I wanted to read AWS Postgresql from within SQL Server, so
I created a system ODBC connection to Postgresql on the SQL Server machine, tested it, fine.
I then created a Linked Server to connect to postgresql.
In the Security tab (For a login not defined in the list above, connections will), I selected "Be made using the login's current security context".
When using this linked server while connected to SQL Server through windows authentication, it works fine.
If I connect to SQL Server using a SQL Server authenticated account, trying to access postgresql data through that same Linked Server fails authentication.
I fixed that by switching my security setting to "Be made using this security context" and giving the POSTGRESQL login/password (same that I gave at the ODBC level).
Question:
Without repeating the postgresql details at the Linked Server stage, why is it working with Window sauthentication account and not for SQL Server authenticated accounts?
Neither are relevant to Postgresql?...
I made it work but still confused...
I will have to guess a bit to help you, but I hope to give you enough context to understand what is happening so you can debug further.
When you connect to SQL Server using integrated authentication, the domain controller gives out a token to talk to SQL and this is used to authenticate your connection from your client to SQL Server's process. Underneath the covers, Windows can use either NTLM or Kerberos to do this handshake. You can read more about this here in this blog post:
NTLM vs. Kerberos Blog. This protocol choice matters when trying to use linked servers since it has to then authenticate to something else over the network.
At this point, it matters what credentials are used to run SQL Server (usually as a service in the services window to see). If you are running SQL as Local System or Network Service or something else defined by windows (instead of as a specific user on the network), it may or may not have permissions to talk out to your target remote server (whether it be postgres or something else). When you use Kerberos and enable delegation (which the domain admin needs to do), you can have the original integrated auth credentials "flow" over the linked server link to the next connection. NTLM does not do this. Therefore, the usual scenario is to create a map in the local SQL Server of what credentials to use when talking out to a remote linked server.
If you are talking to an ODBC driver, then you are likely using the msdasql (OLEDB to ODBC bridge) provider and then also having to go through its authentication stack. It has been too long for my memory as to whether it even supports integrated auth at all, much less delegation in Kerberos. However, you may be able to debug this problem further if you:
consider which account is running SQL
consider which mechanism is used to do integrated auth to sql and whether that would work with delegation
determine which credentials are used to make the outbound connection to your ODBC target. You should be able to debug much of this through the profiler mechanism as there is a distributed query/linked server set of events IIRC.
I can't speak to your postgres provider specifically, but this should give you some more tools to debug. Hope that helps you get one step further.
Related
Testing SQL queries with large datasets against Azure SQL server may be costly, so it is better for me to test my code against a local server. I would like to create a new local server with "SQL Server authentication" rather than "Windows authentication", and I would like to keep my default local server that uses Windows authentication.
In lack of better phrasing:... is it "common" to have multiple SQL servers with different authentication methods on the same Windows-10 pc ?
If it is "straight-forward" to do this, then please share "how-to", or share better jargon for web searches. I did not find much information on this when googling "create new local server with sql server authentication"
As you may easily catch from the text: I'm not an IT expert...
Yes, you can use at an instance and solely your will to provide the accesses.
where you can use Windows Authentication mode and mixed mode.
More information about Windows Authentication may be found at: Connecting Using Windows Authentication.
We may utilize SQL Server Authentication to solve your problem by passing the user name and password.
I'm new to SQL Server. I was a postgres user before. I installed the default SQL Server on my local machine and I'm trying to get an old react with node js application of mine working with a SQL Server. When ever my frontend makes more than 1 call to the backend, if my SQL Server has admin privileges it throws
Error: 17810: Could not connect because the maximum number of '1' dedicated administrator connections already exists.
If not, it throws:
Error 18451: Only administrators may connect at this time.
I checked my database configs and it's set to MULTI_USERS, so I don't understand why I can't login without admin privileges. Can someone help me with this? I wasn't able to find anything online.
My NodeJS backend is using TypeORM to connect to the database
The dedicated administrator connection is a different kind of connection. It's not just "a connection being made by someone with administrative access". You would use the DAC when the SQL instance is having some kind problem, and you can't connect at all because resources are all tied up. SQL will reserve some resources especially for the DAC connection to make sure you can still connect.
A DAC connection can be made by specifying ADMIN: as part of your connection string, which will connect to the assigned DAC port.
