Using the example below, which is in my App.Config file, are the uid and password values for the SQL Server, or the SQL Server instance, or for the database that is on the SQL Server?
value="server=localhost;database=myDb;uid=myUser;password=myPass;"
Thanks,
ADawn
Sql Server separates the concept of a login from a user. A server instance itself has logins. Individual databases hosted on a server instance have users.
When you want to run a query or otherwise interact with a database, you generally first connect to the server. You supply a username (uid) and password that match a server login. This login in turn maps to a user in one (or more!) databases hosted by that server.
You can see the user mappings by opening Sql Server Management Studio and connecting to your server. In the Object Explorer area expand the Security and then Login folders (just under "Databases"). Double-click a login to open it's Properties window, and find the User Mappings section.
The connection string also includes a database. The purpose here is (again) because a login might map to more than one database. Specifying a database as part of the connection provides context, so you don't need a database name with every table reference in your SQL code.
There's also Windows/Active Directory authentication (Integrated Security). This makes things even messier, because you can set up Active Directory groups (in addition to users) as server logins to manage access for a number of people at once. An Active Directory user can belong to more than one of these groups... and thus map to more than one user in a single database. In my experience, when this happens you tend to get the union of the set of permissions from every database user you could claim, but I haven't studied that situation thoroughly.
server=localhost;
This is the location of the server. You can use the IP address or the name of the computer. Localhost means this code is on the same machine as the SQL server
database=myDb;
This is your database. Such as master (which is a system one)
uid=myUser;
This is a login on the SQL server. Make sure that login has permissions to the database you are trying to access (and subsequent tables). See the picture below, that is a login abc_test.
password=myPass;
The password for the above user
It is possible to have those Logins as Windows Authenticated logins but in my experience in code it's usually SQL Server authentication (mixed mode) logins.
As sniperd said You can create a new login with a new username and password by right clicking on Logins. Or you can use an existing Login name and change its password. Hope this gonna work!
Related
I have a Microsoft Access Application which generates a connection string like:
Provider=SQLNCLI11;Server=servername;Database=db_name;Trusted_Connection=yes;
This works without any problem.
What I want to do is to connect to a SQL Server instance where the user must insert his Active Directory name and password.
Like this:
Provider=SQLNCLI11;Server=servername;Database=db_name;Uid=username;Pwd=password;
This only works for users which are created on the SQL Server directly.
I tried Uid=DOMAIN\username, but it isn't working.
Is this possible? Or is there another way how I can get through this?
The environment:
The User is using a local PC with a local account and then he's doing a "NetworkConnect" with his AD-User and password.
After that, "RunAs" as his AD-User is working BUT there is another Application that is started from the Access Application and this App must be started with the local User-Account.
SQL-Server and the AD-User are member of the same domain.
Your choices are
Login to SQL Server using your the Windows Domain account that you are currently logged into. You do this automatically by specifying Trusted_Connection=yes;, or
Login to SQL Server using a SQL Login.
Those are the only two choices possible using a SQL provider connection string. Specifically, you cannot use the SQL access provider to do impersonation, that is, to login to SQL Server using a different Windows domain account than the one that you are currently logged into.
Microsoft designed the AD integration with SQL Server to use the account of the client application, not to be able to handle logging in as a part of the connection string. If the user isn't going to be logged into the machine using the account needed for the database access, the next best option may be something like ShellRunAs in order to let the user run your client app as the correct AD account.
Is it possible to use LDAP (not Active Directory) to authenticate users on a MS SQL Server database. We have business users who have SQL user accounts on the database, and want to switch that to an LDAP server (specifically, JumpCloud).
Yes it is possible if you consider this:
Each user has a local machine user account on both the server and the client
The local machine user account names on the server and the client match exactly - case, spaces, characters (handle the accounts with jumpcloud agent).
The passwords for the local machine account on the server and client match exactly - case, spaces, characters (set the passwords from jumpcloud)
Create permissions of local windows users on each sql database you will need to access (On SQL Management studio, expand the database, security, users, right click and add user of type windows user, browse on user name ..., type the username, check name and confirm it)
To have a better idea you can check https://jumpcloud.com/blog/managing-shared-ntfs-folders-local-accounts/
To express myself better i start by example.
In my client server application there is a users table.
Each user is mapped to a sql server user.
The database is full of tables, anyway each user can query just 1 table.
The table contains the following information:
the version of the database (so the client app can check whether the database version matches with the client version)
the db admin login name (tipically "sa")
the db admin password (this is encrypted with custom algorithm for security - please note i install a dedicated Sql Server Instance for my applciation)
I make sure each user can query just a table by executing for each user:
GRANT SELECT ON ConnectionTable TO LoginName
So the full flow is:
1) the user inserts username/password
2) the client application retrieves all the info from ConnectionTable
3) the client applicaion decrytpts the sa password
4) the client application logs in as sa so all tables are visible and editable
Now this is what i have (legacy) and I cannot change it.
