamboo' Reason: An attempt to login using SQL authentication failed. Server is configured for Windows authentication only. [CLIENT: 127.0.0.1]
Are you running Bamboo en SQLExpress on the same machine? If not, you should look into the remote access configuration.
In the SQL Sever Configuration Manager, make sure that you entered 1433 for the IPAll entry as well. And start the SQL Browser service for good measure, this is especially important when using a names instance, but going after the errorlog folder you copy/pasted, that's not the case.
For testing purposes, you might want to disable the firewall all together and reactivate is after you get the connection up.
Another thing to try if you're connecting on the same machine, is use the loopback address 127.0.0.1 instead of the localhost alias.
I'm having to support multiple database types for my tenant-enabled web application. Among others, I have successfully supported Microsoft's SQL Server, by using the net.sourceforge.jtds.jdbc.Driver class with a connection String like "jdbc:jtds:sqlserver://192.168.1.189:1433/ApplicationName". This works, but it requires that the user explicitly defines a user in the SQL Server instance and enables SQL Server authentication.
Now, inevitably, requirements changed, and we're supposed to support connecting to SQL Server via Windows Authentication. Evidently this requires some sort of change to the connection string, since the data base server must somehow be able to distinguish whether the credentials passed into the data base connection are for a user defined in the SQL Server installation or in the Windows OS. But what is it?
Acting on advice from the internet, if progressed as far as extending the connection string with ;useNTLMv2=true;domain=WORKGROUP. That seems to make the data base server aware that I want to authenticate as a Windows user, but the actual log-in fails with
The login is from an untrusted domain and cannot be used with Windows authentication. (code 18452, state 28000)
Now im my testing set-up, both the J2EE app and the SQL server instance are in fact on the same machine (although in production they may not be), and still this computer isn't trusted enough to log on to itself? Evidently I'm missing a big part of the puzzle here. What does one have to do to convince an SQL Server instance that the user who started it can in fact log on to it via JDBC?
Edit
Since we have already sunk too much unsuccessful effort trying to integrate our web application with a full Microsoft infrastructure stack (SQL Server, Active Directory, Domain Name Service...), I have to restrict this question:
Does anyone know a way to access an SQL Server installation with a user account defined as a "Windows User" via JDBC form a J2EE application, without having to use Active Directory, a Windows machine running the web application and a proprietary DLL? The bounty is for any solution of that sub-problem. The entire problem is clearly too broad to be answered in one forum post.
I ran into the error
The login is from an untrusted domain and cannot be used with Windows
authentication
when a 2012 SQL Server DB instance was recently upgraded to 2016. In order to use AD based authentication with the JTDS driver and SQL Server 2016, it seems necessary to specify both the useNTLMv2=true and the domain=example.com suffix in order to establish a connection. The name of the domain is absolutely necessary and I confirmed that through testing. This is with JTDS driver version 1.3.1.
Example of a working connection string using AD based authentication to SQL Server 2016 DB with JTDS 1.3.1:
jdbc:jtds:sqlserver://sqlserver2016db.example.com/MY_DB_NAME;domain=example.com;prepareSQL=2;useNTLMv2=true
UPDATE
Recently (due to the pandemic lockdown), I found myself also having to connect to SQL Server using Windows authentication from a non-domain computer (over VPN). This can be accomplished by starting the Windows process initiating the SQL Server connection, e.g. Eclipse / Spring Tool Suite, with the following command:
C:\Windows\System32\runas.exe /netonly /user:domain\user "path_to_executable.exe"
Source: https://www.mssqltips.com/sqlservertip/3250/connect-to-sql-servers-in-another-domain-using-windows-authentication/
In discovering that gem, I also discovered that encryption needed to be used. Here are the settings I'm using (in addition to now running the executable with /netonly and a domain account):
spring.datasource.url=jdbc:jtds:sqlserver://fqdn_of_server_including_domain/DBNAME;domain=mydomain;useNTLMv2=true;ssl=require;prepareSQL=2;
spring.datasource.username=domainaccountname_without_domain_prefix
spring.datasource.password=password
spring.datasource.testOnBorrow=true
spring.datasource.hikari.connection-test-query=SELECT 1
spring.jpa.database-platform=org.hibernate.dialect.SQLServerDialect
What you describe certainly appears to be feasible. I have SQL Server 2008 R2 Express running on a stand-alone server and I was able to connect using a Windows username/password on that server via jTDS 1.3.1 from a separate Windows machine and from an Xubuntu 14.04 box.
