Service account has different database behavior under IIS and task scheduler - sql-server

I run the same script as an application account under IIS, and as a Scheduled task, and i get very different results.
From IIS (as a web page), i can read e.g. field properties, and run very simple queries like
SELECT * FROM SYSTEMINFO
So connection to database is there.
Anything more "advanced", gives get all sorts of errors:
SELECT SYSTEMINFOID FROM SYSTEMINFO
or
SELECT COUNT(*) FROM SYSTEMINFO
or
INSERT INTO SYSTEMINFO ( SYSTEMINFOID ) VALUES (1)
typically gives "[Microsoft][ODBC Microsoft Access Driver] Unknown (SQL-42000)" or "[Microsoft][ODBC Microsoft Access Driver] Overflow (SQL-42000)" which means "missing access or syntax error" according to some ms error message overviews (Quite broad group of errors...)
If the application account is member of Administrators, all works fine (but not a good solution), any other memberships (user, power user, backup operator) gives the same error. (need to reboot server for such changes to take effect, so debugging is time consuming.)
User has local policies to "Replace a process token", and "Adjust memory quotas" granted (as well as run as batch + service).
Environment looks the same (except that in IIS web environment is added), and i can see in task manager that the scripts are run as the application account.
connection string is
DBI:ODBC:driver=Microsoft Access Driver (*.mdb);DBQ=C:\folder\Demo.mdb;
running CGI, Perl 5.18, DBI,
on IIS 8.5 Win2012 std, appliction pool uses the application account,with load user profile, and Impersonate user as True
Setting up the same on Win 2008 R2 works fine.
Connection to e.g. a local ms sql express database gives SSL errors, even if SSL is not in use, and using a sql account for authentication.
Spent four days on looking at all odd combinations, any suggestions for settings I may have overlooked?
(summary: when running as application account, not being an administrator under iis 8.5 the script is running, connection to database works, but anything more than trivial queries results in odd errors. )

Finally found a solution:
in IIS 8.5, for a service account to work, the same user (as pool user) must be set as Application Pass-trough authentication.
Creating an application under the Web Site,
Selecting Basic Settings for this Application, assigning it to a separate pool run by the service account was not enought.
In addtion, the "Pass-throught autentication" must be set as the same user, by selecting the "Connect as..."-button.

Related

How to Delegate Credentials through double hop to SQL Server?

What I am trying to do:
We have a Task Scheduler that kicks off an EXE, which in the course of its runtime, will connect to SQL Server.
So that would be:
taskServer.myDomain triggers the Task Scheduler action
taskServer.myDomain exe runs locally
taskServer.myDomain initiates a connection to sqlServer.myDomain
The scheduled task is associated with a service account (svc_user) that is set to run with highest privilege, run whether the user is logged in or not, and store credentials for access to non-local resources.
The actual behavior
What we are seeing is the Task Scheduler is indeed running as svc_user. It triggers the EXE as expected, and the EXE is also running as svc_user. When the EXE initiates a connection to SQL Server, it errors on authentication.
Looking at the Event Viewer we can see the failure trying to initialize the connection to SQL
Exception Info: System.Data.SqlClient.SqlException
at System.Data.SqlClient.SqlInternalConnectionTds..ctor(System.Data.ProviderBase.DbConnectionPoolIdentity, System.Data.SqlClient.SqlConnectionString, System.Data.SqlClient.SqlCredential, System.Object, System.String, System.Security.SecureString, Boolean, System.Data.SqlClient.SqlConnectionString, System.Data.SqlClient.SessionData, System.Data.ProviderBase.DbConnectionPool, System.String, Boolean, System.Data.SqlClient.SqlAuthenticationProviderManager)
And then looking at the SQL Server logs we can see the root of the issue
Logon,Unknown,Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Could not find a login matching the name provided.
The connection initialized by the EXE to SQL Server is trying to authenticate as ANONYMOUS LOGON.
What I have tried
Background
This issue popped up when our IT team started deploying a GPO lockdown in our environments. So in order to get to this point, we first had to add some GPO exceptions to allow the svc_user to:
log on locally
log on as batch job
Progress?
This is where we started being able to capture the ANONYMOUS LOGON error in SQL Server. From there we tried a handful of other GPO exceptions including
Allow Credential Save
Enable computer and user accounts to be trusted for delegation
The actual issue?
So it would appear that this is a double hop delegation issue. Which eventually led me here and then via the answer, here and here.
So I tried adding GPO policies to allow delegating fresh credentials using the WSMAN/* protocol + wildcard.
Two issues with this:
the Fresh credentials refer to prompted credentials while the EXE is running as a service during off-hours and inheriting the credentials from the TaskScheduler
the WSMAN protocol appears to be used for remote PowerShell sessions (via the original question in the serverfault post) and not SQL Service connections.
So, I added the protocol MSSQLSvc/* to the enabled delegation and tried all permutations of Fresh, Saved and Default delegation. (This was all done in Local Computer Policy -> Computer Configuration -> Administrative Templates -> system -> Credentials Delegation)
Where it gets weird
We have another server, otherServer.myDomain, which we setup with the same TaskSchedule. It is setup with the same GPO memberships, but seems to be able to successfully connect to SQL Server. AFAIK, the servers are identical as far as setup and configuration.
The Present
I have done a bit more digging into anywhere I could think that might offer clues as to how I can feed the credentials through or where they might be falling through. Including watching the traffic between the taskServer and the sqlServer as well as otherServer and sqlServer.
I was able to see NTLM challenges coming from the sqlServer to the taskServer/otherServer.
In the case of taskServer, the NTLM response only has a workstationString=taskServer
On otherServer, the NTLM response has workstationString=otherServer, domainString=myDomain, and userString=svc_user.
Question
What is the disconnect between hop 1 (task scheduler to EXE) and hop 2 (EXE to SQL on sqlServer)? And why does this behavior not match between taskServer and otherServer?
So I finally have an update/solution for this post.
The crux of the issue was a missing SPN. The short answer:
Add an SPN for sqlServer associated with the service account SQL services are running as (not the svc_user)
example: SetSPN -S MSSQLSvc/sqlServer.myDomain myDomain\svc_sql_user
Add another SPN like above but w/ the sql service port
example: SetSPN -S MSSQLSvc/sqlServer.myDomain:1433 myDomain\svc_sql_user
Set the SQL service user account to allow delegation like so