You shouldn't use this for "routine" admin work. Just connect using a login with the required administrative server roles (eg, sysadmin). You definitely shouldn't use this as part of a regular application's connection string. You shouldn't be using a SQL Server sysadmin login either. Create a user with the appropriate permissions for your application, and don't use the admin connection.
Regarding your second issue: Make sure the instance wasn't set to start in single user or minimum configuration mode using startup flags. Note that this is for the whole instance, it's not the same as the configuration for an individual database.
The basic question is this, if our Windows service uses Windows Authentication for connections to SQL Server, and then because of a network disconnect, SQL server and/or the client machine cannot reach AD to authorize or authenticate, will our service still be able to connect to SQL Server and operate?
I’ve tried it and it seems to work, but we are concerned if it will work even after a few days of being disconnected or after server reboots and the like.
The alternative would be to use SQL Server Authentication, but we would rather not have to deal with potentially exposing and having to protect the password on the client computer. This computer may be in a remote location with little supervision. SQL Server would typically be running on this same remote computer.
And for the follow up questions, does it matter which edition of SQL Server we use? Does it matter that both SQL Server and the service are running on the same computer?
If AD connection is lost, existing SQL connections will keep working (at least for some time), and connection pools will be still available (again, for some time). However, I wouldn't get too comfortable with this, because these time spans might depend on settings outside of a typical DBA' reach.
Alternatives are:
Use an AD proxy. Depends on circumstances, might not be always viable;
Use local user accounts instead of AD. Works always.
I am new to SQL Server, I am planning to build a distributed application in Java for SQL Server. I am curious to know that if there is a way to handle the following scenarios:
UserA logs in on MachineA and chooses Windows authentication as credentials in app. My application's 2nd component is on MachineB (components communicate using RESTful web services) and MachineB has SQL Server installed on it. MachineB has the code to connect to SQL Server.
I want to know what are the steps to make this happen, is it possible to use windows authentication here?
UserA logs in on MachineA and uses Windows authentication, code to connect is on MachineB and SQL Server is on MachineC. What are the required steps here to make this happen, connection string and if I need to make any domain etc.
Assuming all machines are on the same DOMAIN, yes it will work. You may need to configure Kerberos (SetSPN) to make sure the service is trusted. You should check Microsoft® Kerberos Configuration Manager for SQL Server® from Microsoft. If Java is used from a Web site, you will also need to configure a SPN for this service as well. When it's all configured, To connect using Java, your ConnectionString should look like this:
jdbc:sqlserver://localhost;databaseName=AdventureWorks;integratedSecurity=true;
Hope it help.
I need to connect to a secure SQL Server database using Perl DBI. I need to find a way to authenticate the user securely (without fear of eavesdropping, and without storing passwords on the client side). I'm using SQL Server 2008 on Windows Server 2008, and Perl 5.10 on XP.
SQL Server supports encrypted connections via something called the "SQL Server Native Access Client API", but I cannot tell whether this is supported by any DBD driver, or how to use it if it is.
I am reluctant to use the DBD::ODBC driver with SQL Server authentication, because ODBC transmits user IDs and passwords in cleartext.
I can't use the DBD::ODBC driver with Windows authentication (trusted connection), because the server is not on any Active Directory domain that is accessible from the client's network.
How can I secure my connections to the database? Thanks.
I am reluctant to use the DBD::ODBC driver with SQL Server authentication, because ODBC transmits user IDs and passwords in cleartext.
That is not strictly true. If you are using a recentish SQL Server and have not disabled encryption in it then the username/password and connection string are encrypted as follows:
The client contacts the server and tells it what it is capable of (e.g., it can do SSL). If the server then supports SSL it requires the client end to encrypt the connection info and falls back to unencrypted after that. You should also see the "Use Strong encryption for data" checkbox in the DSN.
Two options:
Create an IPSec tunnel between two locations. Some info here:
technet.microsoft.com/en-us/library/cc737154(WS.10).aspx
technet.microsoft.com/en-us/library/cc786385(WS.10).aspx
Enable SSL. I am not sure how well it would be protected.
technet.microsoft.com/en-us/library/ms189067.aspx
I would suggest that you use some kind of secured connection system. It might be IPSec, but it is often viewed as complicated, so you might be better (or faster) off with OpenVPN, which I use, and generally am happy with.
It can be used on virtually any operating system, is fast, and free. You can check it here: http://openvpn.net/