I have successfully created the Self Hosted Integration Runtime and it is showing up and running in ADF as well.
However when I try to create a linked service to connect to SQL database on the on prem system - I am getting the below error:
Cannot connect to SQL Database: '(localdb)\mssqllocaldb', Database: 'XXXX', User: 'XXXXX'.
Check the linked service configuration is correct, and make sure the SQL Database firewall allows the integration runtime to access.
Cannot open database "XXXX" requested by the login. The login failed.
Login failed for user 'NT SERVICE\DIAHostService'., SqlErrorNumber=4060,Class=11,State=1..
The login failed. Login failed for user 'NT SERVICE\DIAHostService'.
This is not a firewall error this is an authentication error.
You have not granted that windows user account NT SERVICE\DIAHostService access to your database.
This issue is identical to this one, which has instructions on how to solve:
Login failed for user 'IIS APPPOOL\ASP.NET v4.0'
To select data from a table in SQL Server you need three things set up:
Network connectivity (this is fine for you, otherwise you'd get a network error)
The user account granted connect access to the server / db (this is what the error is complaining about - you need to do this)
The user account granted sufficient access to select from the table (you also need to do this)
Please do the below :
Allow outbound TCP communication on port 1433 for both the Windows firewall [
Windows-firewall-setup ] and the corporate firewall [ Ports-and-firewalls ]
Configure the firewall settings of the SQL Database to add the IP address of the self-hosted integration runtime machine to the list of allowed IP addresses.
SHIR setup reference
Related
I want to connect to SQL Server with Windows authentication and create a SQL Server user.
The error I get while doing this is:
Login failed for user 'PCNAME\UserName'. Reason: The account is disabled. (Microsoft SQL Server, Error: 18470)
I also get the following error when I try to connect with PsTools:
Unable to connect: Login failed for user 'NT AUTHORITY\SYSTEM'.
Reason: The account is disabled.
What kind of process should I provide to activate the NT AUTHORITY\SYSTEM user? Or how can I act?
Thank you in advance for your help.
Well, you are trying to connect while logged on as pcname\username. If this user is not created as a Windows user in SQL Server or is disabled in SQL Server, then you will not be able to connect. What you need to do is use an authorized account to created the windows authenticated user in pcname\username in SQL Server then you will be able to connect.
As for pcname\SYSTEM, this is a built in SID that is used by services. There is no reason you could not add this as a Windows authenticated user in SQL Server.
I am trying to connect to an Azure SQL database using SSMS. I know the credentials are correct but I keep getting the error message
Login failed for user xxxxxx
I am using SQL Server authentication and I have already added my client IP address to the server in Azure.
The error is an SQL server error, so your login request is reaching the database. It is therefore not a network problem.
There is therefore something wrong with the user account or related configuration. Things it could be:
SQL Server account authentication is not turned on (Only AD authentication by default)
The user is configured with a default database, that he does not have access to
Preface: SSIS packages are deployed on SQL server, say serv1, and in these packages connections are made,using windows authentication, to another SQL server, serv2. And
I am using windows authentication, a domain account, to login on serv1
This account also has login on serv2, although through different windows group
SPN are registered for both SQL server's service accounts and delegation is ON.
auth_scheme is kerberos. Although for service accounts NTLM is being used because network layer protocol is Shared memory. And for other domain accounts kerberos, TCP is being used.
While executing these packages, they fail with error message Login failed for user 'NT AUTHORITY\ ANONYMOUS LOGON'. All solutions to this scenario point to Double Hop problem. Everywhere the solution includes the steps mentioned above. Is there anything that I am missing here.
While you could probably figure out the kerberos issue, I generally avoid the issue altogether. Here are a few ways that you might address it:
Execute the package with SQL Agent under the sql agent service account, if the service account is a Group managed service account (GMSA) or an actual domain account. A login can be created for the account on the target server. GMSA accounts provide an extra level of security - more on that here: https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview.
Execute the package with SQL Agent under a proxy account. This stores the credentials in SQL Server and is easier to do if you do not have the permissions to change the account for the sql agent service. More on setting up a proxy here: https://learn.microsoft.com/en-us/sql/ssms/agent/create-a-sql-server-agent-proxy?view=sql-server-ver15. Once the proxy account is created, you'll be able to select as an option in the sql agent job
You could change the connections to use SQL authentication, though the options above are preferred in terms of security. This would be an option if you do not have sql agent for some reason.
I have an IIS 7.0 server connecting to an SQL 2012 Database. On the SQL database I have added a number of linked servers and created a distributed partitioned view to consolidate data from the multiple linked servers. I have a common Windows account on the main server and the linked servers that is common to all (same password). Querying this view from SSMS on the SQL server works fine logged in as the common user. The application pool I am using uses this same user (also on the IIS server) to connect to the SQL server using Integrated Security. I have a simple query of SELECT SYSTEM_USER when run from IIS reports the common user. When trying to retrieve the data from the linked server view I get Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. instead of the data in the view.
