As part of the effort for developing a Windows Service, I restored a production database to a test database on the same SQL Server instance, and can access the test database just fine via SSMS. I gave db_owner role to the database to two other users that are unable to login, both getting SQL error
Error: 18456, Severity: 14, State: 38.
Login valid but database unavailable (or login not permissioned)
Here is the basic message which mentions the database in question as the problem.
Login failed for user 'NT AUTHORITY\SYSTEM'. Reason: Failed to open the explicitly specified database 'MedFile_TestDataServer'. [CLIENT: ]
The database is not in "Restoring" status.
First user is NT Authority\System and the second a Windows user. Both credentials are used to run the Windows service that access the database in update mode, the system user from the same server, the Windows user from VS2013 running the service as a command program on my desktop. Both can get at other copies of this same database just by changing the database name so don't think a connection string issue. I have compared every property on the databases that work and do not work and see no differences except the file names and these two logins have less permissions on the databases that they can access.
Almost like this database is being kept unavailable after being restore but I can find no such property set on the database and I can access via SSMS. I've restarted the server containing the database ergo SQL Server as well.
I also tried running the service as a database administrator and get the same error even though that user accesses the db just fine via SSMS.
Is there anything that can make the database "unavailable"?
This is part of software development for a Windows service trying to use a test database. I am using both EF 6.02 and the latest ADO.NET version as well.
Check if your database has "Auto Close" property set to "True". If so, change it to "False".
You can see it from SSMS: right-click on database - Properties - Options.
can you check what is the Default database for those two users?
If you have (accidentally / purposefully) set a default database for the SQL Server Login user, and the user does not ahve permissions to access the database, you'll get this error.
Related
I'm trying to set up a connection to SSMS from SSIS project I'm working on with SQL Server Authentication.
I set up a cube_user login and gave it permission to my database transactions
Here is how I set up my cube_user:
Login Name, password. I also chose the default DB below to transactions, the appropriate DB.
Then in User Mapping tab, I gave user owner permissions and I checked in the appropriate DB
Having done all that, it seems like it should work. I then started an SSIS project and tried to connect to it like this:
As you can the drop down that is supposed to display databases, is blank. However, If i tried to connect to it using Windows Authentication, I am able to see all DBs....
Is there something wrong I'm doing. Can you not connect to SSMS using SQL Server Authentication?
Please check the following things:
In properties of cube_user - that it has at least guest rights on the RDBMS (SQL Server itself). User rights on specific DB will not give the permission to connect to SQL Server. The properties are in SSMS - Security\Logins - specific Login properties - Server Roles. See example below
On the third screenshot where you specify user name and password - specify those of cube_user, not admin.
The reason why you see list of DBs with Windows Auth - you do it under your account which presumably has DBA user rights on the SQL Server.
I'm using the Telegraf input plugin for SQL Server (https://github.com/influxdata/telegraf/tree/master/plugins/inputs/sqlserver) to gather metrics and report to InfluxDB. It works well for SQL Server, but though it supports Azure SQL Database the documentation is a bit sparse.
The database user should be created like this:
CREATE LOGIN [telegraf] WITH PASSWORD = N'password';
GRANT VIEW SERVER STATE TO [telegraf];
GRANT VIEW ANY DEFINITION TO [telegraf];
That works on SQL Server, but in Azure it fails:
Securable class 'server' not supported in this version of SQL Server.
I wonder what I need to grant instead in order to solve this in the best possible way. We have a large number of databases running on the same server in an elastic pool, so if it is possible I would like to use a single user that logs in to the master and collects metrics for all the databases at once (the way it works with SQL Server). If that is impossible I can configure multiple logins and process one database at a time.
Perhaps I can grant VIEW DEFINITION at the database level, but VIEW SERVER STATE does not seem to be supported at all.
So, how should I configure the SQL Database login(s) for Telegraf with the SQL Server plugin to make it work?
