MSSQL server is running with Windows and SQL Server Authentication mode on a server called 'HOST1'. The application which needs to connect with the SQL Server is started as a service on a server called 'HOST2'. Since the service manager starts applications as the user "NT Authority\System", I'm unable to connect with the SQL Server on 'HOST1' from 'HOST2'.
I have the option of manually changing the user account using which the services are launched. That is,
Right click service -> properties -> Log On -> Choose 'This Account' -> Provide a user which has permission to connect with SQL Server in 'HOST1'
But the problem is, there will be hundreds of services, running in hundreds of hosts. Hence modifying the user manually for all services is not possible in my case.
Please let me know how I can connect to SQL Server.
Would using Powershell to script out a solution that is not quite as taxing? Maybe as part of the deploy process?
Powershell script to change service account
Related
Mystery of the Day:
I have two users who access SQL Server Integration Services remotely from their local machines. User 1 successfully connects using the Integration Service server type in SSMS. User 2 gets this error:
Note that 2005 is mentioned in the error, tho user 2 does not have 2005 installed. Both User 2 and the server are running 2014. Both users have the same persmissions on the remote server, and both are admins on the server. User 2 also gets this error when connecting to SSIS on the server, however, she is able to connect successfully when running SSMS as an administrator on the server. Here are some things that we've already tried:
Confirmed that User 2 is using a lower version of SQL than the version on the server.
Matched both users SSMS permissions to each other.
Added User 2 to the server's DCOM.
Restarted SSIS service on the server.
And this:
We suspect there may be a version issue between local and remote installations, but not sure what to check in that regard. There many similar posts to our issue, but we have combed through without success. Hoping someone can help here.
Thank you.
I changed the default logon of the SQL Server Integration Services 15.0 service to be the NT account on the VM I was given and was able to connect to Integration Services after a service restart.
I had recently installed SQL server 2012 and I used mostly the default settings. Database works fine and I can happily connect using SSMS (SQL Server Management Studio) but when I connect to the Integration Services Server I get this message
Connecting to the Integration Services service on the computer
"localhost" failed with the following error: "Access is denied."
By default, only administrators have access to the Integration
Services service. On Windows Vista and later, the process must be
running with administrative privileges in order to connect to the
Integration Services service. See the help topic for information on
how to configure access to the service.
here is the screenshot
I am not sure why but I am the domain admin and have full rights over the server. Also why when I connect from my Desktop it can successfully connect, only if I connect from the server itself which gives me this issues. How do I fix this so that I can make SSMS on the server connect to its Integration Services instance.
As I understand it, User Access Control, or UAC, can basically intercept requests for your group membership so in this case, it appears it was preventing your membership getting passed to SQL Server.
Others have noted in their comments that you may still need to right click and run SSMS as an Administrator.
As noted by an astute observer "This is a quick-fix, not a real solution. People shouldn't just be running stuff as administrator. These security walls are in place for a reason" And I agree. UAC is designed to get Windows users into a Principle of least privilege mindset - only escalate to a powerful account when required. The issue is that SSMS is known to not "play well" with UAC. As I see it, this leaves you with three options
You can turn off UAC and get your work done
Leave UAC on and tell your boss you are unable to work
Write your own query tool that is not affected by UAC
Go to all programs Click on Microsoft SQL Server 2012 folder Right click on SQL Server Management Studio Click on Run as Administrator
This should take care of problem for now. (With this you need to always repeat the same process). To avoid this every time and for a more persistent solution you need to get permission(s). Please do the following process and you should be good.
In previous versions of SQL Server, by default when you installed SQL Server all users in the Users group had access to the Integration Services service. When you install the current release of SQL Server, users do not have access to the Integration Services service. The service is secure by default. After SQL Server is installed, the administrator must grant access to the service.
To grant access to the Integration Services service
Run Dcomcnfg.exe. Dcomcnfg.exe provides a user interface for modifying certain settings in the registry.
In the Component Services dialog, expand the Component Services > Computers > My Computer > DCOM Config node.
Right-click Microsoft SQL Server Integration Services 11.0, and then click Properties.
On the Security tab, click Edit in the Launch and Activation Permissions area.
Add users and assign appropriate permissions, and then click Ok.
