I'm using Django and mssql-django backend to connect to SQL Server.
No problems to connect to SQL Server when using sql login. But, when I try to connect using AD user, I get exception:
django.db.utils.InterfaceError:
('28000', "[28000] [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]
Login failed for user 'DOMAIN\\myuser'. (18456) (SQLDriverConnect);
[28000] [Microsoft][ODBC Driver 17 for SQL Server]Invalid connection string attribute (0);
[28000] [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Login failed for user 'DOMAIN\\myuser'. (18456);
[28000] [Microsoft][ODBC Driver 17 for SQL Server]Invalid connection string attribute (0)")
My database settings in settings.py are:
DATABASES = {
'default': {
'ENGINE': 'mssql',
'NAME': os.environ.get('DB_NAME', 'djangodb'),
'USER': os.environ.get('USER', 'DOMAIN\myuser'),
'PASSWORD': os.environ.get('USER_PASS', 'mypass'),
'HOST': os.environ.get('HOST', 'server.blabla.net'),
'PORT': '',
'OPTIONS': {
'driver': 'ODBC Driver 17 for SQL Server',
},
},
}
What I am doing wrong?
Active Directory (AD) users can't be specified as the USER in the connection string if attempting to authenticate using Windows Authentication (Trusted Connection/Integrated Security [SSPI])
It is possible to authenticate using this method but you would need to use Kerberos to authenticate against AD in order to receive the appropriate credentials that the driver can use to authenticate with.
In your Django DATABASES options specify, please note the Encrypt=yes option may not be necessary for your instance, but if using the 18 Driver, I find it is necessary, especially if using an unencrypted connection.
"OPTIONS": {
"driver": "ODBC Driver 18 for SQL Server",
"extra_params": "Encrypt=yes;Trusted_Connection=yes",
},
Deploying a Linux or macOS ODBC Driver Application Designed to Run as a Service
Deploying a Linux or macOS ODBC Driver Application Designed to Run as a Service
A system administrator can deploy an application to run as a service that uses Kerberos Authentication to connect to SQL Server.
You first need to configure Kerberos on the client and then ensure that the application can use the Kerberos credential of the default principal.
Ensure that you use kinit or PAM (Pluggable Authentication Module) to obtain and cache the TGT for the principal that the connection uses, via one of the following methods:
Run kinit, passing in a principal name and password.
Run kinit, passing in a principal name and a location of a keytab file that contains the principal's key created by ktutil.
Ensure that the login to the system was done using the Kerberos PAM (Pluggable Authentication Module).
When an application runs as a service, because Kerberos credentials expire by design, renew the credentials to ensure continued service availability. The ODBC driver does not renew credentials itself; ensure that there is a cron job or script that periodically runs to renew the credentials before their expiration. To avoid requiring the password for each renewal, you can use a keytab file.
Also of interest would be looking at the source code in mssql-django, which will give more insight into what options are selected when connecting to a SQL Server instance. mssql-django: base.py
Check this related SO question: Connection string using Windows Authentication
Related
I want my normal (role public) user123 (SQL Auth, not PAD, not sysadmin) to login to SQL Server 2019 (Developer version).
I have SQL Server and Windows Authentication mode.
I have protocols in SQL Server Network Configuration enabled
(TCP/IP, Local Machine, Named Pipes).
App connecting to DB is written in Visual Studio cpp, with SQLDriverConnect() function.
And I still get this error:
Login failed for user 'user123'. Reason: Login-based server access validation failed with an infrastructure error. Login lacks connect endpoint permission. [CLIENT: 127.0.0.1]
Error: 18456, Severity: 14, State: 149.
When I give user123 sysadmin role, then he connects. But I don't want him to be sysadmin. In fact, I want two separate application to connect to the database with user123 credentials as standard public user. But actually even one application can't connect.
There's a list of permissions:
List of DB permissions
Any help and suggestions highly appreciated.
