I want to run SQL Server queries on a Dynamics 365 database.
The administrators of the Dynamics database have enabled "TDS" for me - and now I can easily connect SSMS, using "Azure Active Directory - Password" authentication, and run SQL SELECTs against it. So far, so good!
But I also wish to create a Linked Server to the Dynamics database, and for this I understand that OLEDB is needed? Is that the correct approach?
Hoping so, I downloaded the latest OLEDB provider, MSOLEDBSQL19. My test query, using OLEDB, looks like this:
SELECT c.*
FROM OPENROWSET(
'msoledbsql19'
, 'Server={myServer};Database={myDatabase};UID={myUserId};Pwd={myPassword};Authentication=ActiveDirectoryPassword;'
, 'SELECT name FROM dbo.account;'
) c;
But this results in the following error:
Failed to authenticate the user 'myUserId' in Active Directory (Authentication option is 'ActiveDirectoryPassword').
Error code 0xCAA20002; state 10
AADSTS65002: Consent between first party application 'db465503-d247-463e-8a13-95889346b742' and first party resource '00000007-0000-0000-c000-000000000000' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API.
A search for "AADSTS65002" brings back "A developer in your tenant may be attempting to reuse an App ID owned by Microsoft. This error prevents them from impersonating a Microsoft application to call other APIs. They must move to another app ID they register in https://portal.azure.com."
I have no knowledge of Azure AD and Dynamics, so this is all a little baffling to me - why would trying a Microsoft OLEDB driver be "reusing an App ID"?
Does a change need to be made at my end, in SSMS that is?
Or is the problem with the Azure/Dynamics configuration? If so I would need to pass details of the solution on to the people administering that.
Thanks for any assistance :)
I've get a fresh install of SQL Server 2012 and do not want to use integrated security. Instead I'd like to use SQL Server authentication, where I create logins in SQL server and assign passwords. However, this option doesn't seem to be available (see screen snapshot below). Every option available to me under "User Type" (other than those that aren't related to accounts at all) want me to map to existing Windows Domain accounts.
In the old days, I'd specify a desired login name and be prompted for a password to go along with it, and I'd be done. Now there's no option to specify a password--I'm forced to map my new login to an existing
windows domain account. Not what I want. What am I missing here? Thanks in advance.
** edit ** New screen snapshots added after RB's comment. I did indeed have an option disabled that would allow BOTH Windows and SQL Server authentication modes, but it's turned on now. After doing so and restarting SQL Server, it is NOT making a difference:
Here is what I am presented with when I try to create a new user. None of these options simply allow me to create a login and password in the context of SQL server (well, one allows creation of a login with no password at all... useless!) All others are linked to existing Windows logins. Ideas?
Let's do this in a way that doesn't require pictures and right-clicking.
CREATE LOGIN [yourUserName] WITH PASSWORD = 'someStrongPassword';
CREATE USER [yourUserName];
I have been trying to access liferay using my Active Directory account but i am not able to sign in, knowing that the users are imported successfully but it seems that liferay doesn't import the passwords. How can I solve this issue?
AD Environment: Windows Server 2012
Liferay 6.2
With LDAP you typically don't want to distribute your passwords all over - password management is on one side, e.g. on LDAP, and the password policy that applies there should carry on everywhere. When you change your password on LDAP, would you want to be able to log in to your portal with the old password? One positive aspect on having passwords in a separate system (like LDAP) is that they can't get loose should there be any security issue in your front end application (like Liferay, but by far not limited to it).
In fact, I prefer to add an SSO system, so that Liferay never even sees any password. Further, passwords are hopefully stored in a salted&hashed way, so that you can't "just get" them out of any system. Granted, during login without SSO, Liferay knows the password, but I'm actually happy when that's not written to the local database.
If you rely on your Liferay database to have your correct passwords, you should be changing your architecture. To me your description sounds like "yay, works as expected".
LDAP Authentication has been enabled.
Test LDAP Connection returns successful.
Test LDAP Users returns with a list of users.
Test LDAP Groups is successful as well.
I sign out of Test#Liferay.com and try logging in as on of the users returned from "Test LDAP Users."
Authentication fails.
Liferay throws authentication fails very quickly as if it did not even check against Active Directory.
Any suggestions? Thanks!
Liferay does not connect to LDAP to do authentication. It imports LDAP entities (user/groups) into it's own db. Only after import you can authenticate with user from LDAP (Liferay's copy of user).
How did you setup LDAP import setting? On startup? Periodically?
UPDATE:
Do you have errors in logs regarding ldap import?
Which version of Liferay do you use?
Do you have export to ldap enabled? (that never worked for me, meaning import failed because of export)
I also suffered with this problem before. I solved it now.
Do you enable the Export of LDAP. How you are doing the ldap configuration if you are using control panel-> Portal Setting then
You can check the search Filter of User portion and set objectClass=inetOrgPerson
Usually the best way to start troubleshooting these things is to get a network trace with something like WireShark and see what calls are being made as well as the corresponding replies.