SQL Maintenance Cleanup task not deleting any files, SQL installed on a DC

The generic problem is as listed here SQL Maintenance Cleanup Task Working but Not Deleting but no solutions applicable. Environment: Windows Server 2012R2, AD DS (with policies of course), RDSH/TS Licensing, 1C-server. The primary problem is SQL Server generating insane amount of events per backup plan run, recording a pair of 18456+17052 errors per file to delete. Errors are as follows:
17052: [Microsoft][SQL Server Native Client 11.0][SQL Server]Login failed for user 'DOMAIN\mssql_srv'
18456: Reason: Could not find a login matching the name provided. [CLIENT: 192.168.x.x] (matches localhost)
Given that each pair of errors appears once per file to delete (there are about 6000 files already!), the algorithm looks like this:
First, backup plan task runs xp_delete_file, it enumerates all the files in target folder;
Second, each file is deleted by creating a separate connection to machine with service's credentials;
Each connection fails due to whatever restrictions default DC policy applies, generating the pair of events. Of course the file remains in place.
The workaround is of course assign file delete task to a local script run as system, for example, but the very reason of why does SQL server fail to delete a file remains unknown. Permissions have been checked and verified that both SQL Server Agent and SQL Server service accounts have full control to the folder.
It turned out that this "login missing" is not a Windows login, but rather SQL "login" which was not present for the service account. So I needed to create a "DOMAIN\mssql_srv" login in SSMS, give it "public" access rights and voila, files started to get deleted properly. The reason is explained in comment:
If it's T-SQL step and job owner is member of sysadmin server role, the step is executed under service account.

Permissions issue in SQL Server 2016 and R

We’re very experienced with SQL Server as well as R (as a standalone product). We’ve setup SQL Server 2016 test server (production version from MSDN) with R also installed. The machine works fine, and we’ve tried some rudimentary R, and that works fine as well (which also means that we’ve referred to this article from Microsoft: https://msdn.microsoft.com/en-us/library/mt696069.aspx).
So, the issue we’re having is trying to load an R script from a location on our network. For example:
source(“\\\\MyServer\\MyRDirectory\\MyRScript.R”);
Just in case UNC didn’t work, we tried mapping a network drive to a drive letter, but received the same, “No such file or directory” error message.
There seems to be a permissions issue accessing this file. If we copy that file to the local test server, it works fine. For example, we have no issue with this:
source(“C:\\Temp\\MyRScript.R”);
For this test, I am using SSMS 2016 and I am logged in as a Windows AD user with DBO permissions, and I have permissions to the remote folder. The SQL Server 2016 service accounts are also AD “users” with appropriate permissions. I read that R has its own user group (SQLRUserGroup) and 20 user accounts are in that group – all of this is assigned by SQL Server during the install; these are accounts that are local to the test machine. I suspect this is the issue: R/SQL Server must be trying to access that network folder/file as a local user – not an AD user with appropriate permissions.
Has anyone run into this and found a resolution that you can share?
FYI, as expected, running the following R script in SQL Server 2016 (SSMS):
execute sp_execute_external_script
#language = N’R’
, #script = N’ OutputDataSet<- data.frame(c(USERNAME=Sys.getenv("USERNAME")),HOME=Sys.getenv("HOME"))'
, #input_data_1 = N''
WITH RESULT SETS ((USERNAME varchar(200),HOME varchar(200)))
Reports that my script is running as "MSSQLSERVER01" with a local/home directory and GUID for that user. I'm sure that's the issue, but how do I change that to run as an AD user with proper permissions?
I get the strong feeling that this is not going to be possible, but can anyone here verify?
SQL Server R Services always runs the scripts in the context of worker accounts that are local to the system, for security and isolation purposes. And it is not possible to run them in the AD user context.

