Develop Reference

How to Delegate Credentials through double hop to SQL Server?

What I am trying to do:
We have a Task Scheduler that kicks off an EXE, which in the course of its runtime, will connect to SQL Server.
So that would be:
taskServer.myDomain triggers the Task Scheduler action
taskServer.myDomain exe runs locally
taskServer.myDomain initiates a connection to sqlServer.myDomain
The scheduled task is associated with a service account (svc_user) that is set to run with highest privilege, run whether the user is logged in or not, and store credentials for access to non-local resources.
The actual behavior
What we are seeing is the Task Scheduler is indeed running as svc_user. It triggers the EXE as expected, and the EXE is also running as svc_user. When the EXE initiates a connection to SQL Server, it errors on authentication.
Looking at the Event Viewer we can see the failure trying to initialize the connection to SQL
Exception Info: System.Data.SqlClient.SqlException
at System.Data.SqlClient.SqlInternalConnectionTds..ctor(System.Data.ProviderBase.DbConnectionPoolIdentity, System.Data.SqlClient.SqlConnectionString, System.Data.SqlClient.SqlCredential, System.Object, System.String, System.Security.SecureString, Boolean, System.Data.SqlClient.SqlConnectionString, System.Data.SqlClient.SessionData, System.Data.ProviderBase.DbConnectionPool, System.String, Boolean, System.Data.SqlClient.SqlAuthenticationProviderManager)
And then looking at the SQL Server logs we can see the root of the issue
Logon,Unknown,Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Could not find a login matching the name provided.
The connection initialized by the EXE to SQL Server is trying to authenticate as ANONYMOUS LOGON.
What I have tried
Background
This issue popped up when our IT team started deploying a GPO lockdown in our environments. So in order to get to this point, we first had to add some GPO exceptions to allow the svc_user to:
log on locally
log on as batch job
Progress?
This is where we started being able to capture the ANONYMOUS LOGON error in SQL Server. From there we tried a handful of other GPO exceptions including
Allow Credential Save
Enable computer and user accounts to be trusted for delegation
The actual issue?
So it would appear that this is a double hop delegation issue. Which eventually led me here and then via the answer, here and here.
So I tried adding GPO policies to allow delegating fresh credentials using the WSMAN/* protocol + wildcard.
Two issues with this:
the Fresh credentials refer to prompted credentials while the EXE is running as a service during off-hours and inheriting the credentials from the TaskScheduler
the WSMAN protocol appears to be used for remote PowerShell sessions (via the original question in the serverfault post) and not SQL Service connections.
So, I added the protocol MSSQLSvc/* to the enabled delegation and tried all permutations of Fresh, Saved and Default delegation. (This was all done in Local Computer Policy -> Computer Configuration -> Administrative Templates -> system -> Credentials Delegation)
Where it gets weird
We have another server, otherServer.myDomain, which we setup with the same TaskSchedule. It is setup with the same GPO memberships, but seems to be able to successfully connect to SQL Server. AFAIK, the servers are identical as far as setup and configuration.
The Present
I have done a bit more digging into anywhere I could think that might offer clues as to how I can feed the credentials through or where they might be falling through. Including watching the traffic between the taskServer and the sqlServer as well as otherServer and sqlServer.
I was able to see NTLM challenges coming from the sqlServer to the taskServer/otherServer.
In the case of taskServer, the NTLM response only has a workstationString=taskServer
On otherServer, the NTLM response has workstationString=otherServer, domainString=myDomain, and userString=svc_user.
Question
What is the disconnect between hop 1 (task scheduler to EXE) and hop 2 (EXE to SQL on sqlServer)? And why does this behavior not match between taskServer and otherServer?

So I finally have an update/solution for this post.
The crux of the issue was a missing SPN. The short answer:
Add an SPN for sqlServer associated with the service account SQL services are running as (not the svc_user)
example: SetSPN -S MSSQLSvc/sqlServer.myDomain myDomain\svc_sql_user
Add another SPN like above but w/ the sql service port
example: SetSPN -S MSSQLSvc/sqlServer.myDomain:1433 myDomain\svc_sql_user
Set the SQL service user account to allow delegation like so

Connect to Progress database without knowing user and password

Setup: Progress 11.5 databases sitting on Linux (CentOS) server, with proenv available.
I'm trying to connect to Progress database through proenv and sqlexp. I'm unable to, since I don't know the user and password. There's no way I can obtain it from someone else, as nobody knows these credentials. I have root access on this server.
How can I connect to this database so that I can later create another account to use through ODBC?
What I've tried already is:
Being on root account, opening up proenv by
/dlcloc/dlc-11.5/bin/proenv
which brings up proenv, and then when I try
sqlexp -db rep -H localhost -S 2502 {-user ?? -password ??}
given that there's a db within
/dbloc/prod/rep/
with files like rep.db, rep.lg, rep.b1, rep.d1 and some other files avilable on localhost under port 2502 (confirmed through ps aux | grep rep)
I get an error even without user and password
Error: [DataDirect][OpenEdge JDBC Driver][OpenEdge] Access denied(Authorisation failed). (8933)
Which is obvious from my side, but there's no way to get user and password. How can I go around this given my environment to be able to establish a successfull connection?
Additional note: There's a special user called progressuser under which database is created, but impersonating that user from root as su progressuser and going through the same process yields the same results.

