Linked server objects security model - sql-server

I need to lock down access to a linked server object in MSSQL server.
I am building views on a host database, from which, I query to populate a staging table on my warehouse server. I am using Data Tools/SSIS to extract the view data. To simplify the SSIS package, I am using the OPENQUERYsyntax to query the linked server object that exists on my warehouse server, and connects to other SQL servers, Oracle servers, etc., through linked server objects.
To provide access to the linked servers, I have set up a local SQL login on the host db that has read access, then I use 'Be made using this security context:' and pass the local SQL login. That works just fine.
I realize now that I have a problem: any user with warehouse access can query the linked server object because of that stashed security context! I don't want that! I do need folks who should have access to be able to query (so I can write my SSIS packages), as well as the SQL Server Agent service account to have access so when the SQL Server Agent job runs as that user that it can successfully query the linked server.
I believe that the key to locking down query access to the linked server object is somewhere in the 'Local server login to remote server login mappings', but I'm having a hard time figuring that out. When I try to add for instance NT SERVICE\SQLAgent mapped to the local login with access, then save, I hit 'Login failed for 'NT AUTHORITY\ANONYMOUS LOGON' when saving.
Any ideas on how I can allow a security groups that have access, and SQL Server Agent service account to query the linked server, but not the rest of people with warehouse access?

This is known as the 'double hop' problem
(https://blogs.technet.microsoft.com/askds/2008/06/13/understanding-kerberos-double-hop/)
and to get rid of the Anonymous login error you would have to properly set up Kerberos pass-through authentication;
https://blogs.msdn.microsoft.com/farukcelik/2008/01/02/how-to-set-up-a-kerberos-authentication-scenario-with-sql-server-linked-servers/
https://www.databasejournal.com/features/mssql/article.php/3696506/Setting-Up-Delegation-for-Linked-Servers.htm
However this is quite involved - you mention that to 'simplify' the SSIS package you use a linked server, however SSIS solves exactly this problem... Why don't you just use SSIS to copy the data from the other server to avoid using a linked server?

Related

Cannot initialize the data source object of OLE DB provider "Microsoft.ACE.OLEDB.12.0" for linked server "xxxx"

In our SQL Server 2017 we have a linked server to a Microsoft Access file/database.
There is a bunch of users who all log into SQL Server using Windows authentication, and this linked server is working fine for all but 1 user, this 1 user gets the error message in the title of this post.
This user can open the Access database directly, so they have permissions for the file itself. I have compared this user to one that doesn't have the problem and their SQL server account is set up in the same way in terms of server roles and database roles they are members of.
I thought it might be something to do with double hop authentication, so for some reason SQL Server might not be relaying the user's authentication when it accesses the Access database.
Our IT department have said that this user is set up the same as a different user who doesn't have the problem and they don't know what to do about it.
I hope this helps someone else, but I solved this by adding read & write permissions to directory:
C:\Users\SS1\AppData\Local\Temp (where SS1 is the user account that SQL Server runs as)
for the user who was having problems and that fixed it.

What grants are needed for the SQL Server Telegraf plugin in Azure SQL Database

I'm using the Telegraf input plugin for SQL Server (https://github.com/influxdata/telegraf/tree/master/plugins/inputs/sqlserver) to gather metrics and report to InfluxDB. It works well for SQL Server, but though it supports Azure SQL Database the documentation is a bit sparse.
The database user should be created like this:
CREATE LOGIN [telegraf] WITH PASSWORD = N'password';
GRANT VIEW SERVER STATE TO [telegraf];
GRANT VIEW ANY DEFINITION TO [telegraf];
That works on SQL Server, but in Azure it fails:
Securable class 'server' not supported in this version of SQL Server.
I wonder what I need to grant instead in order to solve this in the best possible way. We have a large number of databases running on the same server in an elastic pool, so if it is possible I would like to use a single user that logs in to the master and collects metrics for all the databases at once (the way it works with SQL Server). If that is impossible I can configure multiple logins and process one database at a time.
Perhaps I can grant VIEW DEFINITION at the database level, but VIEW SERVER STATE does not seem to be supported at all.
So, how should I configure the SQL Database login(s) for Telegraf with the SQL Server plugin to make it work?
EDIT:
Running as the super user for the server works without errors, but only produces metrics for master and tempdb. I need metrics for the many application databases and they are missing. Plus running as the super user is less than ideal.
Running as the super user for the server but connecting to a specific application database (add database in connection string) crashes with a nil pointer dereference and the log complains about VIEW DATABASE STATE permission denied in database master (the super user has access, but apparently not when connecting to a spefic database).
Granting VIEW DATABASE and VIEW DEFINITION to telegraf in an application database and connecting directly to that database as telegraf crashes with a nil pointer dereference and the log says the connection was closed.
EDIT 2:
Created bug report https://github.com/influxdata/telegraf/issues/4222.
EDIT 3:
As of the latest release the plugin works if the server admin account is used, so the issue has been solved. There is still no way to run with a less privileged account in Azure DB.
The answer:
GRANT VIEW SERVER STATE is not supported in Azure SQL Database.
On SQL Database Premium Tiers requires the VIEW DATABASE STATE
permission in the database. Permissions can not be granted in Master,
but the views can be queried in user databases. On SQL Database
Standard and Basic Tiers requires the SQL Database server admin
account due to security requirements following from multi tenancy of
those tiers.
Reason:
SQL Azure SQL is PaaS solution, therefore the most "server" specific features, DMVs, settings are blocked by purpose
References:
Grant View Server State - is it possible for a none SA user to have in Azure SQL?
SQL Azure VIEW DATABASE STATE permission denied in database 'master'
Possible workaround: (which is, anyway does not work in ewramner case)
CREATE LOGIN [telegraf] WITH PASSWORD = N'password';
USE [yourDB]
GRANT VIEW DEFINITION TO [telegraf];
GRANT VIEW DATABASE STATE TO [telegraf];
Therefore, (IMHO), there is no way to make such application working in SQL Azure without changing application code

