Why not asking on dba.stackexchange: the description says it is for professionals, which I am not and SO has its "for enthusiasts" part.
I have an error
"Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'"
This is a common error with several possible reasons and solutions. The problem is that I have no knowledge of the database and server administration and credentials authentication topics, thus I will need to spend some significant time understanding what is being said and proposed.
Before I do that I would like to ask if it might be possible for me not to be able to solve the problem due to technical limitations. I will describe the situation in more detail now.
There is an MS SQL Server A with database Adb and table dbo.At. I can read from it. There is also an MS SQL Server B. I can read and write here.
I have MS SQL Server Management Studio 2012 open on my computer. I have a connection with server A open with query "select * from Adb.dbo.At" which works just fine. The connection used Windows Authentication.
I have a connection with server B (Windows Authentication as well) with query "select * from A.Adb.dbo.At" which results in the aforementioned error.
At this point I do have read access to A, I have read and write access to B. I can export data from A and then import it to B using my computer, i.e. I can do a kind of a copy paste and I will end up having what I want. There is no insurmountable wall between these 2 servers with me being the middle man. I simply would like to make it easier. Before I dwell on SPNs, delegations, Kerberos, Active Directory and whatnot I would like to ask if, assuming that I have nothing more than read on A and read/write on B, I might not be able to solve the issue?
It seems I have a "double hop" problem.
https://blogs.technet.microsoft.com/askds/2008/06/13/understanding-kerberos-double-hop/
I have found a workaround. I can use Server Agent on server B. Using this I can use the server to perform some actions, for example query other servers. The Agent jobs are of a specific type (like T-SQL script). For specific job types the Agent can run the jobs in "run as" mode (requires a proxy). I created a proxy referring to my normal Windows login. Sadly T-SQL script type job cannot be executed in "run as" mode. But PowerShell type job can. PowerShell can also execute SQL statements. Thus I have created PowerShell job running with proxy with the command being:
SQLCMD -Q "select * into Bdb.dbo.Bt from A.dbA.dbo.At" -E
This solved my problem.
Related
We are running an SSIS Package from a SQL Server 2014 instance which connects to a remote SQL 2016 Server through an SMO connection in a Transfer Objects Task. This task retrieves schemas, tables and SP's. The SSIS package has three of these tasks running in parallel which connect to three different Db's on the same SQL server.
Things had been running fine until a day last week the owners of the remote SQL Server decided to create a new user/password combo to give to us. No permissions changed or anything else, only the u/p.
After they did that the package has been failing with various connection type errors. The errors happen randomly on the three parallel tracks. Here are the errors:
Failed to retrieve data for this request.
Invalid Operation: The connection is closed.
There is already an open DataReader associated with this Command which must be closed first.
Property TextHeader is not available for StoredProcedure '[Sp Name]'. This property may not exist for this object, or may not be retrievable due to insufficient access rights. The text is encrypted.
But on the DB side the error the profiler was showing was the password was invalid. This is not true.
After some extensive troubleshooting we tried giving he user SA rights, which did not help. On further work we tried changing the password to 123 (while keeping SA rights,) the prior password had been a 10+ char non-alpha-numeric (had the ! char) password, for example aBc12dEF3!!!. We tried removing the ! chars and various other iterations, but that didn't work then we finally got it down to the password being 123.
This final password change worked. But obviously this is not normal, we cannot have user with SA rights and 123 as password.
Does anyone have any ideas, advice, direction on what could be going on here?
Thanks!
Please find the diagram as below for my issue:
I have 3 servers in the same domain, there is a SQL Server instance A (it's windows service run under domain\User1), In this instance, we have a Stored Procedure used for BULK INSERT a text file from a network shared folder in server C, the domain\User1 has full permissions on this folder.
My issue is: The Stored Procedure runs ok (green arrow) when connecting by SSMS in its (server A). But it failed when I change to SSMS in server B (log in by the same domain\User1 to the same Instance A). The error is "Access denied" to the text file (red arrow). Does the client have a role in this? I think the client does not matter, the file reading is done from the server (by the user that run Instance A service)
Note: If I connect Instance A from SSMS B with SQL Logon User (not windows account), the stored procedure works fine.
Could anyone give me some advice and sorry for my bad English
This is just a link answer but hopefully it helps.
BTW I commend you for taking the time to analyse the issue to the extent of drawing a diagram. This is far higher quality than most questions on here.
I believe you are running into a double hop issue. I searched everywhere for the BULK INSERT permission model and finally found this https://dba.stackexchange.com/questions/189676/why-is-bulk-insert-considered-dangerous
which says this about using BULK INSERT:
When accessing SQL Server via a Windows Login, that Windows account
will be impersonated (even if you switch the security context using
EXECUTE AS LOGIN='...') for doing the file system access
and this
when accessing SQL Server via a SQL Server Login, then the external
access is done in the context of the SQL Server service account
When you have issues with windows authentication and there is three servers and impersonation, it's often a double hop issue.
This may help you with that:
https://dba.stackexchange.com/questions/44524/bulk-insert-through-network
Which in turn references this:
https://thesqldude.com/2011/12/30/how-to-sql-server-bulk-insert-with-constrained-delegation-access-is-denied/
We are running SQL Server 2016. For in-house political reasons, I can't restrict access the way I want to. Assume that I can't change the premise.