On the machine running SQL Server I created a Windows user named 'kilian'. In SQL Server itself I created a SQL Login for NT AUTHORITY\Authenticated Users. Then in the database (named 'myDb') I created a User named 'AuthenticatedUsers' for that SQL Login. Just to keep things simple I gave that user db_owner rights on the database.
There is no SQL Login for 'kilian' and no database User with that name.
Then, from the other two machines (the Windows workstation and the Xubuntu box) I just ran this:
package com.example.jtdstest;
import java.sql.*;
public class JtdsTestMain {
public static void main(String[] args) {
try (Connection con = DriverManager.getConnection(
"jdbc:jtds:sqlserver://192.168.1.137:52865/myDb" +
";domain=whatever",
"kilian",
"4theBounty")) {
try (Statement s = con.createStatement()) {
String sql = "SELECT LastName FROM Clients WHERE ID=1";
try (ResultSet rs = s.executeQuery(sql)) {
rs.next();
System.out.println(rs.getString("LastName"));
}
}
} catch (Exception e) {
e.printStackTrace(System.out);
}
}
}
Additional notes:
I did not have to include useNTLMv2=true. I was able to connect with or without that parameter.
I did have to include domain= to tell the SQL Server not to use SQL authentication, but the actual value I supplied made no difference. (I literally used 'whatever', which was not the name of the server or the name of the workgroup to which it belongs.)
Alternative Method
The alternative solution is to utilize integrated security. This enables your application to connect to the database as the user in which the application is currently running as. This is enabled by adding integratedSecurity=true; into the connection string properties. If you run into any trouble, make sure the sqljdbc_auth.dll is accessible via classpath or within your app library.
Security Note
You're probably already aware, but just have to say make sure not to grant access to "Authenticated Users" to your database as previously suggested as part of the demonstration. Identify which user account your application runs as and grant access to only that specific user in your database server.
Sources / Additional Info
MSDN Doc on JDBC Connection String Configuration (http://technet.microsoft.com/en-us/library/ms378428(v=sql.110).aspx)
The main problem is the windows authentication with a full java solution (no DLL). So you could use one of the libs below:
NTLM authentication: http://ioplex.com/jespa.html
spring based Kerberos authentication: http://projects.spring.io/spring-security-kerberos/
another integrated windows auth lib is SPNEGO (don't know much about this one)
So once your app is authenticated with one of the lib above, your JDBC should run fine using "integratedSecurity=true;" and if needed "authenticationScheme=JavaKerberos".
Firstly you should write the jdbc connection like this:
String url ="jdbc:sqlserver://PC01\inst01;databaseName=DB01;integratedSecurity=true";
then
you need to enable the SQL Server TCP/IP Protocol in Sql Server Configuration Manager app. You can see the protocol in SQL Server Network Configuration.
I can see two possibilities,
1. You are using a local system account which the server won't understand
In this case, switch to a domain account.
Windows authentication has different credential requirements and you might not be meeting those.
In this case try changing the password to match the requirements.
It is very well possible that both are happening.
see this other SO post that describes how to connect to a SQL Server with Windows Authentication from a Linux machine through JDBC
This is my NiFi setup for jTDS driver:
Database Connection URL: jdbc:jtds:sqlserver://192.168.1.189:1433;DOMAIN=domain_name
I didn't need to add useNTLMv2=true, but most people need to, so if it doesn't work you can try also:
jdbc:jtds:sqlserver://192.168.1.189:1433;DOMAIN=domain_name;useNTLMv2=true
Database Driver Class Name: net.sourceforge.jtds.jdbc.Driver
Database User: domain_user_name (**without** #domain)
Password: domain_password
Validation query: select 1
One of the possible reasons for this error to appear is when you configure you data source to use windows authentication and SQL Server is using Extended Protection mode together with SSL (i'm not sure if SSL is required though). This mode requires the client to send additional information - signed service principal name (SPN) and channel binding token (CBT). See more information about Extended Protection Mode here. Currently both JTDS JDBC and Microsoft JDBC drivers do not support this mode. I couldn't find an official statement from JTDS, but there is an open ticket for Microsoft drivers.
In order to configure Extended Protection mode, go to SQL Server Configuration Manager, select properties on SQL Server Network Configuration -> Protocols for %your instance% and change Extended Protection option.