Execute SQL Server Stored Procedure from VBScript that updates Linked server table

I'm trying to run a VBScript which calls a stored procedure (SQL Server 2012) that Inserts records into a Linked Server Table.
The script returns the following error:
The Microsoft Access database engine cannot open or write to the file '\999999999\99999999\9999999\9999999.accdb'. It is already opened exclusively by another user, or you need permission to view and write its data.".
Nobody else is using the table.
However, when I execute the stored procedure from Management Studio it works fine. I believe the problem is related to permissions. How do I grant a user explicit rights to Linked Servers?
I apologize for not providing more detail to my question earlier, I made the mistake in thinking that there was a simple solution, with that said here are some more details:
The key to this problem is: When I login as Windows Authenticated User on SSMS I'm able to run my Stored Procedure (Which connects to the Linked Server) without a problem. Couple of more technical points to add as I do more research (and finding this is not a simple problem):
The SQL Server is on Subnet ...5.X
The Access Database is on Subnet ...2.X
VBScript runs from a Job Processing Server on Subnet ...5.X
The Windows Authenticated Account on SQL Server has the Linked Server setup and can connect using the IP address and shared folder \192.168.2.X\Blah Blah Blah\thedatabase.accdb
If I login to SQL Server using SQL Server Authenticated User they cannot access the Linked Server (See error in original post)
If I attempt to run the VBScript from the Job Processing computer as the SQL Server Authenticated User or with a Trusted Connection I'm unable to access the Linked Server.
I've tried mapping a drive on the SQL Server computer for the SQL User (didnt work)
I've tried various combination of Login configurations on the Linked Server: Made without using security context, made using the login's current security context, made using the security context (admin username and password on other machince, SQL server admin username and password)
I've added the SQL User to the domain user group (But I only made them a standard user, need to research this one before making to many modifications)
I've added the SQL User as an Admin on the Access Database computer.
The key to my problem is: Why can the Windows Authenticated user connect to the MS Database via Linked Server and the SQL User cannot
Again apologies for not supplying this much detail upfront but I made the mistake of thinking this was a simple security problem.

Access 2010 and ODBC connections

I have a server (2008R2) that has little Access (2010) databases relevant to departments and their needs. I have a new EHR server (2008R2) running SQL (2008R2) servers and am able to establish an ODBC connection between the two. I created the ODBC using the SA / SA password to the SQL Server.
As an administrator, I can log in to the Access database and run queries and reports based off of tables linked back to the SQL DB. No one else can. I did save the password when I created the External table link in Access. My Sys Admin - also Administrator, cannot run queries or reports logged into the Access database server for this DB.
On this particular SQL Server, I am not an admin under my login. I have to use the SA account to login to the backend or through the Management Console.
I need to have the EHR managers run their own reports. Does anyone have any experience with why the ODBC would not be allowing a connection for anyone but me when the connection is server based?
What Gord Thompson said is important. Access is not a database server and its engine runs on the client machine which will need copies of whatever DSNs are used.
But the problem of getting Access to 'remember' credentials is something I recall struggling with in Access 2000. My solution was to create a dummy pass-through query (anything that will run quickly) that stores the credentials. When a new client session starts, first call the dummy query and for the duration of their connection, they'll have access to the DSN in question.

VS2013 Project MS access and SQL server synchronization

I will try make this question clear as possible.
I have not found solid help on google really or anywhere else.
To make it short and simple.
I have a vb.net project in which i want two databases.
A local access database which must be created within the project at design, meaning at publishing and then installing this program to another user it must automatically create an acccess database on that user's computer,sync it with a SQL remote server and copy all records at first time run to the access database. The access database is used when my worker is on site and there is no connection to the remote SQL Server database.
Upon achieving connection to the remote SQL Server database at e.g. the office, the access db must update the SQL server database,compare the two databases and copy any new records in the local (Access Db) to the remote sql server and vice versa.
Hope this is clear enough?
Thanks for any help

Resources