I have gone through all the examples I could find online for building docker container based applications. I would want to run two services running in two docker containers:
A windows container running ASP.NET
A windows container running SQL Server
Easy job and many examples. However, in all examples you need to use SQL authentication and to provide a hard-coded SA password as an environment variable when running the SQL server container. You also need to hard code the SA password into the connection string in the ASP.Net code (or also provide it in some other manner in a configuration file, etc.)
Bottom line in all examples the password is hard-coded somewhere.
In most applications we develop now, we actually use windows authentication instead or use a grouped managed service account instead. But as far as I know, you cannot add a windows container to a domain, thus the SQL server is not part of the windows domain so I don't see a way to use windows authentication here.
So does any one have an alternative to hard-coding passwords this way ?
I'm dealing exactly with the same problem.
Here is the most complete procedure that I found.
The trick is to use gMSA.
But, as JanneRantala says at the end, I'm having the same problem when trying to add a new User in the Database :
Msg 15401, Level 16, State 1, Line 3
Windows NT user or group 'YOUR_DOMAIN\gmsa$' not found. Check the name again.
Here is walkthrough how to make it work. Windows Containers Walkthrough
This will not work though if your SQL is also running in container since SQL server itself have to part of Active Directory to be able to utilize GMSA accounts.
Windows authentication is automatically enabled in Windocks SQL Server containers. See here for more details.
The SQL Server containers created in Windocks are SQL Server named instances created automatically from the default SQL Service that is already installed on the Windows Server (2012 R2 or 2016). Any Windows accounts in the default instance are automatically enabled in the container instances.
Related
Testing SQL queries with large datasets against Azure SQL server may be costly, so it is better for me to test my code against a local server. I would like to create a new local server with "SQL Server authentication" rather than "Windows authentication", and I would like to keep my default local server that uses Windows authentication.
In lack of better phrasing:... is it "common" to have multiple SQL servers with different authentication methods on the same Windows-10 pc ?
If it is "straight-forward" to do this, then please share "how-to", or share better jargon for web searches. I did not find much information on this when googling "create new local server with sql server authentication"
As you may easily catch from the text: I'm not an IT expert...
Yes, you can use at an instance and solely your will to provide the accesses.
where you can use Windows Authentication mode and mixed mode.
More information about Windows Authentication may be found at: Connecting Using Windows Authentication.
We may utilize SQL Server Authentication to solve your problem by passing the user name and password.
experiencing an odd issue I've yet to see on any of my other machines. This is a fresh laptop, so I have installed VS 2017, SQL Server 2017 express, then created a quick sample project using one of the stock .net core projects (with authentication stored "in-app"). This, of course, creates some basic entity migrations and DB context.
When I run I'm getting access denied errors. So, of course, I checked SQL service default user which is an admin. I then run basic migration commands and receive this
So, of course, my next step was to double check the default data locations of SQL since it appears to be trying to store it in C:\Users root?! I have never had to bother touching this during install, but worth a look. And of course, they are as I expected in their default locations of C:\Program Files\ etc
Rapidly running out of things to try at this point - and considering this is a fresh windows 10 install, with bare-bones vs 2017 and SQL express 2017 it feels a lot like a bug here. Everything is a default if you were to File -> New Project -> .NET Core Web Application with INdividual accounts.
Anyone have any thoughts or things worth trying? Why is it trying to store my DB in C:\Users? Connection string -
"DefaultConnection": "Server=(localdb)\\mssqllocaldb;Database=aspnet-WebApplication3-53bc9b9d-9d6a-45d4-8429-2a2761773502;Trusted_Connection=True;MultipleActiveResultSets=true"
Thanks!
-Marc
You are not using SQL Server Express.
The local string says (localdb), which is the SQL Server engine running in user space. This is a big difference. Usually SQL Server or SQL Server express runs as service. (localdb) is not an alias for localhost (loopback address). It's a special name for a minified version of SQL Server which runs in user space.
When SQL Server runs as a service, it needs to have read/write permissions to the folder it writes. This is usually NOT THE CASE when the file is located within the User folder.
LocalDB on the other side, is always started when you start debugging your application and runs with the permissions of the user. So if your file was created by an admin user or outside of a directory you have write permissions.
Also, when you mount a database to SQL Server (Express), then the file is protected from write access to other applications, so LocalDB can't open it neither.
LocalDB is made for development to offer most of the SQL Server features but without all the hard setup and permanently running service in the background.
Essentially you have two options:
Use the SQL Server connection string as #TanvirArjel suggested
Detach the database from SQL Server express, copy it to your user folder (C:\Users\<myusername>\) and then correct the path to it
Then it should just work.
Notice that LocalDB is not meant to run in production, so you will likely experience issues when trying to run it in IIS (IIS Express and Console applications and WPF work fine).