I am trying to host a SQL server database, but whenever I try to connect to it I get this error:
The login is from an untrusted domain and cannot be used with Windows
authentication
I am connecting through Matlab using the following command:
conn = database('Clinical_Data','DoyleLab07\Acc','','com.microsoft.sqlserver.jdbc.SQLServerDriver','jdbc:sqlserver://DOYLELAB07\SQLEXPRESS:54287;database=Clinical_Data;integratedSecurity=true;').
Connecting to the database using matlab worked fine as long as I was using matlab on the computer which I was using to host the server. However, when I use another computer and the same Matlab command I get the error I showed above.
When I look under control panel\system. I notice that no domain is listed on my host PC or the PC I am using to connect to the host, but both computers are in the same workgroup. Would I be able to fix my problem by creating a domain and adding the foreign PC and the host to that domain? If so, how can this be accomplished?
Any suggestions will be very much appreciated.
Thank you for reading my post.
Getting rid of Integrated Security=true worked for me.
In order to use Windows Authentication one of two things needs to be true:
You are executing from the same machine as the database server.
You have an Active Directory environment and the user the application is executing under (usually the logged in user) has rights to connect to that database.
If neither of those are true you have to do one of two things:
Establish a Windows Domain Controller, connect all of the relevant machines to that controller, then fix SQL server to use domain accounts; OR,
Change SQL server to use both Windows and SQL Server accounts.
By FAR the easiest way is to change SQL Server to use both Windows and SQL server accounts. Then you just need to create a sql server user on the DB server and change your connection string to do that.
Best case option 1 will take a full day of installation and configuration. Option 2 ought to take about 5 minutes.
If your SQL Server is on one domain controller and you are trying to connect to it from another domain controller then you will get this error when
IntegratedSecurity = true;
This will happen even if you include a valid SQL Server username and password in your connection string as they will automatically be over-written with your windows login and password. Integrated security means simply - use your windows credentials for login verification to SQL Server. So, if you are logged in to a different domain controller then it will fail. In the case where you are on two different domain controllers then you have no choice but to use
IntegratedSecurity = false;
Now, when Integrated security is false SQL Server will use the SQL Server login and password provided in your connection string. For this to work, the SQL Server instance has to have its authentication mode configured to mixed mode, being, SQL Server and Windows Authentication mode.
To verify or change this setting in SQL Server you can open the SQL Server Management Studio and right-click on your server name and then select Properties. On the pop-up that appears select Security and you will see where to alter this setting if you need to.
I've had this same issue when using DNS aliases and hosts files to connect to a machine using a different domain name.
Say you have a SQL server called sql1 on mydomain.com - which is an Active Directory domain - and you also have a DNS zone for mydomain.net, and - for consistency - you set up a DNS alias (CNAME) record for database.mydomain.net --> sql1.mydomain.com
You'll be able to connect to sql1.mydomain.com using Windows integrated security, but won't be able to connect to database.mydomain.net even though it's the same server because the domain name doesn't match your AD domain.
This error message can also occur if the account you are using to access the SQL server is locked out by the domain.
I was facing the issue while connecting to SQL Always On Listener. Disabling the loop back check resolved the issue.
Edit the registry using regedit. (Start –> Run > Regedit )
Navigate to: HKLM\System\CurrentControlSet\Control\LSA
Add a DWORD value called “DisableLoopbackCheck”
Set this value to 1
https://blog.sqlauthority.com/2017/04/18/sql-server-login-failed-login-untrusted-domain-cannot-used-windows-authentication/
Why not use a SQL Server account and pass both the user name and password?
Here is the reason why.
In short, it looks like you have an authentication issue.
The problem with workgroups is there is no common Access Control List like Active Directory (AD). If you are using ODBC or JDBC, the wrong credentials are passed.
Even if you create a local windows account (LWA) on the machine (SE) that has SQL Express installed (SE\LWA), the credentials that will be passed from your client machine (CM) will be CM\LWA.
As mentioned here, you might need to disable the loopback
Loopback check can be removed by adding a registry entry as follows:
Edit the registry using regedit. (Start –> Run > Regedit )
Navigate to: HKLM\System\CurrentControlSet\Control\LSA
Add a DWORD value called “DisableLoopbackCheck” Set this value to 1
If you using windows authentication make sure that password of the user hasn't expired. An expired password can explain this error. This was the problem in my case.
Same Error with Connection String in Visual Studio dev environment
Our development database server was recently given a self-signed certificate so it automatically became untrusted. This resulted in the login error cited above. I added TrustServerCertificate=True to my connection string and it works now.
"Server=TheServerAddress; Database=TheDataBase; User Id=TheUsername; Password=ThePassword; TrustServerCertificate=True"
NOTE: This certificate configuration is not recommended for production environments.