EDIT:
Running as the super user for the server works without errors, but only produces metrics for master and tempdb. I need metrics for the many application databases and they are missing. Plus running as the super user is less than ideal.
Running as the super user for the server but connecting to a specific application database (add database in connection string) crashes with a nil pointer dereference and the log complains about VIEW DATABASE STATE permission denied in database master (the super user has access, but apparently not when connecting to a spefic database).
Granting VIEW DATABASE and VIEW DEFINITION to telegraf in an application database and connecting directly to that database as telegraf crashes with a nil pointer dereference and the log says the connection was closed.
EDIT 2:
Created bug report https://github.com/influxdata/telegraf/issues/4222.
EDIT 3:
As of the latest release the plugin works if the server admin account is used, so the issue has been solved. There is still no way to run with a less privileged account in Azure DB.
The answer:
GRANT VIEW SERVER STATE is not supported in Azure SQL Database.
On SQL Database Premium Tiers requires the VIEW DATABASE STATE
permission in the database. Permissions can not be granted in Master,
but the views can be queried in user databases. On SQL Database
Standard and Basic Tiers requires the SQL Database server admin
account due to security requirements following from multi tenancy of
those tiers.
Reason:
SQL Azure SQL is PaaS solution, therefore the most "server" specific features, DMVs, settings are blocked by purpose
References:
Grant View Server State - is it possible for a none SA user to have in Azure SQL?
SQL Azure VIEW DATABASE STATE permission denied in database 'master'
Possible workaround: (which is, anyway does not work in ewramner case)
CREATE LOGIN [telegraf] WITH PASSWORD = N'password';
USE [yourDB]
GRANT VIEW DEFINITION TO [telegraf];
GRANT VIEW DATABASE STATE TO [telegraf];
Therefore, (IMHO), there is no way to make such application working in SQL Azure without changing application code
I have a database application which has been working fine in the past, but since restoring my server a few weeks ago the main user login has stopped working -
I get this error when I try to login from SSMS.
The default database is defined correctly for the user in question, and I can connect to (and query) that database using the sa user. The database is online, set to MULTI_USER, isn't set to emergency status, and isn't part of a database mirror. The user that is being denied access is not a member of a group, and I've confirmed that the default database is set correctly for that user. If I can connect to the database in question using the sa user then clearly there's a problem with my chosen user/login, but I've run out of ideas. Can anyone help?
I'm running SQL Server 2008 on a Windows 2008 Server.
You can get this error in following cases:
database does not exist
database cannot be open (is offline, is restoring, etc)
your login is not mapped to the database
If you are sure that database exists and is online, you user can be orphaned.
This means that the login's sid does not correspond to user's sid, this could be caused by restore.
You can fix tihis by altering your user with login:
alter user MyUser with login = MyLogin
I have a SQL Server 2008 R2 instance and can log in using the sa user. But I want to define another user (administrator) to log in with SQL Server Management Studio, so I did the following:
Logged in to the server in Management Studio as sa.
Right clicked on the database name.
Clicked on properties.
Then under permission, I select the required username (administrator).
And I grant him all the permission.
But when I tried to log in using administrator, I got the following error:
Login failed for user “administator” Error 18456.
Can anyone advise what might be the problem?
If the server encounters an error that prevents a login from succeeding, the client will display the following error mesage.
Msg 18456, Level 14, State 1, Server <server name>, Line 1
Login failed for user '<user name>'
This usually means that your connection request was successfully received by the server name you specified but the server is not able to grant you access for a number of reasons and throws error: 18456.
This eventID sometimes provides also state 1 which actually isn’t that useful as due to security reasons any error is converted to state 1 unless you can check logging on the server.
Microsoft does not provide very useful message boxes so below are some explanations why you get the error.
Invalid userID: SQL Server is not able to find the specified UserID on the server you are trying to get. The most common cause is that this userID hasn’t been granted access on the server but this could be also a simple typo or you accidentally are trying to connect to different server (Typical if you use more than one server)
Invalid password: Wrong password or just a typo. Remember that this username can have different passwords on different servers.
less common errors: The userID might be disabled on the server. Windows login was provided for SQL Authentication (change to Windows Authentication. If you use SSMS you might have to run as different user to use this option). Password might have expired and probably several other reasons….