Repeat steps 4 - 5 for Access Permissions.
Restart SQL Server Management Studio.
Restart the Integration Services Service.
(Source MSDN)
I hope this will help
Right Click on the Sql Server Management Studio and select Run as Administrator and try to connect
if it is installed on the local instance
You should check to see what user the SSIS Service is running under. Go to Start > Run > Type "services.msc" and scroll down to the SQL Server Integration Services 11.0 entry. Right click and check the properties to find out what user it's running under. The second tab should be the LogOn tab. Since you're just running on a local instance, you can set your user as the LogOn User account and SSIS will have the same permissions that you do.
Lost a day of work on that problem. My package has a .NET script task to copy file from a shared network folder to a local folder and I was stuck with the "access denied" exception every time I tried to execute the package from the server (Through SQL Studio). The package works fine when running locally.
Tried many things picked up here and there and at the end of the day what worked is to create a Job (owner is sa) which execute the package as SSISExecutor.
I have to mention that the file on the network has read access for everyone, and that I still don't understand what was wrong.
I have followed these steps https://www.windowsazure.com/en-us/manage/windows/how-to-guides/capture-an-image/ to capture an image of a VM. Used sysprep as mentioned and I was able to replicate the VM. The problem is that when I rdp into the machine, I can't connect to SLQ Server. Login fails for Windows Authentication. Usually this means that the SQL Server is on another domain, but in this case the error is on local machine.
So my question is, how to capture an image of a VM with SQL Server in Windows Azure and ensure that I can login with Windows Authentication at least when deployed?
I don't think you can, I think you will need SQL Server Authentication before sysprep (I haven't tested this), as far as I know this is the same on-premises and not an Azure feature per se...
If you run sysprep on Windows, you shouldn't have any expectations that the current principals provisioned in SQL Server will continue to work. SQL Servers references Windows accounts by their SIDs and running sysprep on Windows will create a new set of SIDs for the Windows account. Therefore, you will have to re-add them to SQL Server as you've discovered.
Adding a solution that worked for me, in case anyone facing same problem and haven't found any working solution.
After creating an Azure VM from the Image based on a generalized VM (sysprep run):
Launch SQL Server Configuration Manager.
Navigate to SQL Server Services.
Right click on SQL Server (SQLEXPRESS)->Properties from the right side panel.
Select 'This account:' and enter details of current VM Administrator credentials.
Apply changes and restart SQL Server.
Now, try connecting to the SQL Server. It should work.
Our custom SharePoint site uses a standard connection string (in web.config) to a remote sql server using a sql server authentication. I need to know if it is possible to change this connection to use a SharePoint service account instead of a sql server account. If so, how do specify the service account in the connection string and how do you create a login and user for an sp service account when that user does not exist on the sql server machine and nor is it available on Active Directory.
Update:
I think I need to use integrated security in the connection string and run db calls within SPSecurity.RunWithElevatedPrivileges block. If i use this as a delegate, what sp account will the code be executed under and how do i assign a sql server login to a sharepoint account on a remote machine. Any links to sample code or articles explaining this process would be helpful.
Thanks.
From the SQL Server side, you should create a domain account for Sharepoint in AD. Then you log in to SQL Server via Management Studio (SQL2005 or later), on the left hand side click on security tab, and add a new login - you'll enter the domain Sharepoint service account, and give it the relevant permissions to the databases it needs to access.
For the Sharepoint side, you probably can edit web.config but there must be a Sharepoint admin tool to take care of this properly.
I have one web server & one DB server (running SQL SERVER 2008). Both the servers are in different domains. The web server is allowed to communicate(the communication takes place internally without the intervention of firewall) directly with the DB server, it is given Admin privileges & the DB access through SQL is going on without any problems.But whenever the web server tries to access the Reporting Server & its services, its asking for a separate authentication(Local system account authentication has been configured for SQL Server). I want to know whether is there any way to get rid of this separate authentication for Reporting Services
If you are being prompted for credentials when running a report, then your data source is configured to prompt at run time. You'll need to change the DS to use a SQL login if you don't want this to happen. Your windows credentials cannot be passed from one server to another.
If you are being prompted to log on to the RS site - I've only experienced that on firefox but fixed with a firefox config setting to save the cred for the domain.