In my case the Aliases within SQL Native Client 11.0 Configuration were pointing to invalid server/IP. Once updated it worked correctly.
To check:
1. Start "SQL Server Configuration Manager"
2. Navigate to "SQL Native Client 11.0 Configuration" and then "Aliases"
3. Ensure "Alias Name" and "Server" match correctly for TCP/IP
Following worked for me to get access from another machine to SQL Server using Windows Authentication. This approach may be useful only in development/test environment. E.g. you need to update password manually once you change it on your working machine.
On machine with SQL Server go to Control Panel and add new Windows User with same username and password as is on your working machine. Then create SQL Server login for this user:
CREATE LOGIN [SQLSERVERHOST\myuser] FROM WINDOWS;
Now you can use this login for Windows Authentication.
If you receive error 'The login is from an untrusted domain', this may mean that you changed password on your working machine and now need to update password on SQL Server machine.
Just adding my suggestion for a resolution, I had a copy of a VM server for developing and testing, I created the database on that with 'sa' having ownership on the db.
I then restored the database onto the live VM server but I was getting the same error mentioned even though the data was still returning correctly. I looked up the 'sa' user mappings and could see it wasn't mapped to the database when I tried to apply the mapping I got a another error "Fix: Cannot use the special principal ‘sa’. Microsoft SQL Server, Error: 15405". so I ran this instead
ALTER AUTHORIZATION ON DATABASE::dbname TO sa
I rechecked the user mappings and it was now assigned to my db and it fixed a lot of access issues for me.
Joining a WORKGROUP then rejoining the domain fixed this issue for me.
I got this error while using Virtual Box VM's. The issue started to happen when I moved the VM files to a new drive location or computer.
Hope this helps the VM folks.
We now use a privileged account management solution that changes our passwords regularly. I ended up receiving this error after my password was changed. Closing and re-opening SSMS with the new password resolved my issue.
I started to get this error when i tried to login to SSMS using 'windows Authentication'. This started to happen after i renamed the Windows SQL server. I tried everything to resolve this error and in my particular case changing the machine names in the 'hosts' file to reflect the name SQL server name change resolved the issue. C:\Windows\System32\Drivers\etc\hosts
I had this problem because we where using a DNS name from an old server, ponting to a new server. Using the newserver\inst1 address, worked. both newserver\inst1 and oldserver\inst1 pointed to the same IP.
Yet another thing to check:We had our nightly QA restore job stop working all of a sudden after another developer remoted into the QA server and tried to start the restore job during the middle of the day, which subsequently failed with the "untrusted domain" message. Somehow the server pointed to be the job's maintenance plan was (changed?) using the ip address, instead of the local machine's name. Upon replacing with the machine name the issue was resolved.
TLDR: Changing the DNS server to the loop back address worked for me.
I am working in VirtualBox and had setup two Windows Server 2016 instances. Server A is configure as a Domain Controller and Server B as an SQL Server. After adding Server B to the domain I cold not connect to with Management Studio from Server A. I was getting the "The login is from an untrusted domain and cannot be used with Windows authentication".
My initial configuration had the server getting its IP from the VirtualBox DHCP server.
I changed this to use static IP and entered the 127.0.0.1 address in the Primary DNS and this worked for me.
Hope this helps someone passing by.
I enabled Trust Server Certificate in the Connection Properties and it worked for me
You might find out that you have more than one connection string, and you forgot to change the other one to Integrated Security to false. It happened to me. This answer might help someone.
I was focusing on the web config and the access rights, after a long hustle i remembered that I have another connection string in one of my classes for the emails, I had to change the connection string on the class to use the web config one.
i removed Integrated Security=true and Trusted_Connection=True both of them , worked for me..
In .net Core also you may get this error if Trusted_Connection=True;
Is set. Sample setting in appsettings.json
ConnectionStrings": {
"DefaultConnection": "Server=serverName; Database=DbName; uid=userId; pwd=password; MultipleActiveResultSets=true"
},
Sometime SSMS hang and close all of sudden ,then you get below error when you reconnect to SSMS
i) The Login is From an Untrusted Domain and Cannot be Used with Windows Authentication
OR
ii) The target principal name is incorrect .Cannot generate SSPI context.
In both cases RESTART YOUR MACHINE.
I also had a similar error but then I realised I just had changed the password for my system which caused this error.