Reasons for LocalDb not working with IIS is because ASP.NET (Core) applications within IIS run with a special user, but LocalDbs are always created in the users profile folder. Now, the accounts used by IIS don't have a profile and can't create the database and can't access any database outside (since localDbs are stored in user folder only the user who created it has access to it).
Here some source on it and the reasons behind it.
Using LocalDb with IIS
Write the connection string as follows.Hope it will work...
"DefaultConnection": "Server=YourPcName\\SQLExpressInstanceName;Database=aspnet-WebApplication3-53bc9b9d-9d6a-45d4-8429-2a2761773502;Trusted_Connection=True;MultipleActiveResultSets=true"
I have created a SSIS Package and now want to deploy it, for that I am required to create the Integration Service Catalog,so I have SQL Server Evaluation Set up in that when I m trying to connect the integration service, I am getting following error,
Connecting to the Integration Services service on the computer
"RESHMAJADHAV"
failed with the following error: "Access is denied."
By default, only administrators have access to the Integration Services service.
On Windows Vista and later,
the process must be running with administrative privileges in
order to connect to the Integration Services service.
See the help topic for information on how to configure access to the service.
Also I have observed that my instance for SQL Server Evaluation edition is RESHMAJADHAV\SQL_SERVER_EVALU but when I am trying to connect this server, then this option is not shown under Integration Services as shown below,
.
I am unable to sort this out, since I am entirely new to this, please explain what can be the solution.
Please make a note, I also have sql server express edition ,but since it doesn't support to create the SSIS Integration service catalog then I installed the SQL Server Evaluation edition .
Also when I am trying to connect via SQL Database as shown in below image,
then while creating the integration service catalog, it is given the following error
Password validation failed.
The password doesn't meet the requirements of password of the password filter DLL.
Change database context to SSISDB.
One fact I have observed, I don't know whether it is related or not but when I am trying to enter password for my system, then also it's giving same error that password doesn't meet the requirement and also when while installing the SQL Server edition, it gave the same error, no doubt my password was very strong and fulfill all the requirements of strong password, currently I am trying to run my SQL Server with windows authentication mode and also I have tried to disable the strong password policies from the administrative tools but it's totally futile....any help will be greatly appreciated.
Go to all programs
Click on Microsoft SQL Server 2012 folder
Right click on SQL Server Management Studio
Click on Run as Administrator
This should take care of problem for now. (With this you need to always repeat the same process). To avoid this every time and for a more persistent solution you need to get permission(s). Please do the following process and you should be good.
In previous versions of SQL Server, by default when you installed SQL Server all users in the Users group had access to the Integration Services service. When you install the current release of SQL Server, users do not have access to the Integration Services service. The service is secure by default. After SQL Server is installed, the administrator must grant access to the service.
To grant access to the Integration Services service
Run Dcomcnfg.exe. Dcomcnfg.exe provides a user interface for modifying certain settings in the registry.
In the Component Services dialog, expand the Component Services > Computers > My Computer > DCOM Config node.
Right-click Microsoft SQL Server Integration Services 11.0, and then click Properties.
On the Security tab, click Edit in the Launch and Activation Permissions area.
Add users and assign appropriate permissions, and then click Ok.
Repeat steps 4 - 5 for Access Permissions.
Restart SQL Server Management Studio.
Restart the Integration Services Service.
(Source MSDN)
I hope this will help
I researched little bit and then I came to know it was actually the problem of HP Security Tool Manager service of HP Laptop which was messing with the password of system,SQL Setup and catalog of Integration Service,I uninstalled it from PC and now my problem is resolved..
look like you don't have a admin privilege.
so start->sql server->right click->run as administrator
it might solve !!!
it's not clear whether this is due to your windows password or the SSISDB encryption password http://fendy-huang.blogspot.com.au/2012/01/sql-server-2012-integration-services.html.
I suggest you think of a very long complicated password with a mixture of upper, lower and punctiation like this:
~~AgFcDeUk17aP9%3(5#hY,lTSs9+
and put that into the encryption field when creating the catalog. If that doesn't get around your error, try changing your windows password to that. The only way to solve thedr things is divide and conquer. Once you know which password is the issue you can attack it further.
I have followed these steps https://www.windowsazure.com/en-us/manage/windows/how-to-guides/capture-an-image/ to capture an image of a VM. Used sysprep as mentioned and I was able to replicate the VM. The problem is that when I rdp into the machine, I can't connect to SLQ Server. Login fails for Windows Authentication. Usually this means that the SQL Server is on another domain, but in this case the error is on local machine.
So my question is, how to capture an image of a VM with SQL Server in Windows Azure and ensure that I can login with Windows Authentication at least when deployed?
I don't think you can, I think you will need SQL Server Authentication before sysprep (I haven't tested this), as far as I know this is the same on-premises and not an Azure feature per se...
