Finding NT user (Windows login) that uses SQL Server Login - sql-server

As part of a security task I need to find all SQL Server logins that connect to the SQL Server instance.
I created an extended event to capture logins and filtered only SQL Server logins.
The problem is that I cannot tell from SQL Server which NT user was used.
Example:
From the xEvent I can see that user [sa] logged in to the SQL Server instance, and I can also see the client host name.
BUT now I would like to know which domain account was logged in on that client host and used this SQL authentication.
I understand that SQL Server cannot give this information, but I would like to know if I can get this info using PowerShell maybe.
I have the host name and the SID.
I could not find a solution here:
How to get Windows Log-in User Name for a SQL Log in User

You do not have a SID; that is a SQL Server SID (yes, there is such a concept).
First, the answer: you do not. If you want to prevent SQL logins, you deactivate SQL logins, and that should be the end of the story.
Since there is no NTLM/Kerberos exchange for a SQL Server login, there is no way to find the credentials of the process/thread that initiated a SQL login connection. However, you do have the host from which the connection was initiated and the process ID (they are the host_name and host_process_id columns in sys.dm_exec_sessions). Finding the credentials of the remote process is a trivial matter left as an exercise.

You've referenced having the SID, so if this is correct you can translate that to a user account. This works for both local users, and domain users:
$sid = 'S-1-5-21-3423846758-2645770820-3983523239-1001'
# Wrap the SID string in a SecurityIdentifier so it can be translated
$objSID = New-Object System.Security.Principal.SecurityIdentifier($sid)
# Translate() asks the local machine / domain to resolve the SID to DOMAIN\name
$objUser = $objSID.Translate([System.Security.Principal.NTAccount])
# Keep only the account name, dropping the leading domain or computer name
($objUser.Value -split '\\')[1]
Note: $objUser will contain either the computer name (for a local account) or the domain name (for an Active Directory account), so the split is to parse out the username only.
However, I'm currently unsure how you link this to which account they're using within SQL server (using SQL authentication) - I'm not sure where you're getting the SID information from (Windows event logs? Within SQL itself?).

Thank you all.
I managed to get the AD domain user by running Get-WmiObject -Class Win32_Process:
1. Find the host_process_id and host_name using sys.dm_exec_sessions
2. Run in PowerShell:
Get-WmiObject -Class Win32_Process -ComputerName $host_name -Filter "ProcessId = '$($host_process_id)'" | ForEach-Object { $_.GetOwner() }
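The two steps above combined into one script, as an added example that is not code from the original post. It pulls every session whose connection used SQL authentication (auth_scheme = 'SQL' in sys.dm_exec_connections), then asks each client host who owns the reported process. Assumptions: it runs in Windows PowerShell (Get-WmiObject is not in PowerShell 7; there use Get-CimInstance with Invoke-CimMethod -MethodName GetOwner) as an account that has VIEW SERVER STATE on the instance and is a local administrator on the client hosts, with WMI/DCOM reachable; $ServerInstance is a placeholder.

```powershell
# Added example: attribute SQL-authenticated sessions to the Windows account
# that owns the client process. Not code from the original post.
param(
    [string]$ServerInstance = 'localhost'   # assumption: your instance name
)

# Step 1: SQL-authenticated user sessions. auth_scheme lives in
# sys.dm_exec_connections; host_name/host_process_id in sys.dm_exec_sessions.
$query = @"
SELECT s.session_id, s.login_name, s.host_name, s.host_process_id,
       s.program_name, c.client_net_address
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE c.auth_scheme = 'SQL' AND s.is_user_process = 1;
"@

$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Data Source=$ServerInstance;Integrated Security=SSPI;Initial Catalog=master")
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = $query
$reader = $cmd.ExecuteReader()
$sessions = @()
while ($reader.Read()) {
    $sessions += [pscustomobject]@{
        SessionId  = $reader['session_id']
        LoginName  = $reader['login_name']
        HostName   = $reader['host_name']
        ProcessId  = $reader['host_process_id']
        Program    = $reader['program_name']
        NetAddress = $reader['client_net_address']
    }
}
$reader.Close()
$conn.Close()

# Step 2: for each session, ask the client host who owns that process ID.
foreach ($s in $sessions) {
    $owner = $null
    try {
        $proc = Get-WmiObject -Class Win32_Process -ComputerName $s.HostName `
                    -Filter "ProcessId = $($s.ProcessId)" -ErrorAction Stop
        if ($proc) {
            $o = $proc.GetOwner()            # returns Domain, User, ReturnValue
            if ($o.ReturnValue -eq 0) { $owner = "$($o.Domain)\$($o.User)" }
        } else {
            $owner = 'process no longer running'
        }
    } catch {
        $owner = "lookup failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        SessionId    = $s.SessionId
        SqlLogin     = $s.LoginName
        ClientHost   = $s.HostName
        ClientIP     = $s.NetAddress
        ClientPid    = $s.ProcessId
        Program      = $s.Program
        WindowsOwner = $owner
    }
}
```

Treat the result as a lead, not as evidence: host_name and host_process_id are values the client sends in its login packet (a SqlClient connection string can set any "Workstation ID"), so a hostile client can point you at the wrong machine. Cross-check the reported host against client_net_address before trusting the owner you get back.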

Related

How to Restart SQL Reporting Service with Account and Password?

In Windows Server 2003, I have a service running called 'SQL Server Reporting Services'.
This service stops at times, and when I try to start it, it gives an error:
'Error 1069: The service did not start due to a logon failure.'
After which, I go to Properties -> Log On -> This account -> give the username and password.
After applying the changes, I can start the service.
How do I go about writing a script which would automate setting the username and password and starting the service? Also, is there any way to check if the service is in a running state and, if not, script the logon step and start it?
Thank you.
I would suggest installing PowerShell for Server 2003.
Have a look at this PowerShell script to change the service account.
You can use Get-Service to find out if the service is running.
Something like the following could help (for a Windows machine):
----> Refresh_SSRS.ps1
# Bounce the Reporting Services service (display name as on the page)
Stop-Service "SQL Server Reporting Services (SQLSRV)"
Start-Service "SQL Server Reporting Services (SQLSRV)"
# Warm up the Report Manager page using the Windows credentials of the
# account the scheduled task runs as
$wc = New-Object System.Net.WebClient
$cred = [System.Net.CredentialCache]::DefaultNetworkCredentials
$wc.Credentials = $cred
$src = $wc.DownloadString("http://ComputerNamexxx/Reports_xxxxxx/Pages/Folder.aspx")
----> Run in Task Scheduler on a regular occurrence, where the user account can be associated:
Powershell.exe -ExecutionPolicy Bypass -File C:\commands\Refresh_SSRS.ps1
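The missing piece in the answer above is the logon step the question asks about. The script below is an added example, not code from the answer or its linked script: it checks the service state with Get-Service, re-applies the logon account through Win32_Service.Change when the service is down, and starts it, without a plaintext password in the script. Assumptions: the service name 'ReportServer' (the page only shows the display name 'SQL Server Reporting Services (SQLSRV)', so adjust it for your instance), and a credential file created once, interactively, on the machine that will run the task with: Get-Credential | Export-Clixml C:\commands\ssrs-cred.xml (the file path is a placeholder).

```powershell
# Added example: set the service logon account and start the service.
# Not code from the original answer.
param(
    [string]$ServiceName    = 'ReportServer',                # assumption
    [string]$CredentialPath = 'C:\commands\ssrs-cred.xml'    # assumption
)

$svc = Get-Service -Name $ServiceName -ErrorAction Stop
if ($svc.Status -eq 'Running') {
    Write-Host "$ServiceName is already running; nothing to do."
    return
}

# Export-Clixml stores the password as a DPAPI-protected SecureString, so this
# file can only be read by the same Windows user on the same machine that
# created it. Run the scheduled task as that user.
$cred = Import-Clixml -Path $CredentialPath

# Win32_Service.Change(DisplayName, PathName, ServiceType, ErrorControl,
# StartMode, DesktopInteract, StartName, StartPassword, ...). A $null argument
# leaves that field unchanged; only the account and password are set here.
$wmi = Get-WmiObject -Class Win32_Service -Filter "Name = '$ServiceName'"
if (-not $wmi) { throw "service $ServiceName not found via WMI" }
$result = $wmi.Change($null, $null, $null, $null, $null, $null,
                      $cred.UserName, $cred.GetNetworkCredential().Password)
if ($result.ReturnValue -ne 0) {
    throw "Win32_Service.Change failed with return code $($result.ReturnValue)"
}

Start-Service -Name $ServiceName
# Block until the SCM reports Running (or give up after a minute)
(Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
Write-Host "$ServiceName started as $($cred.UserName)."
```

If the start still fails with a logon error after the account was accepted, check that the account holds the "Log on as a service" right in Local Security Policy and that its password has not expired; re-entering the same password in the Services MMC masks both conditions, which is why the manual fix in the question keeps being needed.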

What settings have to be made to connect to the database with the connection string given below?

In my .exe setup I have the connection string
Data Source=SERVER;Initial Catalog=POS_Chimur;User ID=sa;Integrated security=false
I have to install a database for this exe; what settings will be needed according to the above connection string?
Till now I have installed SQL Server as the default instance on the PC named SERVER. Still I am unable to connect with the above connection string.
You need to cheat your way in. Here's how I would approach this problem:
Data Source=SERVER;
You can create an alias to point to your final instance using "SQL Server Configuration Manager", "Aliases".
Initial Catalog=POS_Chimur;
You need to have a database named POS_Chimur.
User ID=sa;Integrated security=false
Here, you need to provide a SQL login named sa with no password. I recommend renaming the actual sa account to original_sa, then creating a new account named sa with no password. You also need to create a user mapping for that new account in the POS_Chimur database using this code:
CREATE USER sa FOR LOGIN sa;
ALTER ROLE [db_owner] ADD MEMBER sa;
If db_owner doesn't work, you can give it sysadmin rights if you still get an error.
If you are using SQL Server security, you need to specify a username and a password, like this (where you replace 'mySApassword' with the actual password):
Server=SERVER;Database=POS_Chimur;User Id=sa;Password=mySApassword;
In the event you want to use Windows security, you will need this connection string:
Server=SERVER;Database=POS_Chimur;Trusted_Connection=True;
If you are running the executable on the same machine as SQL Server, you can replace 'SERVER' with '.' in order to make it work on all computers, if you need to distribute it to more than one PC.
Here's some more information about SQL Server 2008 connection strings.
I see two things mainly:
You are connecting with a SQL Server login
Go to SQL Server Management Studio
Connect to the database server with an administrative account you know and that works
Right-click on the server in the 'Object Explorer' window
Choose Security
In the Server authentication group, choose 'SQL Server and Windows Authentication mode'
Restart SQL Server
This account is sa and doesn't have a password
Go to SQL Server Management Studio
Connect to the database server with an administrative account you know and that works
Unfold the server object [-]
Unfold the Security folder [-]
Unfold the Logins folder => find the sa login
Right-click on it and click Properties
In the General section, uncheck the Enforce password policy checkbox and clear the passwords in both text boxes
In the Status section, make sure that Login is Enabled and that Permission to connect is set to Grant
Click OK
Confirm that you want to create a login with a blank password (which is obviously always a risk)
After performing those steps, please log out and try to log in again, but change the Authentication drop-down value to 'SQL Server Authentication' and try to log in with sa and an empty password. If it works, then the connection string should be fine too.
You need to mention the Provider. Your connection string should look like this:
Data Source=SERVER;Initial Catalog=POS_Chimur;User ID=sa;Integrated security=false; Provider="System.Data.SqlClient"

NT SERVICE\MSSQLSERVER - WMI provider Error

On MS SQL Server 2016 Standard I tried, with SQL Server Configuration Manager, to change the SQL Agent service from LocalSystem to NT SERVICE\SQLSERVERAGENT (without problems).
When I change the SQL Server service from LocalSystem to NT SERVICE\MSSQLSERVER I get the message "WMI Provider Error: object or property not found 0x80092004". System log: the SQL Server service (MSSQLSERVER) ended with the following service-specific error: object or property not found. ID: 7024
The server normally works with the SQL services under Local System without problems. For Database Mail I need to configure the service to run as NT SERVICE.
SQL Server runs under Windows Server 2012 R2.
I tried unsuccessfully to:
Reboot the server; change the login name directly in Services.msc; PowerShell Get-Service | ForEach-Object { Write-Host "NT Service\$($_.Name)" } (NT SERVICE\MSSQLSERVER exists); the WMI Diagnosis Utility (in my opinion, nothing major found).
Thank you for your help ...
I found information that NT SERVICE\ accounts cannot be set for SQL Server services
on a Domain Controller ...
https://blogs.technet.microsoft.com/mdegre/2011/06/25/can-i-install-sql-server-on-a-domain-controller/
Hello, just two last comments ....
1) The SQLSERVERAGENT service works without problem
2) I'm surprised that I cannot find a PowerShell script to
create the permissions and rights for the SQL folder structure ...
https://msdn.microsoft.com/en-us/library/ms143504.aspx
Am I the only one who has a domain and SQL ... or does nobody create a separate
user for the SQL services ...
- I think the script would be very helpful
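For the second comment, here is the kind of script being asked for, added here as an example that is not from the post or from the linked Microsoft page: it grants one service account the file-system rights on the instance's data folders and then verifies the ACL. Assumptions: the account name and the folder list are placeholders (the paths follow the SQL Server 2016 default-instance layout mentioned in the question; take yours from the instance's configuration), and Full Control on those folders is the right level for the Database Engine service, which is what the linked "service accounts and permissions" page describes for the data, log and backup directories.

```powershell
# Added example: grant a SQL Server service account rights on the instance
# folders and verify. Not code from the original post.
param(
    [string]$ServiceAccount = 'NT SERVICE\MSSQLSERVER',        # assumption
    [string[]]$Folders = @(                                     # assumption
        'C:\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Data',
        'C:\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Log',
        'C:\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Backup'
    )
)

# A per-service SID ('NT SERVICE\<name>') only resolves on the host where that
# service is installed, so fail early if the name cannot be translated here.
$identity = New-Object System.Security.Principal.NTAccount($ServiceAccount)
$sid = $identity.Translate([System.Security.Principal.SecurityIdentifier])
Write-Host "$ServiceAccount resolves to $($sid.Value)"

# Full Control, inherited by sub-folders and files, allow.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $identity,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

foreach ($f in $Folders) {
    if (-not (Test-Path -LiteralPath $f)) {
        Write-Warning "skipping $f (does not exist)"
        continue
    }
    $acl = Get-Acl -LiteralPath $f
    $acl.SetAccessRule($rule)       # replaces any existing rule for this identity
    Set-Acl -LiteralPath $f -AclObject $acl
}

# Verify: list the effective entries for the account on each folder.
foreach ($f in $Folders) {
    if (-not (Test-Path -LiteralPath $f)) { continue }
    $entries = (Get-Acl -LiteralPath $f).Access |
        Where-Object { $_.IdentityReference.Value -eq $identity.Value }
    [pscustomobject]@{
        Folder  = $f
        Rights  = ($entries | ForEach-Object { $_.FileSystemRights }) -join ', '
        Inherit = ($entries | ForEach-Object { $_.InheritanceFlags }) -join ', '
    }
}
```

Run it elevated on the SQL Server host itself. The verification step matters after a service-account change because a SQL Server that starts but cannot read its own data directory fails later, when a database is first opened, rather than at service start.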

How to use SPN to connect via SSMS

I've just completed registering our SQL Server 2008 R2 in AD with an SPN.
I'm able to connect using SQLNCLI10.1 via OLE DB with the following keyword:
Server SPN=MSSQLSvc/server.domain.local
and once connected, the following query verifies that Kerberos is being used:
SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID;
result:
KERBEROS
However, I'm unable to figure out, or search the internet for information on, connecting within SSMS using the SPN. Adding the keywords suggested to "Additional Connection Parameters" just results in
Keyword not supported: 'serverspn'
Keyword not supported: 'server spn'
Is it possible to connect within SSMS using the SPN? If I do so without specifying the SPN, the test query returns:
NTLM
What commands did you use to create the SPNs?
You should have 2 SPNs for the service: 1 for server.domain.local and 1 for port 1433 (or whatever port your service is using).
Here are the examples from http://msdn.microsoft.com/en-us/library/ms191153.aspx:
setspn -A MSSQLSvc/myhost.redmond.microsoft.com:1433 accountname
setspn -A MSSQLSvc/myhost.redmond.microsoft.com accountname
Once the SPNs are created, Windows Authentication should be all that you need to get Kerberos.
To verify what SPNs are created you can use the following:
setspn -l accountname
Additionally, if the service account has Write servicePrincipalName and Read servicePrincipalName permissions, it will automatically register the SPNs on startup.
See Clint's blog for more info: http://clintboessen.blogspot.com/2010/02/dynamically-set-spns-for-sql-service.html
Whenever you get NTLM it means that the SPN didn't register properly or that one of the accounts isn't on the domain. Otherwise, you should always get a KERBEROS connection. There are a couple of things you need in place to ensure you always get a KERBEROS connection.
Make sure the login exists on the domain which SQL Server runs on.
Make sure that the login used for the SQL service has sufficient permissions in AD.
Manually create an SPN: setspn -S MSSQLSvc/<domain.com> <login>. This command will check for duplicates before adding an SPN.
The above steps will ensure that the SPN is registered when you restart SQL Server.
To verify a successful registration:
You can check in SSMS Management -> SQL Server Logs -> Current.
You could also run the following command in CMD: setspn -L MSSQLSvc/<domain.com> <login>
After you have verified that the server SPN registered successfully, you can log in with a domain account and run your test command. You should always get KERBEROS after this.
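Both answers come down to the same two failure modes: one of the two SPN forms (host and host:port) is missing, or an SPN is registered on more than one account (a duplicate, which is what setspn -S guards against and which makes Kerberos fall back to NTLM). The script below is an added example, not from either answer: it enumerates every MSSQLSvc SPN in the domain with an LDAP search and checks a given host for both conditions. Assumptions: it runs from a domain-joined machine with read access to AD; the host name and port defaults are placeholders.

```powershell
# Added example: find missing and duplicate MSSQLSvc SPNs. Not code from the
# original answers.
param(
    [string]$HostFqdn = 'server.domain.local',   # assumption
    [int]$Port = 1433                             # assumption
)

# (account, SPN) pairs for every object in the domain that holds an MSSQLSvc SPN.
function Get-MssqlSpnRegistrations {
    $searcher = [adsisearcher]'(servicePrincipalName=MSSQLSvc/*)'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    [void]$searcher.PropertiesToLoad.Add('servicePrincipalName')
    foreach ($r in $searcher.FindAll()) {
        $account = [string]$r.Properties['samaccountname'][0]
        foreach ($spn in $r.Properties['serviceprincipalname']) {
            if ($spn -like 'MSSQLSvc/*') {
                [pscustomobject]@{ Account = $account; Spn = $spn }
            }
        }
    }
}

# Pure check over a list of registrations, so it can also be run against a
# constructed list when testing.
function Test-MssqlSpnSet {
    param([object[]]$Registrations, [string]$Fqdn, [int]$Port)
    $wanted = @("MSSQLSvc/$Fqdn", "MSSQLSvc/${Fqdn}:$Port")
    foreach ($w in $wanted) {
        $owners = @($Registrations |
            Where-Object { $_.Spn -ieq $w } |
            Select-Object -ExpandProperty Account -Unique)
        if ($owners.Count -eq 0) {
            "MISSING   $w"
        } elseif ($owners.Count -gt 1) {
            "DUPLICATE $w registered on: $($owners -join ', ')"
        } else {
            "OK        $w -> $($owners[0])"
        }
    }
}

# Any SPN string that appears on more than one account, regardless of host.
function Get-DuplicateMssqlSpns {
    param([object[]]$Registrations)
    $Registrations | Group-Object -Property Spn |
        Where-Object { ($_.Group | Select-Object -ExpandProperty Account -Unique).Count -gt 1 } |
        ForEach-Object { [pscustomobject]@{ Spn = $_.Name; Accounts = ($_.Group.Account | Sort-Object -Unique) -join ', ' } }
}

$regs = @(Get-MssqlSpnRegistrations)
Test-MssqlSpnSet -Registrations $regs -Fqdn $HostFqdn -Port $Port
Get-DuplicateMssqlSpns -Registrations $regs
```

A DUPLICATE line is the case setspn -L on a single account never shows you, since it lists one account at a time. Also test from the client with the FQDN rather than an IP address: the client builds the SPN it requests from the server name you typed, so connecting by IP asks for an SPN nobody registered and yields NTLM even when the registrations are correct.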

Sql Server 2005 login failed

I'm getting the message "login failed: user not associated with a trusted SQL Server connection".
It's a SQL Server 2005 legacy system with linked servers. Whoever set it up left the sa password blank (I will be changing it).
How do I make a trusted SQL Server connection?
A "trusted SQL Server connection" error usually means that you're attempting to authenticate using Windows Integrated security and the currently logged-on Windows user has not been granted access, either directly or through group membership, to the SQL Server database being requested.
If the sa password is indeed blank, you can log in using SQL Server security as sa + [blank] and associate your Windows account with the appropriate server permissions (and change that sa password just after you verify your new account works OK...).
From code, a Windows Integrated connection string looks like this:
Server=myServerAddress;Database=myDataBase;Trusted_Connection=True;
A SQL Server user id/password connection string looks like this:
Data Source=myServerAddress;Initial Catalog=myDataBase;User Id=myUsername;Password=myPassword;
(for more varieties check out connectionstrings.com)
Good luck!
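This thread and the POS_Chimur connection-string thread above turn on the same two server-side facts: whether the instance accepts SQL Server authentication at all, and whether sa still has a blank password. The script below is an added example, not code from either thread. It parses the posted connection string with SqlConnectionStringBuilder (which makes the missing password obvious), builds the two usable forms, and audits the instance over a Windows-authenticated connection. Assumptions: 'SERVER' and 'POS_Chimur' are taken from the question and are placeholders; the auditing login needs CONTROL SERVER or VIEW ANY DEFINITION to read sys.sql_logins.

```powershell
# Added example: parse and rebuild the connection string, then audit the
# authentication mode and the sa password. Not code from the original threads.
param(
    [string]$Server   = 'SERVER',        # assumption, from the question
    [string]$Database = 'POS_Chimur'     # assumption, from the question
)

# 1. Parse the string exactly as posted. The builder normalises synonyms
#    ('Integrated security' -> IntegratedSecurity), showing that SQL
#    authentication was requested for 'sa' with an empty password.
$posted = 'Data Source=SERVER;Initial Catalog=POS_Chimur;User ID=sa;Integrated security=false'
$parsed = New-Object System.Data.SqlClient.SqlConnectionStringBuilder($posted)
"Posted: IntegratedSecurity=$($parsed.IntegratedSecurity) UserID='$($parsed.UserID)' Password='$($parsed.Password)'"

# 2. The two usable forms. Windows auth for administration; SQL auth only with
#    a real password, prompted for rather than written into the script.
$win = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
$win.DataSource = $Server; $win.InitialCatalog = $Database; $win.IntegratedSecurity = $true

function New-SqlAuthConnectionString {
    param([string]$Server, [string]$Database, [pscredential]$Credential)
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $b.DataSource = $Server; $b.InitialCatalog = $Database
    $b.UserID = $Credential.UserName
    $b.Password = $Credential.GetNetworkCredential().Password
    $b.ConnectionString
}
# Example use (prompts): New-SqlAuthConnectionString $Server $Database (Get-Credential 'sa')

# 3. Audit over Windows auth. If the instance is in Windows-only mode, a SQL-auth
#    attempt fails with error 18452, the "not associated with a trusted SQL
#    Server connection" message from the 2005 thread. sa is matched by its fixed
#    SID 0x01 so the check still works if the login was renamed.
$audit = @"
SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) AS windows_only,
       l.name,
       l.is_disabled,
       CASE WHEN PWDCOMPARE('', l.password_hash) = 1 THEN 1 ELSE 0 END AS blank_password,
       l.is_policy_checked
FROM sys.sql_logins AS l
WHERE l.sid = 0x01;
"@
$conn = New-Object System.Data.SqlClient.SqlConnection($win.ConnectionString)
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = $audit
$r = $cmd.ExecuteReader()
if ($r.Read()) {
    if ($r['windows_only'] -eq 1) {
        Write-Warning 'Instance is in Windows Authentication mode only; SQL logins (including sa) are rejected.'
    }
    if ($r['blank_password'] -eq 1) {
        Write-Warning "Login '$($r['name'])' (sa) has a blank password. Set one: ALTER LOGIN [$($r['name'])] WITH PASSWORD = '<strong password>';"
    }
    if ($r['is_disabled'] -eq 1) { "sa login '$($r['name'])' is disabled." }
    if ($r['is_policy_checked'] -eq 0) { "Password policy is not enforced for '$($r['name'])'." }
}
$r.Close()
$conn.Close()
```

The audit query is worth keeping on its own: a blank or policy-exempt sa on a mixed-mode instance is exactly the configuration the first answer in the POS_Chimur thread proposes, and it is reachable by anything that can open port 1433.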