You could try accessing the database using the native 4GL broker. And possibly try this solution:
https://knowledgebase.progress.com/articles/Article/P9483
First run that proenv-script, it will set paths and environment variables.
Then identify on which port the 4GL broker runs. If you dont know: check your database log file (rep.lg). Look for something like:
[YYYY/MM/DD#HH:MM:SS.sss+TZ] P-XXXX T-YYYY I BROKER 0: (4262) Servicename (-S): NNNN.
The Ns will be your port. It might possibly be a service name to check in /etc/services
Then access the Progress Editor with a connected database:
pro -db rep -H <IP-address/domain name> -S <port number/service name>
You should see a rudimentary editor. To run something you press Ctrl+X or F1. To access the menu F3. To exit something F4.
Access the Menu using F3 and arrow-key your way to Tools -> Datadictionary. Now you should be able to follow the steps in the link provided above.
Perhaps its a good idea to make sure you have a valid backup before you start messing around with the users...

Block all connections to a database db2

I'm working on logs. I want to reproduce a log in which the application fails to connect to the server.
Currently the commands I'm using are
db2 force applications all
This closes all the connections and then one by one I deactivate each database using
db2 deactivate db "database_name"
What happens is that it temporary blocks the connections and after a minute my application is able to create the connection again, due to which I am not able to regenerate the log. Any Ideas how can I do this?

What you are looking for is QUIESCE.
By default users can connect to a database. It becomes active and internal in-memory data structures are initialized. When the last connection closes, the database becomes inactive. Activating a database puts and leaves them initialized and "ready to use".
Quiescing the database puts them into an administrative state. Regular users cannot connect. You can quiesce a single database or the entire instance. See the docs for some options to manage access to quiesced instances. The following forces all users off the current database and keeps them away:
db2 quiesce db immediate
If you want to produce a connection error for an app, there are other options. Have you ever tried to connect to a non-estisting port, Db2 not listening on it? Or revoke connect privilege for that user trying to connect.

There are several testing strategies that can be used, they involve disrupting the network connection between client and server:
Alter the IP routing table on the client to route the DB2 server address to a non-existent subnet
Use the connection via a proxy software that can be turned off, there is a special proxy ToxiProxy, which was designed for the purpose of testing network disruptions
Pull the Ethernet cable from the client machine, observe then plug it back in (I've done this)
This has the advantage of not disabling the DB2 server for other testing in progress.

Manually start Oracle Database

I have a Oracle DB in my computer, but when i have this DB my computer start very slowly. I decide to disable Oracle services in msconfig. I disable a follow services:
OracleMTSRecoveryService
OracleServiceXE
OracleXEClrAgent
OracleXETNSListener
But sometimes I need using a Oracle Database. I try run in windows admin tools in services. I run all Oracle services:
OracleJobScheduler
OracleMTSRecoveryService
OracleServiceXE
OracleXEClrAgent
OracleXETNSListener
All services have state set a running.
But when i run SQL Developer and try connect to my database i get this error:
An error was encountered performing the requested operation:
ORA-01033: ORACLE initialization or shutdown in progress
01033. 00000 - "ORACLE initialization or shutdown in progress" Cause: An attempt was made to log on while Oracle is being started up
or shutdown. Action: Wait a few minutes. Then retry the operation. Vendor code 1033
Why? How to correctly run database in manually case?

Login to sqlplus as SYSDBA (for instance with "sqlplus /as SYSDBA" on command line).
It probably says "connected to an idle instance". In that case , you can start the database with "startup".
Because you have been fiddling with the startup services there might be other steps to take. But based on your information anything can be wrong.

Oracle - multiple databases on one server, connect issue

I'm new in Oracle Database and so far I was using only MS SQL Server. I created two databases on my laptop (habit from MS), which is running Windows 8.
I stoped those two databases using SQL Plus and "shutdown normal" command. Before stoping those databases, I connected to them using "user/password#database_SID" syntax. After shutdown I can't choose which database I want to connect because when using "#Database_SID" I've got this error:
"ORA-12514: TNS:listener does not currently know of service requested in connect descriptor".
How can I define which database I want to connect whithout "#Database_SID" syntax?
Thanks a lot for help!

Locally on your machine, you use IPC - Inter Process Communication to login to your database in order to do administrative work. (startup, shutdown, mount, etc)
C:\>set ORACLE_SID=DB1
C:\>sqlplus / as sysdba -- make sure you are member of group "ORA_DBA"
SQL>startup
C:\>set ORACLE_SID=DB2
C:\>sqlplus / as sysdba
SQL>startup
ORA-12514 indicates the database has not registered with the listener because database status is shutdown
Note. The Windows Service OracleService<SID> can have status "Running", but the database can be stopped (shutdown)
There is no need to have two physical databases running on your laptop. Waste of resources. In Oracle terms you need two schemas.

Make sure the listener is running.
On Windows, Oracle seems to use the networking layer, even when connecting locally.