If you run sysprep on Windows, you shouldn't have any expectations that the current principals provisioned in SQL Server will continue to work. SQL Servers references Windows accounts by their SIDs and running sysprep on Windows will create a new set of SIDs for the Windows account. Therefore, you will have to re-add them to SQL Server as you've discovered.
Adding a solution that worked for me, in case anyone facing same problem and haven't found any working solution.
After creating an Azure VM from the Image based on a generalized VM (sysprep run):
Launch SQL Server Configuration Manager.
Navigate to SQL Server Services.
Right click on SQL Server (SQLEXPRESS)->Properties from the right side panel.
Select 'This account:' and enter details of current VM Administrator credentials.
Apply changes and restart SQL Server.
Now, try connecting to the SQL Server. It should work.
We have an application, consisting of an MS Access frontend (2007, mdb format), a few .net libraries and an SQL Server (2008) backend. I am working on an installer, which automatically installs the MS Access Runtime, our application, our libraries, SQL Server Express and configures everything.
Clearly, the MS Access application and the libraries (running in a normal, non-admin user context) need access to the SQL Server database. What is the best way to grant access to the application?
This is what I came up with. Unfortunately, all of these seem to have drawbacks:
SQL Server Compact Edition: Does not support views.
Application Roles: This seems to be best practice. However, it requires executing a stored procedure before accessing the database (I cannot pass the app credentials in the connection string). Thus, I cannot use this to attach the SQL Server tables as a linked tables in the Access MDB, which is a requirement of our Access application.
SQL Server User Instance: To quote from MSDN: "This feature will be removed in a future version of Microsoft SQL Server. Avoid using this feature in new development work..."
SQL Authentication: Microsoft says: "When possible, use Windows Authentication."
Using Windows authentication and granting BUILTIN\USERS full access: This is by far the easiest solution, but somehow it "seems wrong" to do that...
The application is targeted at a non-technical audience, so asking the user to configure permissions is not an option.
EDIT: Some clarification: It's a "local" application, i.e., the SQL Server is located on the same machine as the application; SQL Server access from the network is neither necessary nor desired. The software (a regular business application for managing stocks, invoices, etc.) will be available to download for free, so it should run in a variety of environments (domain/non-domain, different operating systems, etc.), and IT knowledge should not be required to install it -- apart from the usual "click on setup.exe, confirm UAC prompt, acknowledge the installation directory, etc.". I expect the most common scenarios to be "Windows XP, local admin user" and "Windows Vista/7, local admin user with UAC enabled". Since we want to follow good practices, running the application should not require "Run as Administrator" in the latter case.
#Heinzi write:
Using Windows authentication and
granting BUILTIN\USERS full access:
This is by far the easiest solution,
but somehow it "seems wrong" to do
that...
The usual approach here is to add a custom user group (e.g., "db-users") and put the users in that group. That way you can control exactly who is allowed access.
How about:
Use an Access ADP project, pre-configured to connect to the locally installed SQL Server instance.
Connect using BuiltIn\Users group (or SQL authentication) but grant only the bare minimum credentials. Enough to logon and ...
Call sp_setappprole to "elevate" the client connection to your defined application role's identity.
If sound like you have only got the tie of the iceberg. When it comes to selling and deploying access SQL applications.
I have take a different route. I have virtual computers as standalone workstation and domain server and workstation all virtual.
I have write a scripts they are a combination of VBA and VBScript.
Ask
Is the DB and App to run on single computer or different computers.
If different computer what is the name of the computer the DB is located on.
Is the DB and App to in a workgroup, homegroup or domain environment
Is the DB computer already have SQL Express or above
Is the App computer already have Access or Access Runtime installed.
If yes which version.
Will all or only limited users have access.
If limited what is the user group name of user to be have access to the data.
Does this group already exist
If No List the Name of the Users that Should Be Added to the Group
Also questions about the Admin Users and Group
The script start the virtual machines and goes through a series of steps to rep the MDB and SQL DB for deployment. Then creates an MSI for the Server Install with include a custom script that sets up the environment. Finally packages MDB in a nice MSI.
I have since enhanced the process to allow some questions to be answered at the beginning of the server installation. This means the user groups and users can be selected from the lists in the workstation or domain depending on prior questions asked.
If user the app user is a member of the Admin Group of the Workstation or Domain. They get extra menu options. That allow them to add or remove members from the DB user group for the workstation or domain. This I find is helpful.
I am now moving to the next stage and looking at hosting my assess app as an SasS (Software as a Service) (Rental). So the app can be use in any HTML5 Browser, Windows or Mac as Virtual Desktop or Android and Apple device. Having said that Access is a bit ugly on mobile devices.
When I am up and running I will make the platform available to others.