I'm trying to make a new login in SSMS. I need it for the presistnase.xml in java jpa.
I click in security -> logins -> new login and I choose SQL Server Authentication.
I write user name and password.
Them i try to connect with the new login, and I get the following message:
TITLE: Connect to Server
------------------------------
Cannot connect to DESKTOP-MJ1GR85.
------------------------------
ADDITIONAL INFORMATION:
Login failed for user 'n'. (Microsoft SQL Server, Error: 18456)
For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft%20SQL%20Server&EvtSrc=MSSQLServer&EvtID=18456&LinkId=20476
there are two steps: create a user, then give that user a role in the selected database. eg:
-- create a user:
CREATE LOGIN myUserName WITH PASSWORD=N'newPassword', DEFAULT_DATABASE = MASTER,
DEFAULT_LANGUAGE = US_ENGLISH;
-- give that user access to the database, by allocating a role in the db:
ALTER ROLE [db_owner] ADD MEMBER [myUserName];
note: I wouldn't recommend a user name as short as n
Related
I created my first database (let's call it MyDB) on Azure and created a user that I want to use to query the DB from my applications. I only wanted to give that user db_datawriter and db_datareader because I think that is all this user needs to do from the application.
When I run this on MyDB:
SELECT DP1.name AS DatabaseRoleName,
isnull (DP2.name, 'No members') AS DatabaseUserName
FROM sys.database_role_members AS DRM
RIGHT OUTER JOIN sys.database_principals AS DP1
ON DRM.role_principal_id = DP1.principal_id
LEFT OUTER JOIN sys.database_principals AS DP2
ON DRM.member_principal_id = DP2.principal_id
WHERE DP1.type = 'R'
ORDER BY DP1.name;
I get this back:
db_accessadmin No members
db_backupoperator No members
db_datareader MyDBUser
db_datawriter MyDBUser
db_ddladmin No members
db_denydatareader No members
db_denydatawriter No members
db_owner dbo
db_securityadmin No members
public No members
so that seemed to work. The problem is - I have to give this user also Permission to connect to the DB in the first place, because when I try to connect to the server, I get this:
===================================
Cannot connect to abc.database.windows.net.
===================================
The server principal "MyDBUser" is not able to access the database "master" under the current security context.
Cannot open user default database. Login failed.
Login failed for user 'MyDBUser'. (.Net SqlClient Data Provider)
I think this is probably, because my new user can't connect to master DB, as the errormessage suggests. However, when I look at the properties of MyDB, "Connect" was granted for the user by dbo
How can I let my user connect to the Azure DB Instance, preferably with as less permission as possible, I would only like for him to select, update, insert etc. on MyDB
I tried to change default DB with this command, so I don't need to do anything on masterDB, but the stored procedure wasn't found:
Exec sp_defaultdb #loginame='MyDBUser', #defdb='MyDB'
Edit: That's how I created the Login / User in SSMS
First (on instance):
CREATE LOGIN MyDBUser
WITH PASSWORD = '******'
GO
Then (on MyDB):
CREATE USER MyDBUser
FOR LOGIN MyDBUser
WITH DEFAULT_SCHEMA = dbo
GO
-- Add user to the database owner role
EXEC sp_addrolemember N'db_datawriter', N'MyDBUser'
GO
You have created a LOGIN and then created a USER for the LOGIN but only in the database you want them to connect to but not in master.
SQL Azure Databases are contained databases, so there is no need to create a LOGIN; the databases use their own scoped credentials.
First DROP the USER and LOGIN you created. Connect to MyDB and DROP the user first:
DROP USER MyDBUser;
Then connect to master and DROP the LOGIN:
DROP LOGIN MyDBUser;
Now connect to MyDB again and CREATE the USER with the needed credentials:
CREATE USER MyDBUser WITH PASSWORD = N'Your Secure Password', DEFAULT_SCHEMA = N'dbo';
Then you can give it the needed database roles. Don't use sp_addrolemember; it has been deprecated for ~10 years.
ALTER ROLE db_datareader ADD MEMBER MyDBUser;
ALTER ROLE db_datawriter ADD MEMBER MyDBUser;
I've had a similar error message when connecting to Azure SQL DB with SSMS. The solution there was to identify the database, hence the message "access the database "master"". You probably have entered the DB server name already.
