SQL Server MS, change user for Windows Authentication - sql-server

I'm using a VPN to access a remote SQL Server. Normally I would run SSMS on my machine and use SQL Server Login for access. However, this server is set up to allow in only a particular user using Windows Authentication. I can access the DB by RDPing to that server and using SSMS on that machine, but is there any other way to do it from SSMS on my local machine?

Simplest way:
open up a command line window - cmd.exe
do the following: runas /user:<domain>\<alias> cmd.exe
enter your password when prompted
do the following: ssms.exe
it should now launch SSMS.exe under the account in #2 above.

Related

Accessing SQL Server remotely using Windows Authentication

I have setup SQLExpress on a Windows 10 PC and trying to access it via another PC.
I also configured my setup using this guide.
I was able to connect using SQL Server Authentication.
However, when I tried connecting using Windows Authentication, I received the following message:
The login is from an untrusted domain and cannot be used with integrated authentication.
Is there a step I might have missed?
You may need to launch your SSMS under a different set of credentials (runas) in order for it to connect via windows authentication. One way to do this is to create a simple batch file (or shortcut) to do so.
Create a batch file on your desktop and name it something like:
AltSsms.bat
Add the following line to the AltSsms.bat file:
runas.exe /netonly /user:{domain}\{username} "C:\Program Files (x86)\Microsoft SQL Server Management Studio 18\Common7\IDE\Ssms.exe"
Be sure to replace {domain} and {username} with the actual values expected by the remote computer, and provide the full path to your local SSMS installation. I've provided my SSMS path for reference.
Save the updates to the batch file and then double-click it to open it. You should be prompted to enter the password for the {domain}\{username} you specified in the batch file.
Once SSMS loads (and assuming you've entered proper credentials), attempt to connect to the SQL Server instance with Windows Authentication. I've had to do this with several SSIS setups.

PSExec to execute sql scripts in SQL server of Remote machine

How to create a batch file to connect to Remote desktop and launch Microsoft Sql server and run some scripts.
I tried creating a batch file to connect to using
#ECHO OFF
mstsc /v:"SERVERNAME"
But i was not able to pass username and password
Can anyone advise on this.
EDIT
psexec \\remotemachine-u username -p password ipconfig
Above one connects me to the remote machine and prints its Ip details.
Now I am trying to execute SQL script which is in D:\ of remote machine to execute in Microsoft SQL server (connection) in the remote machine.
Is that possible.
You can use MSTSC to create the connection, with credentials (be sure to check the box that says "Allow me to Save Credentials"), then save that information to an .RDP file
After you should be able to launch:
mstsc "MyConnectionFile.rdp"
In the connection configuration, there is also a tab: "Programs / Start the following programs on connection", which should get your scripts going.
In general, the issue is to set up everything via the GUI, save it to an RDP file, and use that file in the future.

Connect to SQL Server on a different domain via JDBC

From Windows using SQL Server Management Studio (SSMS), I can only connect to a SQL Server on a different domain as follows:
C:\> runas /netonly /user:differentDomainName\aUserName "C:\Program Files (x86
)\Microsoft SQL Server\110\Tools\Binn\ManagementStudio\Ssms.exe -S anIpAddress"
How can I accomplish this connection via JDBC? I've tried using the following connection string with Microsoft's sqljdbc 4.2 driver:
jdbc:sqlserver://anIpAddress:1433;database=MAIN;user=differentDomainName\\aUserName;password=pass
I receive the following error:
com.microsoft.sqlserver.jdbc.SQLServerException: Login failed for user 'differentDomainName\aUserName'
This is the same error that I receive if I start SSMS without using runas and typed differentDomainName\aUserName for Login name in the "Connect to Server" dialog box of SSMS 2012.
Additional Information: The JDBC connection will be established within a application running on Linux. So, running the application using runas is not an option unfortunately.
Another attempt:
I've also tried to use jTDS 1.3.1 with the following connection string:
jdbc:jtds:sqlserver://anIpAddress:1433;databaseName=MAIN;domain=differentDomainName;user=aUserName;password=pass
since aUserName is set up only for Windows authentication. Unfortunately, this produces the following exception:
o.a.tomcat.jdbc.pool.ConnectionPool : Unable to create initial connections of pool.
Followed by
java.sql.SQLException: I/O Error: DB server closed connection.
Permission information: I'm unable to modify anything on the SQL Server machine including any configuration within SQL Server. The "aUserName" account maps to a SQL Server read only Windows authentication only user.
When you connect with MS JDBC driver, you don't specify the password for the user (at least not in the connection string you provided). If your intention was to use integrated security, you should indicate this in the connection string, but then you process has to be authenticated already for differentDomainName\aUserName
Integrated security & JDBC:
https://msdn.microsoft.com/en-us/library/ms378428%28v=sql.110%29.aspx?f=255&MSPPError=-2147217396#Connectingintegrated
Since your plan is to access SQL server from linux, I doubt that you could make integrated security work for that scenario, so you should plan to provide the password in the connection string. I'm not sure if you can provide username/password for a domain user in the connection string (I think you can), but if you switch to a user with SQL server auth, it will certainly work. This should be a fallback option, as SQL server auth is less secure.

