Kerberos Double Hop Authentication - SQL Server - sql-server

We three application servers and three database servers. We're trying to enable Kerberos authentication between the application servers and the database servers. All of the application servers can successfully connect to two out of the three database servers. The app servers are using Windows 2008 and Windows 2012 with IIS 7.0.
The database servers are using Windows 2012 and SQL Server 2008 R2. We can't figure out what is different between the two SQL Server instances that work and the one that does not. The one that does not appears to not be receiving tokens as it is reporting an anonymous login.

Everything is on the same domain. I am using Kerberos in order to allow IIS to impersonate the client user. We have a production app & database server and a test app and database server. We're trying to setup a training/QA app and database server. None of the app servers have any difficulty connecting to either the live or test database servers. All of them fail to connect to the QA database server. We're trying to track down what is different on that server.

Related

Azure VM SQL Server using Windows authentication from another Azure VM ASP.NET application

Currently I have two Azure VM's, one for the ASP.NET application (VM1) and another with SQL Server 2017 (VM2).
At the moment, the application on VM1 connects to VM2's SQL Server using SQL Server authentication, but now I want to change it to Windows authentication. I found this on the Azure website about how to connect:
Virtual networks also enables you to join your Azure VMs to a domain. This is the only way to use Windows authentication to SQL Server. The other connection scenarios require SQL Server authentication with user names and passwords.
https://learn.microsoft.com/en-us/azure/virtual-machines/windows/sqlclassic/virtual-machines-windows-classic-sql-connect
But there is also a website forum ask to use Azure Active Directory domain in order to achieve this.
I am confused regarding this, can anyone help me with a description how to connect my VM1 application to VM2 SQL Server using Windows authentication?

Connect to Internal SQL database from Azure Web Application

I'm trying to build a webservice that talks to a SQL database hosted on a server in our internal network. The service is hosted by Azure as a Web App. Is there a good way of doing this? Do I have to use Azure Sql databases, and if I do, is there a way to have the Azure database act as a proxy for our internal database?
There are already rules permitting connections to the ports on our database server, so I don't think that's the problem. I see a lot of questions regarding connecting to Azure hosted sql databases, but nothing about connecting Azure web apps to other kinds of databases.
The error occurs when I try to call a stored procedure (via generated entity framework code) and is as follows:
Error occurred: System.Data.Entity.Core.EntityException: The underlying provider failed on Open. ---> System.Data.SqlClient.SqlException: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections.
Our database is configured to allow remote connections, so what I'm guessing the Web App is having difficulty connecting to our vpn.
Please let me know if you need any additional information.
Thanks,
Josh
You can leverage Azure Hybrid Connections which is a feature of App service. Within App Service, Hybrid Connections can be used to access application resources in other networks. It provides access from your app to an application endpoint and uses Azure Relay service to connect to on-premise.
Check out the below link for more details :
https://learn.microsoft.com/en-us/azure/app-service/app-service-hybrid-connections
First option is to look on azure app service hybrid connection but for you to do that you should have Windows server 2012 or above.
Azure App Service Hybrid
Azure App Service hybrid connection is good if you are pulling small amount of data.
If you are pulling large amount of data or your SQL server version is below server 2012 you have two options:
Azure Site to Site VPN
Azure SQL Data Sync
Azure SQL DB Sync is a feature that available on Azure SQL database. You can create a Azure SQL database on azure and sync your on-premise SQL database or SQL database table to Azure SQL database and you can connect your application to Azure SQL database instead of connecting to on-premise database server. This will increase your performance of your application.
We ended up adding the application to an Azure Virtual network that allowed connections to our on-prem servers. The remaining difficulties were due the wrong port numbers being open.
What was very helpful in debugging this was the Kudu console in Azure, under Advanced tools -> console. There you can run commands from the machine hosting your application like ping, or the below:
sqlcmd -S tcp:servername,1433 -U Username -d databasename -P password -q "SELECT * FROM tablename"

