Do you know whether a SQL Server connection can be authenticated via Windows Authentication but using a not exclusively the Windows Identity/Windows User Name but also a DB login name?
That is, could an SQL Server database have a login that is mapped to a Windows ID so that when you request a database connection you can specify a user name but yet SQL Server knows to look at the Windows authentication ID and validate the login?
could an SQL Server database have a login that is mapped to a Windows ID so that when you request a database connection you can specify a user name but yet SQL Server knows to look at the Windows authentication ID and validate the login?
No. When you connect with Windows Integrated Authentication you'll be connected as a Windows Login, and for each database you execute statements as the user mapped to that Windows Login (or as dbo if the login is a member of the sysadmin server-level role or the Windows Login is the owner of the database).
You can grant that Windows Login or mapped user the privilege to impersonate some other login or user, but it requires a separate command to perform the impersonation (execute as user='someuser'.
Related
Is there a prohibition for using a Windows Group account (with users) and mapping them to a credential in SQL Server.
I was able to make this work with an Windows Login Account and I believe this will work well with SQL Accounts.
Running the following:
ALTER LOGIN [DOMAIN\GROUP_NAME] FROM WINDOWS
ADD CREDENTIAL [credentialname];
GO
I get the following error:
Cannot use parameter CREDENTIAL for a Windows login. error 15080
Adding a credential to a Login is used to give a Windows identity to a SQL Login for interacting with external resources, typically in CLR code or Linked Servers.
CREDENTIAL = credential_name The name of a credential to be mapped to
a SQL Server login. The credential must already exist in the server.
For more information, see Credentials. A credential cannot be mapped
to the sa login.
ALTER LOGIN
It's not intended, documented, or supported for Windows Logins of any kind, and doesn't actually work.
I need to connect to SQL Server using a Windows Authentication user by specifying username and password in the connection string.
Somehow I need to make a connection like this to work:
driver=com.microsoft.sqlserver.jdbc.SQLServerDriver
url=jdbc:sqlserver://192.168.48.61\\sqlexpress2008r2;
databaseName=MyTestDatabase;integratedSecurity=true;
username=mydomain\eric;password=mypwd
Since the requirement seems odd I try to exlpain my scenario:
in my application the users are mapped to SQL Server users (either using sql authentication or windows authentication)
there is a Windows client to access the database from inside the LAN
i am writing a web application (Tomcat8 servlet) to access the database from internet: in this case i want the user to type domain\username and password in the login screen to log him in
The reason why i do this is because I need to test if the supplied domain\username and password are valid. After this check is done i will connect to the db with the sa user but assign to the logged in user the proper privileges (depending on he username).
Because of an architectural constraint I should test this by trying to conncet to the database using JDBC, so the idea is:
create the connection string for a windows authentication user
try to connect
if connection is esatabilished i assume user and password are correct.
So i need to create a JDBC connection string in which i use integrated security and i explictly define a username (DOMAIN\USER) and password. I did not find any example on how to perform this.
driver=com.microsoft.sqlserver.jdbc.SQLServerDriver
url=jdbc:sqlserver://192.168.48.61\sqlexpress2008r2;
databaseName=MyTestDatabase;integratedSecurity=true;
username=mydomain\eric;password=mypwd
This will NEVER work.
So if there is a user abc\user1 in windows whom you want to allow
access to the database, then create a SQL Server login with exactly
same user name and password.
This will never work too.
You just cannot create SQL Server login (opposed to Windows login in this context) with "\", it will be recognized as Windows login and you'll get an error about invalid characters.
Trusted connection or Integrated security means that it's not a server that authenticates you, but it's Windows that does it.
So in no way can you pass Windows name and a password: your account should be verified by Windows and SQL Server will only trust these credentials.
I have an domain admin user group and I have added it to SQL Server security. My account is added to the group. But I am not able to log in to SQL Server.
If I add my domain account individually to SQL Server, I can login using my Windows account. Can I login into SQL Server via a user group so I do not have to add the each individual account?
Yes, you can. All that is required is to add the windows ad group to whatever role is appropriate to your configuration.
SQL Server supports three types of logins:
A local Windows user account or trusted domain account. SQL Server
relies on Windows to authenticate the Windows user accounts.
Windows group. Granting access to a Windows group grants access to
all Windows user logins that are members of the group.