Somehow this "custom login trick" has been done to avoid to write somewhere on the client the sa password, many client server software i know in fact all use sa to connect and user/password are just two fields of a simple USERS table, but the real connection string is somehow (with a certain degree of security) saved on a file in each client; in my case the "connection string" is stored in the database so as a user logs in to the database (even if with a user that has a restricted access) he gets all he needs to succesfully login.
Since i install Sql Server in mixed mode i support also Windows AUthentication.
So at login the user has a switch to choose between SQl Server and Windows Authentication, as it happens when connecting to SS Management Studio.
What i am trying to achieve now is to login as another user.
I would like that the user checks "Windows Authentication" but he/she can still type the username and the password.
My application is written in Delphi using the SDAC components. As far as i understand SDAC does not allow to perform what i need to do, but i could change only the login part using anothe DAC (Firedac for example). My goal is to login as another windows user.
The final goal is to query ConnectionTable so that i can retrieve the encrypted sa password and login.
So my question is:
is it possible (in Delphi Seattle VCL Application) to login to a Sql Server database by setting a windos user different than the current logged in user?
UPDATE:
To better explain my need i describe the real scenario that generates my requirement.
I created a web applciation (using VCL for the web) that uses the same authentication method as my client server application does.
Imagine my user is MyDomain\MyUser, when I am in LAN i will use Windows authentication to login, but when I login let's say from my Android Phone I would like to login as MyDomain\MyUser by providing password. This is the case, in fact i do not need to impersonate other users, i just want to login with my user when i am not logged in on a Windows pc in a LAN.
So somohow at the login screen of my application i would like to choose Auth: Win/SQL and in case Win is chosen, i would like to pass the actual username and password to login.
I hope this clarifies more the scenario.
Moreover i also host my application in the cloud and in this case all users are WIndows authentication users of a domain that i created for administratrive purposes, and each user needs to provide username and password to login.
My request comes from the fact that I always supposd that Winows Authentication = LDAP and therefore in LDAP it is possible to specify user and password, while in sql server it looks somehow user is pre-defined (and = to the logged in user) in case of Windows authentication.
Could somebody explain how you can have different databases/security when connecting in via Windows Authentication from when someone connects via SQL authentication?
I have a customer who had to put a computer onto their network. When they did this, the computer name changed. When connecting into SQL it now has a different server name.
The thing is if I connect using a SQL username and password, I get the databases that were installed before. However If I connect using windows authentication, I do not get the database.
I would like to know what needs to be changed in order for windows authentication to see the same as a user logging in via SQL authentication.
How can I go about changing the permissions of windows authentication?
Within SQL Server, there are Logins (at the server level) and Users (at the database level). Your SQL Server login obviously has permission to the database(s) you want to see. The logins can also be windows users and/or groups. So, if you add a named windows user as a server login, you can extend that login as users in different databases. You can do the same thing with a group. So, you could have a single login to your sql server that represents all authenticated users in your domain, etc...
So, I think you need to get into SSMS (SQL Server Management Studio) and see what logins and users are defined on your SQL Server.
I have a .NET application which connects to SQL Server 2008 for storing some data. I use SQL Server authenthication providing an sq username and a password to my end-user in app.config file. If something more needs to be changed I give to the end-user some other credentials.
How can I limit the sql user to only have permission to read/write data and executing existing stored procedures and everything else to be forbidden?
What is the best practice for setting permisions for a sql user that an application is using to connect to a database? Can I prevent somehow the user from logging in Management Studio and mess with my data?
I'm not searching for the perfect 100% reliable solution, but the best existing practice to do this. Thank you very much in advance.
Update: I work on a shared hosting SQL Server environment.
You'll need to create a new SQL user, something like 'LimitedUser'. To do this in SSMS, select the Security Folder of the server you are using, right-click, select New, select Login.
Select your authentication type (SQL server authentication is easily managed), and set the Default database to your database.
You'll need to set Server Roles so this new user only maps to your DB, and in the last page (Status), set Login to false so they cannot use these credentials to login to SSMS and 'mess with your data'.
Click OK, and you're done creating your limited user.
Assign it to your database, and then in SSMS, right-click on your db, select Properties, Permissions.
Select your user or role, and in the permission grid below, switch on only what need to be switched on.
As I see, your question is fully concerned with SQL server security.
You can limit user permissions on server, database or object scope, using GRANT statement, server or database roles. For example, you can assign db_datareader role for user, and then grant EXECUTE permission to this user for some stored procedures (or for entire database).
The current practice in my organization is to create the database roles (e.g. application admin, operator, and so on), adding the appropriate permissions to these roles and then assign these roles to database users.
I'm not completelly sure that you can prevent login into SQL Server Managent studio (SSMS), but SSMS wll not display information that must be invisible for user with user current permissions.
Shared SQL Server hosting where a single instance is shared among multiple customers is not compatible with with typical client-server applications. You are expected to perform all operations through a middle tier server such a WCF Data Service and maintain user accounts within your database in a table with Forms Authentication etc.
For your client-server application you need VPS hosting with your own instance of SQL server where you can create server-level logins. Without creating server-level logins there is no method to secure a client-server application. Any workarounds are just pseudo-security.