I am trying to connect to sql server with forced encryption using sqlcmd.
I have added a certificate to sql server and enabled forced encryption.
But the sqlcmd tool is not able to connect to the sql server. Below is the command I am using:
sqlcmd -S"mymachine.mydomain.dom" -b -d"mydatabase" -i"E:\mysqlfile.sql"
-v mode="Load" -N -U"sa" -P"password"
this works when I remove mydomain.dom and -N option like:
sqlcmd -S"mymachine" -b -d"mydatabase" -i"E:\mysqlfile.sql"
-v mode="Load" -U"sa" -P"password"
What may be the reason?
Edit : I have stored the server certificate in both personal and trusted people store. I also ran the follwing query to check the encryption .
SELECT encrypt_option FROM sys.dm_exec_connections
encrypt_option is true for all the sessins.
Edit 2 : I am using a default instance. The certificate CN is mymachine.mydomain.dom. Also another connection to the same database with encrypt=true and using .net code is working fine. So this doesn't seems to be a certificate issue.
Edit 3 : Tcp/ip is enabled in network configuration. Remote connection is also enabled. I also tried executing sqlcmd as administrator but got the same error.
Related
I am hosting a few linux SQL Server 2019 instances. All connections to these instances should be encrypted, and therefore I enforce the encryption on the server side like this (following the official instructions here):
/opt/mssql/bin/mssql-conf set network.tlscert /etc/opt/mssql/mssql.pem
/opt/mssql/bin/mssql-conf set network.tlskey /etc/opt/mssql/mssql.key
/opt/mssql/bin/mssql-conf set network.tlsprotocols 1.2
/opt/mssql/bin/mssql-conf set network.forceencryption 1
The mssql certificate is a self-signed certificate.
To verify that connections are indeed encrypted I use the following script on the server:
select session_id, encrypt_option from sys.dm_exec_connections
When I execute this on the server I can see that indeed all connections are encrypted (except some entries without a session ID, which I assume are internal connections).
Now comes the puzzling thing: since the certificate is self-signed I expect clients to reject connections if they do not explicitly trust that certificate. However, that appears to only work if the client also explicitly enforces the encryption.
With sqlcmd on a Windows machine that does not trust the certificate I get the following:
> sqlcmd -S db.mydomain.com -U user -P password -Q "select encrypt_option from sys.dm_exec_connections where session_id = ##spid"
encrypt_option
----------------------------------------
TRUE
(1 rows affected)
It seems the encryption is working and I do not get a certificate validation error. However, if I enforce encryption on the client (i.e. -N) I get this:
> sqlcmd -S db.mydomain.com -U user -P password -Q "select encrypt_option from sys.dm_exec_connections where session_id = ##spid" -N
Sqlcmd: Error: Microsoft ODBC Driver 13 for SQL Server : SSL Provider: The certificate chain was issued by an authority that is not trusted.
.
Sqlcmd: Error: Microsoft ODBC Driver 13 for SQL Server : Client unable to establish connection.
If I trust the certificate explicitly (i.e. -C) then the connection succeeds again:
> sqlcmd -S db.mydomain.com -U user -P password -Q "select encrypt_option from sys.dm_exec_connections where session_id = ##spid" -C -N
encrypt_option
----------------------------------------
TRUE
(1 rows affected)
If I add the self-signed certificate to my trusted root authorities on the client machine all connections (with or without -N) also succeed as expected.
The same happens when connecting through SQL Server Management Studio (SSMS). When I just connect to the database with default settings, it works without validation error. If I select Encrypt connection in the Connection Properties then I get a certificate validation error.
Is this normal? I would have expected the client to always validate the certificate, regardless of who enforces encryption.
I am finding some problem trying to connect to a SQL Server instance from an Ubuntu machine using sqlcmd. The SQL server instance run on another server that is an always on MS-SQL Server cluster.
So I installed sqlcmd as explained here: https://learn.microsoft.com/it-it/sql/linux/sql-server-linux-setup-tools?view=sql-server-ver15#ubuntu
The SQL server seems to be reachable because I can successfully connect to the 1433 port of its IP via Telnet.
Then I tried to connect to one of my database on this server, in this way:
./sqlcmd -S MY-IP-ADDRESS -d ESB_WSO2_USER_DB -U datacenter\\wso2DBAdmin
Where:
ESB_WSO2_USER_DB is the DB name
datacenter\wso2DBAdmin is the domain\username
It ask me the password, I insert the password (pretty sure that the credential should be ok) but I am obtaining this error message:
Sqlcmd: Error: Microsoft ODBC Driver 17 for SQL Server : Login failed
for user 'datacenter\wso2DBAdmin'..
Assuming that username and password are correct: what could be the problem? Is it something that could be related to my sqlcmd installation (maybe some missconfiguration), or the driver? or something related to my connection string? or something related to the SQL Server database?
I have setup an Azure app service with a hybrid connection to my local on premise SQL Server 2014.
The connection is just fine I can ping it from app service using tcpping.
However I cannot make the connection to the database. The sqlcmd command fails complaining about the user / pass - but they are correct.
I am using this command
sqlcmd -S <servername> -d Sample_Dev -U xxx -P xxxx -I
I am getting this error:
Sqlcmd: Error: Microsoft SQL Server Native Client 11.0 : Login failed for user 'xxx'
I have searched online for that error and I am unable to make it work. Can you please help me on that ? I really appreciate your help.
Thanks
I was able to make it work by creating a database user directly on mssql and not using AD.