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON' - MS SQL Server - possibility of being unable to solve the issue

Why not asking on dba.stackexchange: the description says it is for professionals, which I am not and SO has its "for enthusiasts" part.
I have an error
"Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'"
This is a common error with several possible reasons and solutions. The problem is that I have no knowledge of the database and server administration and credentials authentication topics, thus I will need to spend some significant time understanding what is being said and proposed.
Before I do that I would like to ask if it might be possible for me not to be able to solve the problem due to technical limitations. I will describe the situation in more detail now.
There is an MS SQL Server A with database Adb and table dbo.At. I can read from it. There is also an MS SQL Server B. I can read and write here.
I have MS SQL Server Management Studio 2012 open on my computer. I have a connection with server A open with query "select * from Adb.dbo.At" which works just fine. The connection used Windows Authentication.
I have a connection with server B (Windows Authentication as well) with query "select * from A.Adb.dbo.At" which results in the aforementioned error.
At this point I do have read access to A, I have read and write access to B. I can export data from A and then import it to B using my computer, i.e. I can do a kind of a copy paste and I will end up having what I want. There is no insurmountable wall between these 2 servers with me being the middle man. I simply would like to make it easier. Before I dwell on SPNs, delegations, Kerberos, Active Directory and whatnot I would like to ask if, assuming that I have nothing more than read on A and read/write on B, I might not be able to solve the issue?
It seems I have a "double hop" problem.
https://blogs.technet.microsoft.com/askds/2008/06/13/understanding-kerberos-double-hop/
I have found a workaround. I can use Server Agent on server B. Using this I can use the server to perform some actions, for example query other servers. The Agent jobs are of a specific type (like T-SQL script). For specific job types the Agent can run the jobs in "run as" mode (requires a proxy). I created a proxy referring to my normal Windows login. Sadly T-SQL script type job cannot be executed in "run as" mode. But PowerShell type job can. PowerShell can also execute SQL statements. Thus I have created PowerShell job running with proxy with the command being:
SQLCMD -Q "select * into Bdb.dbo.Bt from A.dbA.dbo.At" -E
This solved my problem.

WiX issue with executing SqlScript at the remote DB

Executing SqlScript at the remote DB causes an error:
Failed to connect to SQL database. (-2147467259 myDB1)
The SqlScript is the following:
<sql:SqlString
Id='UpdateSomething1'
SqlDb='myDB1'
ExecuteOnInstall='yes'
User='SQLUser'
ContinueOnError='no'
ExecuteOnReinstall='no'
ExecuteOnUninstall='no'
Sequence='26'
SQL='[SqlString]'/>
where the Db is:
<sql:SqlDatabase
Id='myDB1'
Database='myDB1'
Server='[DATABASE_SERVER]'
CreateOnInstall='yes'
DropOnInstall='no'
DropOnUninstall='no'
ContinueOnError='no'/>
and the user is:
<util:User
Id="SQLUser"
Name="myUserName1"
Password="password1"/>
The problem does not occur with the local DB.
We extracted more specific error message from the IP traffic (the actual error that the remote MSSQL server throws):
Can not open database "myDb1"
requested by the login. The login
failed. {remote machine name} Login
failed for user {user name}
Thank you for any help and information.
Max
I would need more information to be sure but here are some general observations I've had over the years.
In MSI, you typically run deferred custom actions with no impersonation so that they run as Administrator to support managed/elevated installs where the invoking user doesn't have admin either because they really don't or because UAC hasn't elevated their process.
In InstallShield, and I'm sure WiX is similar, this typically causes a problem for remote database connections. If you have a dialog in the UI sequence to test the connection it will succeed ( when expected to ) because the interactive user has permissions to that database/instance. And if installing locally it will succeed because SYSTEM (typically) has permissions the database/instance. But when installing to a remote instance it will frequently fail because SYSTEM can't authenticate against SQL on the remote machine. Your mileage will improve if using sql authentication ( e.g. SA ).
Personally I have some practices that I follow. If I'm creating a single tier system, I restrict the database to (local). If I'm creating a 2 tier system, I create two installers: one for my database layer which I restrict to (local) and one for my application layer which I then reuse the sqllogin dialog to verify connectivity and write the values out to a web.config or app.config. This allows me to loosely couple the layers and service them independently of each other.
I hope this helps to understand the types of issues that can be encountered. I don't know your exact problem without seeing your environement.
The WiX custom actions are just using standard OLEDB commands to connect to the remote server. If the credentials work locally but not remotely then I'd start by ensuring the credentials are correct. There isn't anything different in the WiX custom actions between local and remote servers.
Looking at your database element I would say that you have not added the User attribute to the sql:SqlDatabase so it is creating the database impersonating the current user.
Try:
<sql:SqlDatabase
Id='myDB1'
Database='myDB1'
Server='[DATABASE_SERVER]'
User='SQLUser'
CreateOnInstall='yes'
DropOnInstall='no'
DropOnUninstall='no'
ContinueOnError='no' />

Resources