You do not mention how you are trying to connect to the DB, but in case of SSMS, enter the name of the database on the tab "Connection properties" (available behind the "Options>>>" button on "Connect to Server" screen).
I'm logged in as sa on my local SQL Server 14.0.1000.169 database and I'm trying to run the following script:
CREATE USER [myuser] FOR LOGIN [myuser] WITH DEFAULT_SCHEMA=[dbo]
GO
I get the following result:
Msg 15007, Level 16, State 1, Line 1
myuser is not a valid login or you do not have permission
I double-checked and myuser doesn't exist and dbo does exist, any idea what's wrong?
Before Creating a User you must first create a global Login.
under Security -> Logins -> NewLogin
Or
First connect to the server and switch to the master database. In master create a login and then add a user for that login to the master database.
CREATE LOGIN [MyLogin] WITH password='xxxxxxxxx'
GO
CREATE USER [MyUser] FOR LOGIN [MyLogin] WITH DEFAULT_SCHEMA=[dbo]
GO
Once the login exists you can add them as a User under a particular
database.
I try (for the first time) to create a user account on my SQL Azure database.
I have read in some blogs that I have to create these command lines
CREATE LOGIN login_name WITH PASSWORD = 'strong_password';
CREATE USER 'user_name' FOR LOGIN 'login_name';
And then
USE [Database];
GO
GRANT CONNECT TO login_name;
But, when I try to connect with this new account on my database, I have the message error 916
The server principal "login_name is not able to access the database "master" under the current security context.
I don't understand because the don't create my new user for the master but for a specific database in my SQL Azure environment (I have 5 databases in my SQL Azure by the way)
If you have any idea to help me, thanks in advance
When first logging in, unless a database is specified in the connection string, a login connects to its default database. If the database is not specified in the CREATE LOGIN statement, the system default of master is used.
To fix this, use this for your CREATE LOGIN:
CREATE LOGIN login_name WITH PASSWORD = 'strong_password',
DEFAULT_DATABASE = MyDatabase;
When I log in to azure portal select my SQL Database -> Tools -> QueryEditor and enter:
ALTER USER MyUser WITH Password = '**********'
I get the error:
Failed to execute query. Error: The parameter PASSWORD cannot be
provided for users that cannot authenticate in a database.
I've created the user in Visual Studio Database Project in MyUser.sql (Build Action=Build):
CREATE USER [My_User] WITHOUT LOGIN WITH DEFAULT_SCHEMA=[dbo];
Why I'm getting the message?
Is it possible to create the User in Database Project so that I will specify the password later (not is source code)?
Your user is not a contained database user that can be authenticated by database. This is because you did not create it with syntax
CREATE USER user_name WITH PASSWORD = 'strong_password';
What you've created is a "traditional" user without login, in "traditional" model user cannot have a password, only the corresponding login can. But your user has no corresponding login as it was created without login, so you cannot change a password at all.
Here you can find more detailes about contained database urers: Contained Database Users
After running these commands against an Azure SQL Server (in SSMS or using a command line utility):
-- run in the master table to create the login
CREATE LOGIN SusanDBA with password= 'U$3r---Pa55W0rd!!'
-- run against AnotherDB (not the master db)
CREATE USER SusanDBA from LOGIN SusanDBA
SusanDBA can login to open a connection to the AnotherDB but cannot execute the Alter Login command to change the password. This reportedly has to be done against the master database. But we don't want the user to connect to the master db for security reasons.
The command
Alter Login SusanDBA
with PASSWORD = 'U$3r---Pa55W0rd!!---'
OLD_PASSWORD='U$3r---Pa55W0rd!!'
Gets the response
Msg 5001, Level 16, State 3, Line 1 User must be in the master
database.
An administrator with appropriate master privileges can change the password but that kind of defeats the purpose: the administrator now knows the user's password.
Constraints:
- We are not in a position to use AD in this case so its SQL Authentication.
- We would like to use a command prompt utility like SQLCMD.
Correct syntax on March 2021
ALTER LOGIN [login] WITH PASSWORD='XXX' OLD_PASSWORD='NNN';
ALTER USER userName WITH PASSWORD='newPassword' OLD_PASSWORD='oldPassword';
also reference:
https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-user-transact-sql?view=sql-server-ver15