18456 state 1 explanations: Usually Microsoft SQL Server will give you error state 1 which actually does not mean anything apart from that you have 18456 error. State 1 is used to hide actual state in order to protect the system, which to me makes sense. Below is a list with all different states and for more information about retrieving accurate states visit Understanding "login failed" (Error 18456) error messages in SQL Server 2005
SQL Authentication not enabled: If you use SQL Login for the first time on SQL Server instance than very often error 18456 occurs because Windows Authentication (only) is set in Server properties (security section).
To Access Server Properties,
- Open SQL Server Management Studio, go to Object Explorer pane (use view if you can’t see it).
- Use the connect button to connect to database engine for your server. Once connected you will see it in object explorer.
- Right click server and click properties. Server Properties window will appear.
See below screenshot that might be causing SQL login to fail
You should set Server Authentication to SQL Server Windows Authentication
To resolve this error follow the steps below on computer with SQL Server 2005.
Create new user with Administrator privilege with same username and password as of SQL Server 2008 in operating system.
On SQL Server database create new user by expanding DatabaseNode >> Security >> Login >> - Create New User and add this new user with Windows Authentication radio button selected. - This user can be only added by selected Windows Authentication it is Operating system’s User Login.
Once above two steps are completed when connected from SQL Server 2008 to SQL Server 2005 using Windows Authentication it will connect successfully.
How to fix? Check this link video SQL Server and Windows Authentication Mode page.
Source
You need to add a server login:
Connect to your SQL Server with SSMS as sa.
Drill into the server's Security folder in SSMS's Object Explorer pane.
Right-click on the server's Security > Logins folder that appears in Object Explorer.
Click on New Login... in the context menu that appears.
Provide details of the new login in the Login - New dialog that opens - particularly its General, Server Roles, and User Mappings pages (along the left). (See the screenshots of each page with sample input at the bottom of the answer.)
You may need to add a database user depending on your needs, but a server login (like your sa login) is necessary to connect to the SQL Server instance using Windows or SQL Server authentication. Mapping the new login to a database user (in the Login - New dialog's User Mappings page) will create a new user in the mapped database if you specify a username that does not already exist; alternatively you can map the new login to an existing database user.
Another SO question speaks to the differences between server logins and database users.
Login - New (General page)
SQL Server authentication
or
Windows authentication
Login - New (Server Roles page)
Login - New (User Mappings page)
SQL Server authentication
or
Windows authentication
From server1, I've created a connection to a remote server (server2) with the Linked Server facilities. Both servers are on the same domain. When I log to server1 I can successfully execute my stored procedures from SQL Server Management Studio but when I execute my stored procedures from my browser application I get the following error on server 2.
Error: 18456, Severity: 14, State: 58.
Login failed for user 'sa'. An attempt to login using SQL authentication failed.
Server is configured for Windows authentication only.
I've searched the Internet and Stackoverflow for solutions but I'm not sure what's the best way to solve this issue. I'm sure it involves adding/changing database security settings but I'm unsure where to make these changes.
Thanks in advance.
Right-click the server in Enterprise Manager, select properties, goto Security, and change to SQL Server and Windows Authentication mode.
Mixed mode is required if you want to use sa or any other sql-account for authentication. However i believe that the recommended way is to keep the server at Windows authentication mode, and use domain accounts for authentication. The sa-account is the quick and dirty way.
If you have the exact same security setup on both servers, the link between them should work if you select "Be made using the login's current security context" in the linked server properties. That way, the account will be "inherited" in the connection to the linked server.
Check under Security - Logins on each of the server so that the same account is added to both servers. Also check the properties of both entries, under Server Roles you can try to add the sysadmin-role to make sure the accounts will have access to all databases on the server. You should however limit this access in live environments :)