Problems with connecting to SQL Server instance on multiinstance computer

I have a computer with several SQL Server instances installed - 2008, 2012 and 2016. From this computer there is no problem to connect to any of them using Windows Authentication.
Now I try to connect to the SQL Server 2016 instance from another computer. On the server computer I've created the appropriate Windows user and SQL Server login. But when I try to connect to this instance from the different computer, the login fails.
Finally I've managed to connect to SQL Server 2016 database engine using following server name:
TCP:ALEXMWIN81,49602
But when I try to connect to the SQL Server 2016 Analysis Services, the login again fails.
Can anybody give some advice on how to connect? All instances are very important and re-installation is a problem.
Thanks in advance. Alexander Mitchenko
When you say
On the server computer I've created the appropriate Windows user and SQL Server login.
This makes it sound like you are creating a local windows login on the server machine. It should be noted that in order to use Windows authentication both your connecting machine and the server need to be on the same domain.
Creating a SQL login is a separate authentication process called "SQL Server Authentication". When you use this methodology you connect with a username and password only. For this process you would connect by putting the login credentials into a connection string.
Do you have multiple domains? This can cause problems.
Cross Domain SQL Server Logins Using Windows Authentication
Does the SQL instance expose all the required ports to the internal network?
https://msdn.microsoft.com/en-us/library/cc646023.aspx
Is the server running a Windows Firewall?
What software are you connecting from?

Reporting Service SQL Server 2008 not deploying

I have two pairs of servers, one web server one DB server in each pair. I installed SQL Server 2008 in my DB servers and everything works, but reporting services only works in one.
In one of my servers, reporting service refuses to deploy my reports to http://xx.xx.xx.xx/ReportServer and says "Unable to deploy the server check to make sure target url is correct..." However it works fine in the other server.
What are the possible conditions for a reporting service to refuse deployment??
Does it require IIS to deploy? Are there some sort of port 80 restrictions on one of the servers making it unable to deploy?
Any ideas??
check your rights on the server you can't deploy to.
also, go onto the server where you can't deploy to and double check the url for the web service in reporting services configuration

Configuring ASP.NET MVC app's IIS 7.5 Application Pool identity as login on SQL Server 2008 R2

I am trying to use IIS 7.5 Application Pool identity as login on SQL Server 2008 R2 so that my ASP.NET web app can connect to the database...
Using this approach worked fine on my local dev machine (IIS 7.5 and SQL Server 2008 R2 on same machine).
However, when I try to set up the same on production (IIS and SQL servers are separate) I am unable to add "IIS APPPOOL\MyAppAppPool" login to SQL Server 2008 R2.
Notice that in either case you cannot use "Browse..." when creating a login in SQL Server since "IIS APPPOOL\MyAppAppPool" user identity is dynamic (or "special")...
Any ideas?
Update:
For more info on Application Pool Identities see here.
From article:
Whenever a new Application Pool is
created, the IIS management process
creates a security identifier (SID)
that represents the name of the
Application Pool itself. For example,
if you create an Application Pool with
the name "MyNewAppPool," a security
identifier with the name
"MyNewAppPool" is created in the
Windows Security system. From this
point on, resources can be secured by
using this identity. However, the
identity is not a real user account;
it will not show up as a user in the
Windows User Management Console.
That articles states (under "Accessing the Network") you still use the <domainname>\<machinename>$ aka machine account in the domain.
So if both servers are in "foobar" domain, and the web box is "bicycle", the login used to the SQL Server Instance is foobar\bicycle$
If you aren't in a domain, then there is no common directory to authenticate against. Use a SQL login with username and password for simplicity
Edit, after comment
If the domains are trusted then you can use the machien account still (use domain local groups for SQL Server, into which add a global groups etc)
As for using app pool identities, they are local to your web server only as per article. They have no meaning to SQL Server. If you need to differentiate sites, then use proper domain accounts for the App Pools.
You can't have it both ways...

Resources