I have my SQLServer 2005 Standard instance configured for mixed mode fine. When using SSMS, none of the sql server logins seem to work. Just "Login failed for user '..'" message. But when I use SQLCMD, it works fine. The behavior is not just for one specific login account. All sql server logins including 'sa' fail when tried via SSMS. Windows logins work fine.
Any ideas?
EDIT1:
When connecting via SQLCMD, I do not specify the -S option. Just the -U and -P
Whereas in SSMS, Server name defaults to the machine name.
In SSMS the server seems to be registered as say xxxxN. When I connect using windows authentication, my ##servername returns xxxx_N.
When I try to use the xxxx_N in SSMS it fails to connect altogether.
Edit2:
When trying via SQLCMD if I give the -S option as xxxxN, it works fine too.
Edit3:
My SQLCMD:
C:...>SQLCMD -U sa -P Password (works)
C:...>SQLCMD -S xxxxN -U sa -P Password (works)
C:...>SQLCMD -U test -P Password (works)
C:...>SQLCMD -S xxxxN -U test -P Password (works)
in SSMS:
ServerType: Database Engine
ServerName: xxxxN
AUthentication: Windows Authentication (works)
ServerType: Database Engine
ServerName: xxxxN
AUthentication: Sql Server Authentication
Login: sa
Password: Password (fail)
ServerType: Database Engine
ServerName: xxxxN
AUthentication: Sql Server Authentication
Login: test
Password: Password (fail)
EDIT 4(Answer)
ODBC connections using sql accounts seem to work fine.
SSMS connections from remote machines work fine also.
This HAS TO BE an issue with local SSMS install. I believe a reinstall would fix this..
Your server/instance name is not consistent between the two.
MyMachineName\Express
is the "most common" instance name.
But yours may vary.
Since sqlcmd "works".
Run sqlcmd, and pass it this command
select [MyServerAndMaybeInstanceName] = ##servername
Then you will know what to put into SSMS ! (ta da!)
EDIT:
You say in sqlcmd, you give it
-U and -P
thus you're using Sql Authentication. (and not windows authentication)
Are you providing Sql Authentication credentials when trying through SSMS ?
I see you said "All sql server logins including 'sa' "
thus you are trying Sql Authentication credentials.
Can you just verify you've tried some Sql Authentication creditials, maybe something besides sa.
EDIT:
Here is a guess, but I hit it one time, a long time ago.
In the SSMS connection box, click "Connection Properties"
Find "Network".
And pick TCP/IP as the network protocol.
especially if the machine is a remote machine.
EDIT:
Here is another poor man's test.
Go to Control Panel /Admin Tools / Data Source (ODBC) / System DSN. And try to add a connection there.
You can also play with the protocols there (named-pipes vs tcp/ip, etc) with the "Client Configuration" button in the Wizard.
From the system where the server is running, I can login using the following command:
sqlcmd -S "ComputerName\InstanceName" -d "DatabaseName" -i "sql.txt" -s"," -o "result.csv"
I want to connect to this server from another machine, So I tried this
sqlcmd -U "UserName" -S "ComputerName\InstanceName" -d "DatabaseName" -i "sql.txt" -s"," -o "result.csv"
"UserName" above is the default user name of the server machine that has administrative privileges. This user account does not have any password.
After issuing that command, it asks for password. Since there is no password, I hit enter. But I get the following error:
Sqlcmd: Error: Microsoft SQL Server Native Client 11.0 : Login failed for user 'UserName'..
SQLCMD Reference
i met this situation:
sqlcmd -S "server" -d "db" -E -i test.sql
which gives "Sqlcmd: Error: Microsoft SQL Server Native Client 11.0 : Login failed for user 'DOMAIN\administrator'.."
but when i switched to:
sqlcmd -S server -d db -E -i test.sql
it works fine. so look out for your double quotes. hope this maybe of help.
-U UserName specifies the name of a SQL Server login, not a Windows user. It seems to me you want to use a Windows user. The proper way to do it is to have a domain, run as a domain user and grant appropriate permissions in SQL to domain group of which you are member. Bare that, you can use runas /netonly /user:ComputerName\UserName sqlcmd -E.
The issue is related to differences between SQL and windows authentication.
In case of windows authentication e.g. in domain environment with several untrusted domains it is only option to use runas.exe /netonly /user:YourTargetDomain\SQLUser to run SQLCMD or Ssms.exe (SQL management studio) under the proper SQL User.
Both sqlcmd and ssms can use Windows (also domain) authentication without any credentials SQLCMD -E (UI option in Studio) but process should be run as a local or domain user configured for NT Authentification in SQL. Or provide SQL user credentials (configured directly on SQL server e.g. SA) - SQLCMD -U SQLUserName -P SQLUserPassword (the second UI option in the Studio).
Commands below can be used to connect to SQL server configured with Windows (NT) authentication (e.g. lab domain user) from machine in separate untrusted domain (e.g. from office laptop with your office domain account - not configured to access the SQL server).
To run SSMS (it is possible to create a windows desktop shortcut, path to ssms can be different, depends on used version and installation preferences):
C:\Windows\System32\runas.exe /netonly /user:MyLabDomain\SqlUser "C:\Program Files (x86)\Microsoft SQL Server\120\Tools\Binn\ManagementStudio\Ssms.exe
To run a query with SQLCMD (in the example, it cleans a table, also can be used as a shortcut):
C:\Windows\System32\runas.exe /netonly /user:MyLabDomain\SqlUser "sqlcmd -S 123.123.12.34 -E -I -Q \"delete FROM TestDB..TestTableToEmpty\""
SSMS or SQLCMD should be installed on machine from which you connect to SQL server.
After run you should enter passwords for the SQL User.
I suppose, these examples may help somebody.