To resolve it , I simply logged out of the current session and logged in again and this time
Please Use This Connection URL It's Work Fine
"Data Source=Your IP Address;Initial Catalog = DatabaseName;User ID =sa;Password =your PassWord;TrustServerCertificate=True"
Example : "Data Source=192.168.150.122;Initial Catalog=StudentDb;User ID=sa; PassWord=123;TrustServerCertificate=True"
If you have two servers on the same domain (eg. APP and DB), you can also use Windows Authentication between the app and MSSQL by setting up local users on both machines that match (same username and password). If you don't have the passwords matched up, it can throw this error.
Following was working for me. hope this helps you
<add name="getconn" connectionString="Data Source=servername;Initial Catalog=DBName;Persist Security Info=True;User ID=sa;Password=***" />
I've been trying to connect to SQL Server using SQL Server Management Studio to no avail.
This is what the error says:
Cannot connect to .\HAMED.
ADDITIONAL INFORMATION:
Login failed for user 'HAMED'. (Microsoft SQL Server, Error: 18456)
I have an instance of SQL Server by the name of Hamed which is run in Network Sevice mode. I'm using Windows 7.
I'm guessing you didn't grant yourself SQL admin during the install, but are you sure the DB instance is "HAMED"? That sounds like the machine name. Try connecting to .\sqlexpress
Do you remember the SA password? If so, you can add yourself by logging in with that account. Otherwise, you'll have to jump through some hoops and loops to get yourself added.
If you forgot to add yourself to the SQL admin group, read this article:
http://blogs.ameriteach.com/chris-randall/2009/12/11/sql-server-2008-forgot-to-add-an-administrator-account.html
It looks like you're trying to use "SQL Server Authentication" in the login dialog in SSMS, but the user that you're trying to use is a Windows user/administrator? If so, the fix should be as simple as choosing "Windows Authentication" in the drop-down.
UPDATE: looks like I jumped the gun - this sql server forum thread lists lots of possible issues, including permissions issues, orphan users, etc.
sa... the answer was sa.
I had set the administrative password but didn't know the username to go with it. Very nube, I know, you can hit me with it later.
When I installed SQL it asked me to set administrative password - right now SSMS can login.
Under users I see 1\cory (1 is my machine name - I'm trying a numbering scheme). But if I type that in it fails with the error. SQL says "no, that's an NT login, I can't use those".
Under the users list SQL does in fact show the user as Windows authentication but as I said - for some reason I can't connect using Windows authentication. The connection times out.
I'll just add a direct user name here.
All this is to do the MSVA courses for SQL certification. First exam: get sql SSMS to work.
I am trying to connect to SQL Server 2008 from a remote server using 'sa' username and its password (I can log in normally with this username and password from my own computer - so "SQL Server and Windows authentication mode" is chosen).
In the SQL Server log file on my computer I see this error:
Login failed for user 'sa'. Reason: An attempt to login using SQL
authentication failed. Server is configured for Windows authentication
only.
I thought it might be a remote connection problem, so I checked that the remote connection in the properties is enabled, in the configuration manager I enabled TCP/IP and Shared Pipes and restarted the service afterwards and I created a firewall rule for port 1433. I also tried to turn off the firewall in case that it is being blocked somehow, but I got the same error.
How this error appears only when accessing SQL Server from a remote server?
How can I fix it?
From the SQL Server management studio, right click on your server (after connect) in the Object Explorer window and choose Properties.
On Security item, make sure that SQL Server And Windows Authentication mode is selected.
The most obvious solution for me seems to allow SQL Server authentication on the server if it's really necessary to use sa for access (what it should not normally).
To answer the "why" we need more information. Which program do you use to access the server. Is the connection string really identical for both accesses?
Just guessing: From your local machine you use integrated security=true somehow (which causes user and password to be ignored), and your local windows user is allowed to access the server. From remote you use integrated security=false so that you can't logon using user/password, as the server is configured to only accept Windows authentication.
I had the exact same problem today. I was not able to connect to SQL server remotely using username/password, but it worked with windows authentication, and logging in locally also worked.
The reason it didn't work here was that I was using a password that was too short on the sa user. Apparently it does enforce password policy if logging on locally, but remote connections are blocked.
You can either change the password to a longer/more complex one, or disable the password policy enforcement for the sa user.
Short how-to:
In SQL Server Management Studio, open Security -> Logins, find "sa" -> Properties -> Change password or uncheck this box:
In my situation, I have SQL Server 2008 and SQL Server 2012 installed. So, in server name field, I need a concrete name (for example: 10.141.133.125\SQLServer2012). That's it!
Hope this useful for you!