I am currently setting up some users for my Azure SQL DWH. I have created a Login at server level and a User at my database. However, I am getting a login failed message if I try to use my database user. If I use the Login I have created it works just fine. This Login also only has access to the views I have granted it access to. Am I missing something really obvious or is there something different about logins and roles in SQL DWH?
CREATE LOGIN Login WITH PASSWORD = 'Password';
CREATE USER User FROM LOGIN Login;
You cannot use “user” as the name of the new database login because is a reserved word. Additionally add the login to the datareader role and try again.
EXEC sp_addrolemember 'db_datareader', 'newdatabaseuser';
Try to login to the SQL Data Warehouse server without specifying the database. If you are able to connect then with above statement you may solve the issue.
If you are trying to get connected from an application please make sure you are using appropriate drivers. Learn more about it here.
Hope this helps.
Related
I'm trying to create database users that are integrated with azure active directory. All of our users are guest users. I've been following multiple articles on how to create users in the SQL db but none have worked.
For example, this article: https://www.mssqltips.com/sqlservertip/5242/adding-users-to-azure-sql-databases/
Suggest to create users like so:
CREATE USER [name#domain.com]
FROM EXTERNAL PROVIDER
WITH DEFAULT_SCHEMA = dbo;
This yields the error:
Principal 'name#domain.comm' could not be found or this principal type is not supported.
Googling this error lands me on stackoverflow post (https://dba.stackexchange.com/questions/148325/add-active-directory-user-for-azure-sql-db):
which suggests:
CREATE USER [name_domain.com#EXT##<yourAzureSubscriptionPrefix>.onmicrosoft.com] FROM EXTERNAL PROVIDER
and accesses:
EXEC sp_addrolemember 'db_datareader', 'name_domain.com#EXT##<yourAzureSubscriptionPrefix>.onmicrosoft.com'
EXEC sp_addrolemember 'db_datawriter', 'name_domain.com#EXT##<yourAzureSubscriptionPrefix>.onmicrosoft.com'
and this does not give an error, but it also does not provide access to the database. Since I get error NT AUTHORITY/ANONYMOUS LOGIN
I also tried to create an AAD group and provide that group access, also no error here but couldn't login either.
Couple of notes:
All IP addresses are allowed on the firewall
all users have been added in sql db IAM (not sure if this is even necessary)
I've enabled Active Directory Admin in the sql server, I put the subscription admin here
This is also the users with which I created users in the SQL DB
I'm able to create native sql users without a problem
Still I'm only able to login using the Active Directory Admin, and no other user is able to login.
Any advice on how I can login to my Azure sql database using windows credentials from Azure Active Directory?
When using external users, you need to use the "mangled user principal name" when adding them.
That's this one:
CREATE USER [name_domain.com#EXT##<your-azure-ad-default-domain>.onmicrosoft.com] FROM EXTERNAL PROVIDER
Secondly, the users will be created only in that database; they cannot connect to master.
So you need to choose the DB to connect to.
You may also need to specify the AAD tenant id in advanced connection settings.
The reason you might need to do this is because by default an external user will login to their home tenant. Which is not the one connected to your DB. So you may need to specify the tenant to have them explicitly login against your tenant.
Have a SQL Server instance on my local machine. I use window authentication to login the instance. My understanding is a login needs to map to a user, and that user needs assign some certain database level roles, then can operate some sort of actions.
But interesting, I did not assign any user to map this login, nor attach any database level role to any user. This login could still run all of the actions on that database. Can someone explain why is that?
Thanks
That login acts or as SYSADMIN or as Guest user in the database
I try (for the first time) to create a user account on my SQL Azure database.
I have read in some blogs that I have to create these command lines
CREATE LOGIN login_name WITH PASSWORD = 'strong_password';
CREATE USER 'user_name' FOR LOGIN 'login_name';
And then
USE [Database];
GO
GRANT CONNECT TO login_name;
But, when I try to connect with this new account on my database, I have the message error 916
The server principal "login_name is not able to access the database "master" under the current security context.
I don't understand because the don't create my new user for the master but for a specific database in my SQL Azure environment (I have 5 databases in my SQL Azure by the way)
If you have any idea to help me, thanks in advance
When first logging in, unless a database is specified in the connection string, a login connects to its default database. If the database is not specified in the CREATE LOGIN statement, the system default of master is used.
To fix this, use this for your CREATE LOGIN:
CREATE LOGIN login_name WITH PASSWORD = 'strong_password',
DEFAULT_DATABASE = MyDatabase;
how its possible to see 'sa' login in connection with login which have only granted to read some views? Probably cant to edit anything, but can see. And also can see list of databases, but cant to open. All in SQL Management Studio. Login just created by:
create login YourTpvLogin with password = 'enter new password here'
go
create user YourTpvUser for login YourTpvLogin
go
grant select on YourView to YourTpvUser
Thank you for explanation or way how to fix it.
Ok... First of all Every SQL Server login belongs to the public server role. Next - The public server role is granted VIEW ANY DATABASE permission which means that a login that is granted this permission can see metadata that describes all databases including master database which in turn records all the system-level information for a SQL Server system including information about SQl server logins and sa login of course is not an exception.
So... any new login can see all databases and logins but can't modify them.
Possible "solution" for hiding databases is to deny a login the VIEW ANY DATABASE permission.
To limit visibility to database metadata, deny a login the VIEW ANY
DATABASE permission. After this permission is denied, a login can see
only metadata for master, tempdb, and databases that the login owns.
And... you can't completely hide the sa login because every login must be able to read server's metadata from the master database.
I would like to know if it is possible to change a SQL Server authentication account to Windows Authentication?
Why would I want to do this you are asking yourself right now, well I don't want to give out a SQL Server Auth username and password to multiple users to connect to the database, currently the company do things this way, and we don't really have another choice. When we deploy a new database script we don't always have the Windows Auth account before it gets released and we don't want to go an update our deployment script.
I am trying to do this using
ALTER USER Test
WITH NAME = [mydomianname\username]`
I've tried it but no luck.
I keep getting this error:
Msg 15151, Level 16, State 1, Line 1
Cannot alter the user 'Test', because it does not exist or you do not have permission.
Thank you in advance!
I think you should be altering user with login not name, because with name you just rename the user:
ALTER USER Test WITH LOGIN = [mydomianname\username]
But it is impossible because of:
Cannot remap a user of one type to a login of a different type. For
example, a SQL user must be mapped to a SQL login; it cannot be
remapped to a Windows login.