I have a legacy Windows Service that basically prints Crystal Reports.
The service runs under a specific administrator account, if i run it under a different administrator level account it actually prints nothing! (that is an administrator account that is not logged into the machine), but doesn't error as it can still connect to the database.
Crystal Reports uses an ODBC System DSN (SQL Native Client 10.0 with no SPN specified) with Integrated Windows Authentication to log into SQL Server.
The question is if the machine restarts and the Windows Service is set to start on system start will the ODBC login still work?
P.S. The service is hosted on a Windows 7 machine that is part of the all encompassing domain.
Google in this case is not my friend, and documentation on Integrated Windows Authentication is very scarce and very unhelpful.
Related
I have successfully setup SQL on Linux and configured Windows Authentication. I am able to use my AD account when on the local box and using SQLCMD. However when I attempt to use SSMS from a bastion host, I get logon denied because of an untrusted domain. Even though the Linux server is joined to the same domain. I have not found any information so far so asking here.
I am using Visual Studio Community 2019 Version 16.71 over a Pulse Secure VPN. I have 3 machines I work from: 2 laptops and one deskside all running Windows 10 Version 2004. The laptops work fine but after returning from a vacation, the deskside computer started throwing the error: "Login failed. The login is from an untrusted domain and cannot be used with Windows authentication." This happens with all the apps I work on for the University and all for the initial logon portion of the app connecting to the University's SQL server.
I use runas with my University AD credentials for both VS and SSMS.
The deskside still connects to the SQL servers just fine with SSMS so it does not seem to be the VPN or a Windows issue. At first I thought it was just the current app I was working on which is quite old but it happens with every app we have on our TFS server from Windows Forms, MVC and CORE.
Make sure your are using the correct username AND password when using runas.
Make sure you are using /netonly in your runas command
OR
If you are choosing to not use /netonly and are relying on Windows Credential Manager ensure the credentials you are relying on to connect are still valid. Perhaps your password has changed since you returned from vacation?
See answer by Mister Magoo for more information on using runas https://dba.stackexchange.com/questions/66014/connect-to-sql-server-with-windows-authentication-in-a-different-domain
Having all sorts of problems after publishing website from VS2015.
My Site has been working fine when run from within VS2015. However, I followed some instructions to Publish the website to my IIS and now the site Login page comes up but after entering user/password the application fails to make connection to the database and shows the error:
Failed to generate a user instance of SQL Server due to a failure in impersonating the client. The connection will be closed.
I am running Windows 8.1, SQL Server 2008/R2, Visual Studio 2015 and the Database connect string is:
I do NOT currently have Database User I am simply connecting using Windows Integrated authentication.
I think it's some kind of permissions error, can someone please assist ?
The website is using the AppPool identity to connect to the SQL database. By default the AppPool uses a Built-in Account.
You can change the AppPool to use a custom domain account which as rights to the database.
Here is what happened. I run a web application on windows server 2008 R2. The app pool it uses runs under LocalSystem account. The application complained about "NT Authority\SYSTEM" not having access to my database, so i added that user to the database. It all worked fine until yesterday, when the application started complaining about "Development\MyMachineName$" not having access to my database. The app pool still is running under "LocalSystem" account. I am confused why is it now changed the identity.
While playing around i ended up removing my username from sql server security. My sql server 2012 instance is running in windows authentication mode. now i cant connect to the sql instance. to fix this found someone suggested to use "psexec -i -s ssms" to launch management studio under "NT Authority\System" account. when i tried this the management studio tries to log on with "Development\MyMachineName$" as well. i am now wondering what happened to "NT Authority\SYSTEM" identity.
Thanks in advance for the upcoming help :)
EDIT:
My SQL Server instance is on same machine as the web application. i.e. its a dev machine where is have iis and sql server running for development.
Lots of stuff going on here, so hopefully this will clarify things for you.
I run a web application on windows server 2008 R2. The app pool it
uses runs under LocalSystem account. The application complained about
"NT Authority\SYSTEM" not having access to my database, so i added
that user to the database.
If the database server is local to the IIS server, that's fine (though I would still use a domain account to run the app pool). If the database server is remote from the IIS Server then the "local system" pool with attempt to authenticate a network resource which will transition to using the computer account Domain\Computer$ (as would network service).
It all worked fine until yesterday, when the application started
complaining about "Development\MyMachineName$" not having access to my
database. The app pool still is running under "LocalSystem" account.
I can't tell from your question if these are the same server or not, more clarification would be needed.
While playing around i ended up removing my username from sql server
security. My sql server 2012 instance is running in windows
authentication mode. now i cant connect to the sql instance. to fix
this found someone suggested to use "psexec -i -s ssms" to launch
management studio under "NT Authority\System" account. when i tried
this the management studio tries to log on with
"Development\MyMachineName$" as well. i am now wondering what happened
to "NT Authority\SYSTEM" identity.
NT Authority\System is a special built in identity and does not traverse network resources, if it needs to it auths as the computer account Domain\Computer$. I don't know the whole setup from your text but for the psexec to work, it'd have to start ssms on the database server or it will continue to use the computer account. If you need access back, be a member of the server admins windows group and start SQL Server up in single user mode - connect with windows authentication (locally) and add your login back in.
We'd need a infrastructure diagram to get more into it, but the basics are:
Built in identities and accounts can't authenticate on a network unless they use the computer object.
Built in identities and accounts are only good for the server they are on and local to.
Giving permissions to anyone who could access that computer (through the computer object) is grossly over-provisioning permissions.
If you are running an application, the identity if yours so you could have been authenticating with your account the whole time testing. While individual threads can have different identities, most applications inherit the identity that spawned the process and in this case is most likely yours.
I think i figured it out. The reason was that when connection string uses computer name then it forwards "MACHINE$" as identity but when it is using localhost then it forwards "SYSTEM" as identity.
I have an ASP.NET application which needs to connect to Analysis Services database.
All components are on the same machine:
Web application
IIS
Visual Studio 2008
SQL Server 2008
My domain account (DOMAINNAME\MyWindowsUsername) is an administrator on the SQL Server and also in "Administrators" group on the local machine.
Web application uses Windows Authentication and identity impersonate="true".
My IIS Windows Authentication settings (I have also tried other combinations but no success...):
Extended Protection: Off
Enable Kernel-mode authentication: true
Enables Providers: NTLM
When I use web application on ASP.NET Development Server (deployed from Visual Studio) then everything works ok. My domain account and corresponding database roles are recognized correctly, and security is working as defined in database roles.
But, when I deploy the same web application (without any changes in code) to IIS I get error (in browser):
An error was encountered in the transport layer.
The peer prematurely closed the connection.
In SQL Profiler (for IIS case when connection fails) I get only these two events:
Audit Login MyWindowsUsername DOMAINNAME
Audit Logout MyWindowsUsername DOMAINNAME
It seems Analysis Services recognizes the impersonated account, but still the connection breaks.
I have noticed that ASP.NET Development Server runs under DOMAINNAME\MyWindowsUsername while IIS under LocalSystem (the default setting). I tried to play with the accounts, adding various system/network account as Analyis Services administrators (just to understand the logic behind this), but also with no success (always the same error).
You must use delegation to pass on the user credential from the web browser to SSAS,
http://msdn.microsoft.com/en-us/library/ff647404.aspx
ASP.NET Development Server simply runs under your log on account, which prevents you from noticing this issue earlier.