remote powershell script executed by anonymous user

We are running deployment scripts using pstrami. Part of the deployment is to execute database migrations. The migrations are using an connection string with Integrated Security.
When the script executes on the remote machine the migrations fail with a sql error saying Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
The person executing the script is a domain administrator. Other deployments that we run execute the remote scripts with the user who started the process.
The problem is that the credentials are not hopping to SQL Server for integrated security. You need to do the following:
On the server (the one that is making the SQL Server connection, as administrator run:
Enable-WSManCredSSP -Role server
On the client machine, as administrator run:
Enable-WSManCredSSP -Role client -DelegateComputer YOUR_SERVER_NAME
To open this up to all servers, you can run:
Enable-WSManCredSSP -Role client -DelegateComputer *
Finally, your invoke command make sure you run -authentication credssp. An example:
invoke-command -computername $remoteServer -authentication credssp -scriptblock { write-host "hello!" } -credential $credentials
This is the scenario:
You run the pstrami(deployment) script from desktopA. The script pushes your installation files to serverA. Then on serverA the scripts are run remotely as the person inititating the script from desktopA. One of the steps is to run a sql database upate with fluentmigrator using a connection string paramter using "integrated security" and the database is on serverB.
Connection string example:
$migration_db_connection = Data Source=serverB;Initial Catalog=PropertyDb;Integrated Security=SSPI;
.\migrate.exe /conn "$migration_db_connection" /db SqlServer /a $migration_assembly /profile DEBUG
Pstrami uses the powershell command invoke-command which uses the account you are running the script under as the default user. So, what happens is that when you run the script from desktopA as "jonDoe" it then authenticates on serverA. So your pstrami scripts run under "jonDoe" on serverA. When you execute the fluentmigrator script on serverA as "jonDoe", fluentmigrator returns an error Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. In IIS, you run into an interesting situation when you need to access another resource off of the IIS server and certain fairly common situations occur. When using Integrated Security, anonymous access is disabled, and impersonation is turned on, a Windows security measure kicks in and doesn't allow your site to access resources on any network servers. (http://weblogs.asp.net/owscott/archive/2008/08/22/iis-windows-authentication-and-the-double-hop-issue.aspx)
This is how I got around the Windows Authentication and the Double Hop problem I ran into. Run your migration scripts directly on your sql database server and include it as a server target in your pstrami environments.
Example:
Environment "dev" -servers #(
Server "serverA" #("InstallWeb")
Server "serverB" #("RunMigrations")
)
More on Double Hop
http://www.spdoctor.net/Pages/message.aspx?name=login-failed-for-user-bdc
http://www.sqlservercentral.com/blogs/sqlsandwiches/2011/06/20/double-hop-of-doom/
I am not able to comment on your question and posting this as an answer. I will update the same later.
It may be due to SQL Server not having the login account for your windows login account. If that is the problem please add the logged in user to the SQL Server in the remote machine.
If this is already addressed, then you have the option of giving Rights as DB_Owner to " NT AUTHORITY\ANONYMOUS LOGON " on the SQL Server as well as on the specific database you are using.

Cannot log in using SQL authentication ONLY from a remote server

I am trying to connect to SQL Server 2008 from a remote server using 'sa' username and its password (I can log in normally with this username and password from my own computer - so "SQL Server and Windows authentication mode" is chosen).
In the SQL Server log file on my computer I see this error:
Login failed for user 'sa'. Reason: An attempt to login using SQL
authentication failed. Server is configured for Windows authentication
only.
I thought it might be a remote connection problem, so I checked that the remote connection in the properties is enabled, in the configuration manager I enabled TCP/IP and Shared Pipes and restarted the service afterwards and I created a firewall rule for port 1433. I also tried to turn off the firewall in case that it is being blocked somehow, but I got the same error.
How this error appears only when accessing SQL Server from a remote server?
How can I fix it?
From the SQL Server management studio, right click on your server (after connect) in the Object Explorer window and choose Properties.
On Security item, make sure that SQL Server And Windows Authentication mode is selected.
The most obvious solution for me seems to allow SQL Server authentication on the server if it's really necessary to use sa for access (what it should not normally).
To answer the "why" we need more information. Which program do you use to access the server. Is the connection string really identical for both accesses?
Just guessing: From your local machine you use integrated security=true somehow (which causes user and password to be ignored), and your local windows user is allowed to access the server. From remote you use integrated security=false so that you can't logon using user/password, as the server is configured to only accept Windows authentication.
I had the exact same problem today. I was not able to connect to SQL server remotely using username/password, but it worked with windows authentication, and logging in locally also worked.
The reason it didn't work here was that I was using a password that was too short on the sa user. Apparently it does enforce password policy if logging on locally, but remote connections are blocked.
You can either change the password to a longer/more complex one, or disable the password policy enforcement for the sa user.
Short how-to:
In SQL Server Management Studio, open Security -> Logins, find "sa" -> Properties -> Change password or uncheck this box:
In my situation, I have SQL Server 2008 and SQL Server 2012 installed. So, in server name field, I need a concrete name (for example: 10.141.133.125\SQLServer2012). That's it!
Hope this useful for you!

Resources