Help appreciated
This is basically what is happening: If you are running Active Directory, this is the famous "double-hop" problem. Double-hop is a term used to describe Microsoft's method of maintaining Kerberos authentication credentials over two or more connections. You must configure Kerberos delegation on the AD account running the application pool so that it can forward credentials to the SQL 2012 database server. You configure this on the Delegation tab of the AD account. Without Kerberos delegation, the AD credentials are not forwarded and instead local credentials are sent by the IIS server and get denied by the SQL server. Since the SQL Server doesn't understand the local credentials of the IIS 7 server it denies it as an anonymous logon attempt. The link I provided describes the resolution to this problem in full detail and explains how to expand it out to other servers. Note that if you are not using Active Directory and only local authentication then NTLM is being used and NTLM credentials cannot be delegated off the system so authentication to the SQL server will be in the form of anonymous authentication.
MSSQL Server is in the "abc" domain and have mixed mode authentication.
I am connecting from the machine which is not in domain or in a domain "xyz" but with in the same network using MSSQL Jdbc driver 2.0. I have logged in as admin or account in xyz domain.
It works fine using following url for connection for "sa" or SQL Mode Authentication.
jdbc:sqlserver://%DB_IP%:%DB_PORT%;SelectMethod=cursor;DatabaseName=dbname
It doesn't work For window authentication using credential "MSSQLDomain\username" i.e "abc\username", using following url
jdbc:sqlserver://%DB_IP%:%DB_PORT%;SelectMethod=cursor;integratedSecurity=true;DatabaseName=dbname;
Gives following error.
Login failed for user ''. The user is not associated with a trusted
SQL Server connection.
I have tried adding property Trusted_Connection=Yes to url, but still gives same error.
I don't want to map the drive of the SQL Server. I am able to access the any shared folder of the SQL Server Machine by providing "MSSQLDomain\username" and password.
It works fine for both authentication mode, if both machine is in same domain.
If I am using jtDS Driver from the machine which is not in domain or in "xyz" domain within same network i.e same subnet, it works fine.
This is the deliberate and correct behaviour of Windows Authentication.
It is because the Domain from which you are connecting from, is not the same Windows Domain as the one where your SQL Server instance resides.
I believe there are methods for bridging the Domains so to speak, however they require custom and tricky implementation. You also will have to configure a trust relationship between the domains.
The following thread contains discussions which you will likely find useful.
http://sql-server-performance.com/Community/forums/p/24601/137574.aspx
Changing the login credentials might help,
use SQL authentication instead of nt authentication
https://support.microsoft.com/en-us/kb/555332
Symptoms
After you install Microsoft SQL Server 2014, SQL Server 2012, SQL Server 2008, SQL Server 2005, or SQL Server 2000 and you try to connect to the server that is running SQL Server, you receive one of the following error messages:
Login failed for user '%.*ls'. The login is a SQL Server login and cannot be used with Windows Authentication.%.*ls
Login failed for user ''. The user is not associated with a trusted SQL Server connection. (Microsoft SQL Server, Error: 18452)
Login failed for user ''. (Microsoft SQL Server, Error: 18456)
Resolution
This problem occurs if the user tries to log in with credentials that cannot be validated. This problem can occur in the following scenarios:
Scenario 1:
The login may be a SQL Server login but the server only accepts Windows Authentication
To resolve this issue, configure SQL Server in Mixed Authentication Mode.
Scenario 2:
You are trying to connect by using SQL Server Authentication but the login used does not exist on SQL Server
To resolve this issue, verify that the SQL Server login exists. For more information, see Create a login in SQL Server Books Online.
Scenario 3:
The login may use Windows Authentication but the login is an unrecognized Windows principal
An unrecognized Windows principal means that Windows can't verify the login. This might be because the Windows login is from an untrusted domain. To resolve this issue, verify that you are logged in to the correct domain.
I have been involved with making a SQL server connection cross to domains like that, and it is exceptionally painful. In order to use credentials from another domain, the domain where you are assigning the permissions has to trust the domain, where the account is coming from. IT Pro's are generally VERY reluctant to trust another domain in this manner, and for good reason, so if this trust relationship has not been established it might not be very likely to convince the admins to do this.
Once you have the trust relationship established, you will probably need to register the SPN's for your SQL server in Active Directory, and assign delegation permissions. This type of environment is very difficult to setup, troubleshoot and maintain.
I hope that there is some other way that you can do this, because it sounds like you are headed for a very difficult scenario.
Hope it helps
Rihan