I am a new user of sqsh, working with SQL Server from a Linux box.
I use sqsh, passing the server name, username and password with the -S, -U parameters.
I am logged in to the Linux box with Active Directory credentials.
Can someone suggest how I can log in to SQL Server from sqsh with Active Directory credentials
so that I do not have to type the password each time?
Sqsh supports single sign on using Kerberos authentication to SAP ASE servers. Take a look at the -K, -R, -V and -Z parameters in the documentation and maybe you can get it to work with MSSQL as well. Unfortunately I do not have the right environment setup with AD to test this out myself.
Unable to connect SQL server with NT AUTHORITY\SYSTEM account. What steps need to be taken to connect to SQL Server with NT Authority\System account?
As checked, I installed PSTools, extracted all files to a specific location and ran cmd.
With below cmd
psexec -i -s ssms.exe
After running the above cmd, I got :
couldn't install
Access denied
You don't say much about the client and what you are supposed to achieve. The part about psexec is quite hard for me to understand.
You can use credentials in two ways from the local network: SQL login and Windows login. I assume you are attempting to use Windows login.
If you, from a windows computer, run a console app or desktop app, you will connect as the user who started the app. In normal terms, you.
Since you get "NT AUTHORITY\SYSTEM", I guess you want to try as similar as possible like a Windows Service. My recommendation is to start the service as a named user "AD\MyServiceAccount". You give access to this user in SQL server.
I recommend you to read about the differences of:
NT AUTHORITY\System
NT AUTHORITY\NetworkService
AD Account
If you are not trying to debug/build a service, but just want to get some SQL Server data in a desktop application, use regular tools and your personal account. If not, SQL login.
If you want to use the Computer Account, you should add AD\$ComputerAccount to the ACL list on SQL Server.
Note: AD being the name of your Active Directory.
I have an installer that's running the SQL Server 2014 Express installer in unattended mode.
Basically, it's creating a command-line and running the setup.
My problem is that I need to be able to connect to the installed instance as admin using SQL Server authentication.
The command-line already contains /SECURITYMODE=SQL. I can create a SQL login and login successfully, so that part of the problem works fine.
My problem is that while I can see sa in sys.server_principals, it's flagged as is_disabled, and I can't login using it.
Is there a way, when running the SQL Server 2014 install unattended, to pass command line arguments that will have it enable sa so I can successfully login using it?
Or some other login, if that's easier.
What I need is a sql_login that I can use to connect to the database as an db administrator without regard for the permissions of the logged-in windows user, after having run the installer in unattended mode.
The full commandline args:
/QS /IACCEPTSQLSERVERLICENSETERMS /ACTION=Install /FEATURES=SQL
/INSTANCENAME=SQLEXPRESS /SAPWD="SQLSVCPASSWORD"
If I login to Windows using an admin account, I can connect to the database using Windows authentication. I can then create a normal SQL Server login. With that, I can then login using SQL Server authentication and that account.
So I'm certain the DB is in mixed mode. And this:
Exec xp_instance_regread N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\MSSQLServer', N'LoginMode'
returns '2'.
My problem is that I need the users to be able to run the software without being a windows admin. And part of what the software needs to be able to do is to drop and create databases, within the instance.
So I need SQL admin permissions, without depending upon the windows user having elevated permissions.
===
The setup tool I'm using is configured using XML files that contain, in them, LUA scripts that build and run the Windows Installer package command lines. Between the nested languages and various levels of escaping, I'd not noticed that the "/SECURITYMODE=SQL" argument was commented out, and not included in the command line.
With it included in the command line, the "sa" user is enabled.
TL;DR If you want the "sa" user enabled, after an install, include "/SECURITYMODE=SQL" on the command line.
You need to specify /SAPWD as well when using /SECURITYMODE=SQL. I am not sure, but if you do not specify the password, it will be disabled by default.
Have a look at this article https://learn.microsoft.com/en-us/sql/database-engine/install-windows/install-sql-server-from-the-command-prompt?view=sql-server-2017 for more information.
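A post-install check for the failure described in this thread, where a dropped /SECURITYMODE=SQL argument left "sa" disabled without any installer error. This is an added example, not code from the original posts; it assumes Windows PowerShell 5.1, the .\SQLEXPRESS instance from the question, and that it runs as a Windows account with sysadmin rights on that instance.

```powershell
# Added example: verify that mixed mode and the "sa" login took effect after setup.
# Get-SqlAuthState is a hypothetical helper name, not part of any SQL Server tooling.
function Get-SqlAuthState {
    param([string]$Instance = '.\SQLEXPRESS')
    # sid 0x01 is the built-in "sa" login even if it has been renamed.
    $query = "SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) AS WindowsOnly, " +
             "(SELECT is_disabled FROM sys.server_principals WHERE sid = 0x01) AS SaDisabled"
    $connStr = "Server=$Instance;Database=master;Integrated Security=SSPI"
    $conn = New-Object System.Data.SqlClient.SqlConnection $connStr
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $reader = $cmd.ExecuteReader()
        [void]$reader.Read()
        [pscustomobject]@{
            WindowsOnly = [bool]$reader['WindowsOnly']   # 1 = Windows authentication only
            SaDisabled  = [bool]$reader['SaDisabled']    # is_disabled flag of "sa"
        }
    } finally {
        $conn.Dispose()
    }
}

$state = Get-SqlAuthState
if ($state.WindowsOnly) {
    throw 'Instance is in Windows-only mode: /SECURITYMODE=SQL was not applied.'
}
if ($state.SaDisabled) {
    throw 'Login "sa" is disabled: check /SECURITYMODE=SQL and /SAPWD on the command line.'
}
'Mixed mode is active and "sa" is enabled.'
```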
I have read many blogs, and many articles relating to how to have my IIS server pass the authenticated user to SQL. I am stuck however on what exactly I need to set my SPN on and to. Here are my settings...
IIS: Application Pool: .Net v4.0, Integrated Pipeline, Identity = NetworkService
Authentication:
ASP.NET Impersonation = True (enabled)
Windows Authentication Enabled
Provider = Negotiate:Kerberos
Disabled Kernel-mode authentication
IIS SERVER:
Trusted for delegation for any service (kerberos only)
SQL SERVER:
Trusted for delegation for any service (kerberos only)
From what I understand with these settings I should be passing the windows account that I am currently logged in as into the IIS server, and it should be passing that token to SQL to authenticate me. However, it is only continuously prompting me for a user / pass from the site.
I found this article http://blog.reveille.org.uk/2010/01/asp-net-impersonation-delegation-2/ that tells me I need to set SPN on the "Machine" using something like this:
setspn -A HTTP/[dns name of the site] [machine name]
I am unsure exactly what SPN(s) I need. Could anyone help me out? I'm thinking it's something like
setspn -A HTTP/mywebserver.mydomain.com mywebserver
Or would it be better to use a domain account in my application pool with the SPN set on those?
Good ol' Kerberos. I'm not going to over-complicate this answer, unless more explanation is requested. I'm going to presume from your question that we are talking about a single server and I will also presume it's domain joined. Hence, I'm going to define the following for my checklist:
Let the NetBIOS name for the server be websvr1
Let the FQDN (fully-qualified domain name) for the server be websvr1.domain.com
And of course, we presume that we are on the domain domain.com
Let the NetBIOS name for the SQL Server be sql1
Let the FQDN for the SQL server be sql1.domain.com
Let the SQL Server service user be DOMAIN\sqlusr
I'm assuming the default SQL Server port of 1433
Having said that, plus taking into account what's already stated in your question, I would try this setup:
First Hop Setup (SPN)
Register the following SPNs
setspn -S HTTP/websvr1.domain.com websvr1$
setspn -S HTTP/websvr1 websvr1$
First Hop Setup (Authentication)
Please include Negotiate and NTLM in the providers in order to allow a fallback mechanism.
NOTE: Ensure Negotiate is on top of NTLM in the providers list.
You don't need to disable Kernel-mode authentication. Honestly, I'm not sure why so many people disable Kernel-mode authentication. Even for application pools running as a domain account, you can use the useAppPoolCredentials="true" attribute to allow Kernel-mode authentication to successfully decrypt a Kerberos ticket encrypted with a domain account.
The rest of your setup is fine.
Second-Hop Setup (SPN)
Just to ensure we cover all possible combinations, set the following SPNs:
setspn -S MSSQLSvc/sql1.domain.com DOMAIN\sqlusr
setspn -S MSSQLSvc/sql1.domain.com:1433 DOMAIN\sqlusr
setspn -S MSSQLSvc/sql1 DOMAIN\sqlusr
setspn -S MSSQLSvc/sql1:1433 DOMAIN\sqlusr
Second-Hop Setup (IIS delegation)
Now that both the IIS and SQL SPNs are set up, you should be able to set up constrained delegation to allow IIS to request an MSSQLSvc service ticket on the currently logged-on user's behalf.
In the AD delegation tab for the DOMAIN\websvr1 computer account, select the "Trust this computer for delegation to the specified services only" option.
Leave the Use Kerberos only
Select the MSSQLSvc\sql1 and MSSQLSvc\sql1.domain.com from the list and add these services.
The setup above is considered a constrained Kerberos delegation, which is much more secure than the unconstrained delegation. And to my understanding that should cover it.
NOTE
I chose to use setspn -S since it will ensure I don't accidentally set duplicate SPNs and break Kerberos authentication. From the example above, please substitute the server names, FQDN and accounts for their real respective values.
NOTE (Again)
For the Web Server SPN, if for some reason the URL host that we are requesting is just a custom DNS entry (please ensure it's an A-record instead of a CNAME, by the way) then you'll need to register said DNS entry instead.
Hopefully the information above helps.
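An audit of the setup this answer describes: the SPNs on both hops, duplicate SPNs, leftover unconstrained delegation, and the constrained delegation targets. This is an added example, not part of the original answer; it assumes the RSAT ActiveDirectory module and reuses the answer's placeholder names (websvr1, sql1, domain.com, sqlusr), and Test-SpnSet is a hypothetical helper.

```powershell
# Added example: read-only audit of the two-hop Kerberos setup (placeholder names).
Import-Module ActiveDirectory

$webServer    = 'websvr1'    # IIS computer account
$sqlAccount   = 'sqlusr'     # SQL Server service account
$expectedHttp = 'HTTP/websvr1.domain.com', 'HTTP/websvr1'
$expectedSql  = 'MSSQLSvc/sql1.domain.com', 'MSSQLSvc/sql1.domain.com:1433',
                'MSSQLSvc/sql1', 'MSSQLSvc/sql1:1433'

function Test-SpnSet {
    param([string[]]$Registered, [string[]]$Expected, [string]$Owner)
    foreach ($spn in $Expected) {
        # -contains compares case-insensitively
        $state = if ($Registered -contains $spn) { 'OK     ' } else { 'MISSING' }
        "{0}  {1}  on {2}" -f $state, $spn, $Owner
    }
}

$web = Get-ADComputer $webServer -Properties servicePrincipalName,
           TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
$sql = Get-ADUser $sqlAccount -Properties servicePrincipalName, TrustedForDelegation

Test-SpnSet $web.servicePrincipalName $expectedHttp $web.SamAccountName
Test-SpnSet $sql.servicePrincipalName $expectedSql  $sql.SamAccountName

# Each SPN must belong to exactly one account; duplicates break Kerberos.
foreach ($spn in ($expectedHttp + $expectedSql)) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    if ($owners.Count -gt 1) {
        "DUPLICATE  $spn  -> " + ($owners.DistinguishedName -join '; ')
    }
}

# Unconstrained delegation ("any service") should be off once constrained is in place.
foreach ($acct in $web, $sql) {
    if ($acct.TrustedForDelegation) { "WARN  $($acct.SamAccountName) is trusted for delegation to ANY service" }
}

# Constrained delegation: the web server may delegate only to the SQL SPNs.
$allowed = @($web.'msDS-AllowedToDelegateTo')
foreach ($target in $allowed) {
    $state = if ($expectedSql -contains $target) { 'OK        ' } else { 'UNEXPECTED' }
    "{0}  delegation target {1}" -f $state, $target
}
if (-not $allowed) { "MISSING  no constrained delegation targets on $webServer" }
if ($web.TrustedToAuthForDelegation) { "NOTE  protocol transition ('Use any authentication protocol') is enabled" }
```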
Just installed SQL Server Management Studio with Tools including LocalDB. Went through entire setup without ever seeing an option to set the sa password nor setup any other users/logins with sysadmin rights. So now I can't actually do anything in SSMS. Permission is denied to create new database, change the sa password, etc. Pretty useless until I can either log in as sa or setup my user with sysadmin rights. What am I missing here?
During setup you should have seen a screen that offered you to choose mixed authentication for the database engine and also add Windows users to the sysadmin server role. Here's what it looked like:
Chances are you blew past it clicking Next > Next > Next. It's ok, we've all done that.
The easiest fix, I think, is to connect using SSMS via PSExec.exe. This will allow you to connect as NT AUTHORITY\SYSTEM, which has inherent sysadmin rights to SQL Server. You launch it with these options:
PsExec -s -i "C:\...path to ssms...\Ssms.exe"
This will run SSMS as NT AUTHORITY\SYSTEM using Windows Auth. You will be prompted to connect to a server, just enter .\SQLEXPRESS (make sure the service is running):
Then you can right-click your instance and change the authentication mode to mixed (Properties > Security), reset the sa password under Security > Logins, and add your Windows login as a sysadmin.
You can also see this answer if that doesn't get you everything:
https://stackoverflow.com/a/12164306/61305
If I want to log into a SQL Server instance using another Windows account can I do this by simply selecting "SQL Server Authentication" as my authentication mode and entering the DOMAIN/username and password for the account I want to use?
Are there any special settings that I need to set in order to get this to work?
No. 'SQL Server Authentication' works only with SQL Server logins, it won't work with a NT login. To log in as another credential have the process run as the credential you desire to run as. Use runas, most likely you want to run SSMS like this:
runas /netonly /user:domain\user "c:\program files\...\ssms.exe"
By specifying the /netonly argument your SSMS will run with the desired NT credential only for remote hosts, locally will have your local credentials. This not only preserves your SSMS environment (last used files, options etc) and doesn't require domain\user to have local privileges, but, more importantly, it works even for a completely unrelated domain. That is if your machine is in domain foo (or not even joined to the domain) and the desired runas is in domain bar, the runas /netonly /user:bar\user ... will run just fine.
The /netonly trick works only if the SQL server host you are connecting to is remote (not on the same machine). If it is local, then your runas must be locally using the desired credential, so remove the /netonly argument.
If you have Windows 7, you can add credentials for other domains via Control Panel > Administrative Tools > Credential Manager. Map your credentials to each server you want to log into.
Then, log into additional machines using Windows Authentication. I think there is a caveat - it will try to log you in to the server using your current domain/username. IF that is rejected, it will lookup any entries you have for that server in Credential Manager, and if those are valid, you will be logged in.
If I understand the question correctly, the solution is just Shift + Right click on your SSMS; that will give you the "connect as different user" option, and that is where you want to put your Windows authentication: Domain\User and password.