SOLUTION FOUND: Port in SQLDriverConnect() function shall be 1433 (default SQL instance) not 1434 (DAC Connection), with proper permission for public role on particular database (Connect, Select, Insert, etc.).
From the error message and the screenshot, I suspect that you might be connecting to the DAC rather than to the main SQL instance.
Please recheck your connection string in the application - or test using SSSMS
I am trying to query MS SQL Server from a client with below connection string.
connStr='Driver={SQL Server};Server=Svr1;Database=testDB;User Id=DOMAIN1\User1;Password=test123;'
When I logged in to the client as a domain user, say DOMAIN1\User2 it works fine.
But in production environment, my script will be running as a service under admin account. Hence, when I try to execute the same script when logged in as local admin in same client machine, I get the below error
pyodbc.InterfaceError: ('28000', '[28000] [Microsoft][ODBC SQL Server Driver][SQL Server]Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. (18452) (SQLDriverConnect); [28000] [Microsoft][ODBC SQL Server Driver]Invalid connection string attribute (0); [28000] [Microsoft][ODBC SQL Server Driver][SQL Server]Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. (18452); [28000] [Microsoft][ODBC SQL Server Driver]Invalid connection string attribute (0)')
When I search for this error, many of the solutions are related to password expiry cases. Is there some attribute I can add to connection string to make this query work? I tried adding IntegratedSecurity=False, but it didn't work.
I am trying to access SQL Server 14.0.2027.2 using Python PyODBC module.
I am trying to access a SQL Server hosted on an EC2 instance from my local system. Though I am able to access it within the server using SQL Server authentication, username and password, I am not able to do the same from my local system.
The only change I am doing while accessing it from my local system is to replace the server name with its public DNS.
On the server: ServerName\SQLEXPRESS
On the local system: DNS\SQLEXPRESS,1433
I have also opened the port 1433 in the inbound rules of AWS and in windows firewall as well.
The exact error is as follows:
Login failed for user 'sa' (Microsoft SQL Server: Error 18456)
Any help/discussion to resolve this would be really appreciated.
When I attempt to connect to my local, default SQL Server instance via SQL Management studio using Windows Authentication, I successfully connect when I use Server Name "localhost", but fail when I use Server Name "127.0.0.1". With login auditing enabled for both failed and successful logins, I see that the successful logins are recorded as:
Login succeeded for user 'AzureAD\RealUsername'. Connection made using Integrated Authentication. [CLIENT: < local machine >]
And the failed logins are recorded as:
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Could not find a login matching the name provided. [CLIENT: 127.0.0.1]
Possibly relevant:
I can connect using the ip address if I use SQL Server authentication (since I am forcing it to use an existing login).
There is no entry in my hosts file for "localhost", and when I ping localhost it does resolve to 127.0.0.1.
The SQL instance uses port 1433.
The issue, with very little variation, persists when connecting via SQL Management Studio, a .NET web app running in a local IIS instance, or via UDL file on my desktop.
Here is my question: Why would changing only the server value ('localhost' vs '127.0.0.1') change the identity used when connecting?
I have recently installed SQL Server 2016 on Amazon EC2 instance so I can start developing various SSIS / SSRS applications.
I have enabled Remote connections, opened port 1433 in the security group and windows firewall, and created a user 'myuser123' who is enabled and and allowed SQL Server and Windows Authentication within the server properties.
I am trying to login using this connection
ec2-1-2-3-4.eu-west-1.compute.amazonaws.com\MSSQLSERVER,1433
SQL Server Authentication
username: myuser123
password: #########
The error message I am getting looks to be a user authentication error.
Cannot connect to ec2-1-2-3-4.eu-west-1.compute.amazonaws.com\MSSQLSERVER,1433
Additional Information
Login failed for user 'myuser123'. (Microsoft SQL Server, Error 18456)
However when I Remote Desktop to the EC2 Instance and try to log in locally using the same username / password I don't have any problem.
Do you have any idea why this may be?
Thanks
M