Is there any way to use SQL Server Auditing when the primary database interaction is from a website without impersonation?
All database actions come from a web application whose connection string uses a single logon / password. In the website, user authentication / creation comes from the membership provider, but is not passed through to the SQL Server. I would like to audit which website user performed which action on the SQL Server using the built-in audit mechanism.
Related
I have a SQL Server database for many users. All users connect to the same database using the same connection string (ie. via the same user ID/pwd which is hard coded into the client side application software).
From a processing perspective on the server, will it make any difference connecting to the database with each user having its own USER name configured on the database where the access rights to the database will be the same for all?
The Oracle Wallet Manager allows admins to store and manage database login credentials securely by wrapping the them in a password-protected container. I have used this in the past to run VBScripts that update tables in an Oracle database, without prompting the user for a password or storing the password in cleartext in the script itself.
Now, I have written some Powershell scripts that update a SQL Server database, but I have had to store the passwords in cleartext in the scripts.
I was wondering if there was an equivalent to the Oracle Wallet feature in SQL Server? Or would I have to store passwords in a text file and encrypt it using Powershell's ConvertFrom-SecureString? I'm looking for a secure and flexible solution.
The easy way for one-off scripts, accessing specific databases, is to use scheduled tasks. You set them to run as a specific account which has the appropriate permissions, then you don't have to worry about SQL Logins or passwords.
If you want something similar to Oracle's Wallet manager, then you should look at Credentials, and Proxies in MS SQL server.
See: Security Questions: Logins Credentials and Proxies
The Credential allows you to store and manage Login information.
A proxy is used by SQL Server Agent to map credentials to SQL Server Agent subsystems (i.e. PowerShell or SSIS).
Here is a link to a detailed guide on creating Credentials and Proxies and: Run Operating System Commands in SQL Agent using PowerShell
I am getting the following error when trying to deploy my SSRS reports on our SQL 2008 R2 Server "The report server cannot decrypt the symmetric key used to access sensitive or encrypted data in a report server database...". Most of the solutions on the Web suggest to delete the encryption keys, then reconfigure the datasources. I am still a beginner in SSRS, Is there another solution to fix this issue, Thanks
After checking this link Microsoft support link, it seems that this is a know issue in SSRS reports. And it seems the only way to fix it is to delete the Encryption keys.
Open Reporting Services Configuration Tool ( Programs->Microsoft SQL
Server 2008 R2 -> Configuration tools -> Reporting Services
Configuration Manager)
Go to Encryption Keys
Click Delete.
This solved my problem
I ran into this with a Microsoft Dynamics CRM 2016 Reporting Extensions Setup after changing the SQL Server Reporting Services account from services.msc. This is because the Microsoft Dynamics CRM 2016 Reporting Extensions Setup requires a non-local service account. https://technet.microsoft.com/en-us/library/hh699754.aspx The key trigger here that is likely the root cause seen in the Haasan's question was the changing of the SQL Server Reporting Services service account without backing up the encryption key. While what he did with deleting encryption keys worked, it has drawbacks of losing that encryption information and if possible, you should use the steps below to revert back to the original service account user and then change the service account using the steps documented below and in the reference article.
The identity account running the instance of Microsoft SQL Server Reporting Services where the Microsoft Dynamics CRM Reporting Extensions are running can’t be the local system or a virtual account. This is required for Microsoft Dynamics CRM reporting to work because the identity account must be added to the PrivReportingGroup Active Directory security group that is used by Microsoft Dynamics CRM.
The long story here is that when changing the SQL Server Reporting Services account, you need to do that from the SQL Server Services Reporting Manager as that will prompt you to back up the Symmetric encryption key that SQL Server Reporting Services uses and restore it with the new service account user.
The Report Server service uses the symmetric key to access the encrypted data in a report server database. This symmetric key is encrypted by using an asymmetric public key that corresponds to the computer and the user account that is used to run the Report Server service. When you change the user account that is used to run the Report Server service, the report server cannot use the asymmetric public key to decrypt the symmetric key. Therefore, the Report Server service cannot use the symmetric key to access the data from the report server database.
This will be doing the following when changing the service account from the SQL Server Reporting Services Reporting Manager:
Automatically adds the new account to the report server group created on the local computer. This group is specified in the access control lists (ACLs) that secure Reporting Services files.
Automatically updates the login permissions on the SQL Server Database Engine instance used to host the report server database. The new account will be added to the RSExecRole.
The database login for the old account will not be removed automatically. Be sure to remove accounts that are no longer in use. For more information, see Administer a Report Server Database (SSRS Native Mode) in SQL Server Books Online.
Granting database permissions to new service account only occurs if you configured the report server database connection to use the service account in the first place. If you configured the report server database connection to use a domain user account or a SQL Server database login, the connection information is not affected by the service account update.
Automatically updates the encryption key to include the profile information of the new account.
If like in my scenario, you happen to know what the previous service account user was, the fix is to change the SQL Server Report Service account user back to the originally specified account and then to use the SQL Server Reporting Services Reporting Manager to change the account and to ensure that you backup the encryption key as that process automates the restore of the encryption key when the new service account user is set.
References: https://msdn.microsoft.com/en-us/library/ms160340.aspx - Configure the Report Server Service Account (SSRS Configuration Manager)
https://support.microsoft.com/en-us/kb/842421 - You receive an error message in the Reporting Services trace log when you restart the Report Server service after you change the user account that is used to run the Report Server service (This is an old KB article, but the general problem and resolution still applies with newer versions of SQL Reporting Services)
Hopefully this might save someone some time if deleting the key is not an option.
I ran into this issue after moving the ReportServer and ReportServerTempDB from a working server to a different environment running Reporting Services. Deleting the encryption keys was not an option and I knew the password used to create the encryption key, so I took a backup of the key from the working server and restored it using Reporting Services Configuration Manager on the new environment. Refreshed the page and the error went away.
I'm want to create a SQl Server login for a IIS web application. Since the Web Application using IIS 7.5 identity, and in addition in production the Sql Server may be in a separate machine, I'm looking for use a user and password based connection string.
Now, I'm a little confused how to create this login in Sql Server 2008 R2. Should I use databawse specific User, or a global login? Should I Database Role or Application Role?
What are the best practices to get a login for an IIS application that don't use Stored Procedures, but makes a use of an ORM tool, like NHibernate?
The following article:
http://msdn.microsoft.com/en-us/library/bb882673.aspx
recommends using Integrated Security to connect to the database.
To cut a long story short: As part of an online database access system I'm writing I want to use the new BLOB access features in SQL 2008 - this means I have to use Windows Authentication when logging into the SQL Server; however due to it's very nature the website front end to all this uses Forms authentication with the membership data stored on that SQL server.
How do I get the web application to impersonate a user account so it can connect to the SQL server, i.e. I don't want to use the account of a user logged into the website. (Not that you could do this as the membership details are stored on the SQL server)
The webserver and the SQL server are on different machines on the same network, there is a user account set up just for the web application to use.
The connection string should look something like:
< add name="MyConnectionString" connectionString="Data Source=THESQLSERVER;Initial Catalog=TheDatabase;Persist Security Info=True; Integrated Security=True;Application Name=CRM.Sales" providerName=""/>
Where you use Integrated Security. Then your application pool should use an identity that has access to your sql server.
You would grant rights to that identity.