SQL Server login. SQL Server stores both the username and a hash of
the password in the master database, by using internal authentication
methods to verify login attempts.
Read more here MSDN SQL Authentication
And this article has step by step with screen shots: Step By Step
You can use Windows Authentication Mode, first you need to make sure that the user's identity is verified by Windows then SQL Server validates the account name and password using the Windows principal token in the operating system.
Read more: https://msdn.microsoft.com/en-us/library/ms144284.aspx
The requirement is to find which OS user logs in to a SQL Server database whenever the login is Windows Authentication or SQL Server authentication. Need to know WHO (AD account on the client PC) used which db account logged into SQL Server with what application.
The problem is I could not get the client's OS username when a SQL Server authentication user logs in.
For example, I used my AD account Domain name on a laptop, laptop123. Domain name is Stackoverflow, username is developer1, started Microsoft SQL Server Management Studio, connected with DB account (SQL Server authentication) ERPAPPUSER. I need to record the domain user Stackoverflow/developer1.
I can easily get the information that user ERPAPPUSER logged in from laptop123 using Microsoft SQL Server Management Studio.
I created a database logon trigger and could get the client username, hostname, logon time, application name and so on, but could not get the client OS username.
CREATE TRIGGER DB_ServerLogon
ON ALL SERVER
WITH EXECUTE AS 'sa'
FOR LOGON
AS
BEGIN
INSERT INTO audit_history.dbo.db_logon_history
SELECT
ORIGINAL_DB_NAME(),
ORIGINAL_LOGIN(),
##SPID,GETDATE(),
HOST_NAME(),
APP_NAME()
END
GO
Many thanks!
-- Added 'WITH EXECUTE AS 'as' ', otherwise for all users who don't have access to the db_logon_history will not be able to login.
Short answer is no, it is not possible.
Long answer, SQL Server supports 2 security modes. These are a) "Windows Authenitcation mode" and b) "Mixed Mode" - which is "SQL Server and Windows Authentication Mode". This second mode means that you can log in with a SQL Server login or a Windows Account. The Windows Account would be the same as in (a) above. Now when you log in with Windows it is a trusted connection, so you have to have the Windows Account/Group authorized to access your SQL Server instance. The connection is authentication against a token which is created when the user logs in to windows. This token is passed to SQL Server and can thus be parsed to return the information that you have described above. However when you log on with SQL Server Mode you are not logging on with a domain account and thus no domain account is passed to SQL Server. Rather you log in with a SQL Server native account that is running in the context of the server. Now, you could be logging on with any sort of device, not just a windows client. If you wish to pass the client details to SQL Server when using SQL Server mode, you have to pass it as a parameter from the front end. i.e. using a stored procedure or similar. (Good question by the way. and well asked.)
I'm trying to connect to a local SQL Server database but it gives me this error:
Login failed for user 'DOMAIN\Username'.
When I open SQL server and look in the Security\Logins folder then I do see the user DOMAIN\Username. This is also the user that I use to login into Windows with.
My connection string looks like this:
<add name="ServerConfiguration"
connectionString="server=localhost; database=BN_Configuration;
Integrated Security=false; User ID=DOMAIN\Username; Password=123456;"
providerName="System.Data.SqlClient" />
Anyone any idea why I can't login with these credentials?
--
Note I wish to authenticate with a user that exists in the SQL Server database. So I do NOT want to do Windows authentication with Integrated Security set to false.
It looks like you are using a Windows credential as SQL Server credential. Try integrated security = true, and not to specify user ID and password.
In your connection string Integrated Security=false is saying user ID and password are specified in the connection for an account that exists in SQL Server but is NOT a domain user. When Integrated Security=true, the current Windows account credentials are used for authentication. If it's an application it will use the user who is currently logged in, and for a web application it all depends on how your application pool is set up.
You are mixing up the definitions by saying ``Integrated Security=false` but passing domain credentials which is not possible.
Using a domain account
Set Integrated Security=true
Remove the user id and password sections.
Map the domain account in SQL Server making sure to set Windows authentication
If it's a web application, make sure your application pool is set to run under that domain account.
Using a SQL Server Account
Set Integrated Security=false
Create a SQL login, making sure it uses SQL Server authentication
Set the User ID and Password properties of your connection string to be the same details you created above.
Note: Final point, make sure the user also has access to the database you are connecting to (in your case BN_Configuration).