I'm running an IIS 7 Website with an AppPool of Integrated Pipeline Mode.
The AppPools does NOT run under NetworkService, etc.. identity (by purpose), but uses its own AppPool Identitiy (IIS AppPool\MyAppPool).
This is a so called service account or virtual account.
(a user account, which is not a full account...)
I'd like to give this service account (IIS AppPool\MyAppPool) permissions to connect to my SQL Server 2008 Express (running in Mixed Auth. Mode).
While SQL Server can add any normal user account, the IIS AppPool\MyAppPool virtual account cannot be added to the valid logons (SQL Server says, that the account cannot be found).
Is there any trick, anything I need to enable to make the virtual accounts work?
(the w3wp.exe process runs under this identity according to taskmgr, but I cannot use the account in NTFS security either...)
Thanks for your help!
The "IIS APPPOOL\AppPoolName" will work, but as mentioned previously, it does not appear to be a valid AD name so when you search for it in the "Select User or Group" dialog box, it won't show up (actually, it will find it, but it will think its an actual system account, and it will try to treat it as such...which won't work, and will give you the error message about it not being found).
How I've gotten it to work is:
In SQL Server Management Studio, look for the Security folder (the security folder at the same level as the Databases, Server Objects, etc. folders...not the security folder within each individual database)
Right click logins and select "New Login"
In the Login name field, type IIS APPPOOL\YourAppPoolName - do not click search
Fill whatever other values you like (i.e., authentication type, default database, etc.)
Click OK
As long as the AppPool name actually exists, the login should now be created.
CREATE LOGIN [IIS APPPOOL\MyAppPool] FROM WINDOWS;
CREATE USER MyAppPoolUser FOR LOGIN [IIS APPPOOL\MyAppPool];
You can solve like this,
Open "Applications Pools",
You should right click that you have choosed application pool. Then choose
"Advanced Settings".
Click three point on the Identity tab then you should choose "LocalSystem" from field of "Built-in-account"
If you do this way, you don't need to create a user in database.
If you're going across machines, you either need to be using NETWORK SERVICE, LOCAL SYSTEM, a domain account, or a SQL 2008 R2 (if you have it) Managed Service Account (which is my preference if you had such an infrastructure). You can not use an account which is not visible to the Active Directory domain.
As a side note processes that uses virtual accounts (NT Service\MyService and IIS AppPool\MyAppPool) are still running under the "NETWORK SERVICE" account as this post suggests http://www.adopenstatic.com/cs/blogs/ken/archive/2008/01/29/15759.aspx. The only difference is that these processes are members of the "NT Service\MyService" or "IIS AppPool\MyAppPool" groups (as these are actually groups and not users). This is also the reason why the processes authenticate at the network as the machine the same way NETWORK SERVICE account does.
The way to secure access is not to depend upon this accounts not having NETWORK SERVICE privileges but to grant more permissions specifically to "NT Service\MyService" or "IIS AppPool\MyAppPool" and to remove permissions for "Users" if necessary.
If anyone has more accurate or contradictional information please post.
Look at: http://www.iis.net/learn/manage/configuring-security/application-pool-identities
USE master
GO
sp_grantlogin 'IIS APPPOOL\<AppPoolName>'
USE <yourdb>
GO
sp_grantdbaccess 'IIS APPPOOL\<AppPoolName>', '<AppPoolName>'
sp_addrolemember 'aspnet_Membership_FullAccess', '<AppPoolName>'
sp_addrolemember 'aspnet_Roles_FullAccess', '<AppPoolName>'
This may be what you are looking for...
http://technet.microsoft.com/en-us/library/cc730708%28WS.10%29.aspx
I would also advise longer term to consider a limited rights domain user, what you are trying works fine in a silo machine scenario but you are going to have to make changes if you move to another machine for the DB server.
I figured it out through trial and error... the real chink in the armor was a little known setting in IIS in the Configuration Editor for the website in
Section: system.webServer/security/authentication/windowsAuthentication
From: ApplicationHost.config <locationpath='ServerName/SiteName' />
called useAppPoolCredentials (which is set to False by default. Set this to True and life becomes great again!!! Hope this saves pain for the next guy....
In my case the problem was that I started to create an MVC Alloy sample project from scratch in using Visual Studio/Episerver extension and it worked fine when executed using local Visual studio iis express.
However by default it points the sql database to LocalDB and when I deployed the site to local IIS it started giving errors some of the initial errors I resolved by:
1.adding the local site url binding to C:/Windows/System32/drivers/etc/hosts
2. Then by editing the application.config found the file location by right clicking on IIS express in botton right corner of the screen when running site using Visual studio and added binding there for local iis url.
3. Finally I was stuck with "unable to access database errors" for which I created a blank new DB in Sql express and changed connection string in web config to point to my new DB and then in package manager console (using Visual Studio) executed Episerver DB commands like -
1. initialize-epidatabase
2. update-epidatabase
3. Convert-EPiDatabaseToUtc
For the ApplicationPoolIdentity, add a login/user in MSSQL as IIS_IUSRS which is corresponding to the default pool.