We have a user that is used in SSIS packages. Unfortunately, some devs are logging directly into the db with ssms using this user. I need to prevent this without changing the password or something. What I need is to be able to allow a user access to the database ONLY if it is running from an SSIS package and NOT if it is coming in any other way.
I am not looking for other suggestions of how to fix this issue. I understand most of them already, I am stuck because of management decisions that I cannot change.
Can anyone tell me how to restrict a user in such a way?
An approach is to use a LOGON trigger
A first blush approach might be to reject any process that look's like the SSMS application
CREATE OR ALTER TRIGGER logon_developer_check
ON ALL SERVER
FOR LOGON
AS
BEGIN
IF (ORIGINAL_LOGIN() = 'triskydeveloper'
and EXISTS
(
SELECT
*
FROM
sys.sysprocesses AS S
WHERE
S.spid = ##SPID
AND S.program_name LIKE 'Microsoft SQL Server Management%'
)
BEGIN
ROLLBACK
END
END
But developers, being devious little buggers, will then write their own .NET application or use SQLCMD so you'd fall into a rat race trying to identify all the program_names that might show up.
I would instead look at the hostname column on sys.sysprocesses - if the connection isn't coming from the server itself, just reject it. Unless you have to deal with developers able to RDP onto the server.
Oh and if you mangle the logon trigger and it's rejecting everything, use SQLCMD and the dedicated admin console, DAC, and
sqlcmd.exe -S localhost -d master -Q "DISABLE TRIGGER ALL ON SERVER" -A
So I'm trying to setup Railo and I want to add a datasource.
For the database I'm using Microsoft SQL server Management Studio.
But now I've run into the classical problem: "Login failed for user 'sa'. ClientConnectionId:afd80ac2-0744-4a7d-a9f7-083d93adee0d"
What I've done so far:
With the SQL Server Configuration Manager in the TCP/IP settings I enabled the IPs I had to.
I set the password for the user 'sa' in MSSQL and I added a user mapping for the table I want to use.
I made the user 'sa' the owner of the DB i want to connect to
Restarted the SQL service, my computer and Railo multiple times.
I'm pretty much out of ideas.
After Leigh mentioned in the comments to look at my logs it had the following message: "Login failed for user 'max'. Reason: Failed to open the explicitly specified database 'test'. [CLIENT: 127.0.0.1]"
I then tried to make a connection without mentioning a database and that worked.
I would also point to Leigh's answer here which explains how to turn Mixed-Mode authentication on, as this can also cause this error. Since the cause of this isn't on Railo/Lucee's end, this issue still arises in 2018.
I just don't want a useful answer to get lost to history, nor plagiarize an answer I barely found.
I'm getting this error when running an SSIS package through SQL Agent
Failed to acquire connection "ORACLE ADO.NET". Connection may not be configured correctly or you may not have the right permissions on this connection.
When I log on as the SQL Agent User and run the ssis package directly it is fine. When I then execute it through the SQL agent job, it fails.
I've read around extensively on this topic, and it seems a lot of the advise concerns how you are logged in, configuring of proxy accounts, etc, etc, etc, none of which has been helpful.
I am logging onto an Oracle database with an ADO.NET conncetion. The connection string is as follows (datasource, userid and password have been changed):
Data Source=DATASOURCE;User ID=userid;Password=password;Persist Security Info=True;Unicode=True;
I'm loading this from a registry setting using package configuration. To check that I am getting the correct string, I am writing it into a temporary log table. I am definately getting the string I need from the correct registry setting.
I've tested the oracle login credentials though PL/SQL developer, and it lets me login just fine.
As far as I can tell, as I'm using an explicit user name and password for the Oracle connection it just shouldn't matter who the SSIs pacakge is run as. The only point of failure that Ican see would be the reading of the information from the registry, but that seems fine.
I'm really quite baffled, I must confess, and would appreciate any help some of the splendid experts here can offer.
Many thanks,
James
Ok, tracked this one down after quite a lot of pain.
It was working fine on one environment, but not another, so I fired up Process Monitor (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx) and ran a package through the SQL Agent job, comparing which system entities were hit on each enviroment.
On the failing environment, at the point of the bulk transfer operation, the package attempted to get the Oracle 11 client DLL, and then hung.
I knew that this was installed, and, moreoever, the DLL path was a system environment setting. After further investigation it was revealed that the server had not been rebooted since the Oracle Client install and the SQL Server Agent process had not bee recycled.
Yes, can you believe it, the old helpdesk fix "Can you reboot your computer?" worked.
Sigh!
We had issues at a client with running packages connecting to Oracle before stored on our sql server instance. The work around we found was to change the package property, protection level, to "Dont save Sensitive Data" and for security purposes, we encrypted the username and password in the package configuration that was decrypted by a udf in sql server. Of course, before you try the whole encryption part, I would recommend putting the username and password in the package configuration without encrypting the values to see if changing the protection level setting is the solution to your specific problem. I hope this helps.
I was getting this error when tnsnames.ora file did not have a valid entry for the environment