SQL Server 2008 Linked Server Security - sql-server

From server1, I've created a connection to a remote server (server2) with the Linked Server facilities. Both servers are on the same domain. When I log to server1 I can successfully execute my stored procedures from SQL Server Management Studio but when I execute my stored procedures from my browser application I get the following error on server 2.
Error: 18456, Severity: 14, State: 58.
Login failed for user 'sa'. An attempt to login using SQL authentication failed.
Server is configured for Windows authentication only.
I've searched the Internet and Stackoverflow for solutions but I'm not sure what's the best way to solve this issue. I'm sure it involves adding/changing database security settings but I'm unsure where to make these changes.
Thanks in advance.

Right-click the server in Enterprise Manager, select properties, goto Security, and change to SQL Server and Windows Authentication mode.
Mixed mode is required if you want to use sa or any other sql-account for authentication. However i believe that the recommended way is to keep the server at Windows authentication mode, and use domain accounts for authentication. The sa-account is the quick and dirty way.
If you have the exact same security setup on both servers, the link between them should work if you select "Be made using the login's current security context" in the linked server properties. That way, the account will be "inherited" in the connection to the linked server.
Check under Security - Logins on each of the server so that the same account is added to both servers. Also check the properties of both entries, under Server Roles you can try to add the sysadmin-role to make sure the accounts will have access to all databases on the server. You should however limit this access in live environments :)

Related

Attempting to use an NT account name with SQL Server authentication

The authentication mode is "Mixed" for my SQL Server 2016.
I'm using SSMS to run cross-server queries.
I've checked the user account & have ensured that the account has proper authority. I can use a different account and run cross-server queries as expected. The account has proper authority to the databases in question and it has authority to them. I've tried everything I've seen on the internet searches I've done and no luck. The account can login using SSMS.
My linked server properties are:
The account's login properties are:
Has anyone else seen this & have a resolution?
** EDIT: rebooting the target server fixed the issue
When creating a linked server you choose the authentication mechanism by which the remote connection will be made. If you select the fourth option (pictured), the remote login must be a Sql Server authenticated login. It cannot be a windows login.
The only way to connect through a linked server using windows authentication is to forward the credentials of the login on the local server. There is no option to specify a windows username and password.
Indeed, there is no way, ever, to specify a password when connecting to a Sql Server with windows credentials, since the whole point of windows credentials is that you're already authenticated. That happened when you logged in to windows in the morning*
You can only (and must always) specify a password if you are using Sql Server authentication.
What seems to be going on in your case is that the linked server may have been created with the wrong security options. This is just easier to explain with an image:
* More precisely, a connection will be made using the account that the client is running under. If you start SSMS using a "runas /user ..." command, then the windows credentials used to connect to servers will be the credentials specified in runas

Attempt to migrate SQL Server database to Azure fails with login failed

In SSMS, I'm trying to use the "Deploy Database to SQL Azure Database" utility.
I'm moving a small local database in SQL Server 2012 to Azure for hosting. But after entering the host database server connection parameters I always get a "Login Failed for user,...." error, referencing the name of the local database to be created on the server.
Why this would fail is unclear, since the database does not exist on the cloud server yet. Here is what I have done:
Set up a firewall exception for my local IP address.
Confirmed my server administrator user name and password
So now I am left guessing... Locally I use Windows Authentication. If a database is to be moved to the server, does it have to have SQL Server authentication, as is required on Azure host?
You need to have the SQL server Authentication enabled in order to be able to login to your database when you move it to Azure.
Once, you login through SQL server authentication, you can create your users then and have different logins for different users.
Hope this helps!

Microsoft SQL Data Sync Agent: Server and Database

I'm struggling with Microsoft SQL Data Sync Agent, which I need to setup the windows Azure platform.
In the ms sql data sync agent preview, the "Ping Sync Service" is successfully executed.
My windows firewall is allowing ingoing via port 1433.
The problem is, when I want to "Register":
First, I'm not sure that I enter the correct "Server" and "Database" names.
Second, I'm not sure whether I should use "SQL" or "Windows" Authentication
Third, how do I ensure that the Client Sync Agent has appropriate rights to the database?
Among alot of other trials, my best guess is:
Server " .\SQLEXPRESS"
Database "SiteSqlServer"
but still I get the following 2 error messages:
1) Unable to connect to the Database. PLease check if service account has connectivity, credentials and permissions to connect. Server: "XXX\SQLEXPRESS". Database: "SiteSqlServer".
2) Connection faild. Please check database credentials along with permissions for Microsoft SQL Data Sync Windows service logon account to connect to database with specified credentials.
Other reasons for failure:
Windows Azure SQL databases have to be added on the SQL Data Sync portal.
SQL Server databases lower than SQL Server 2005 SP2 are not supported on the SQL Data Sync.
I'm using: dotnetnuke CMS system and Microsoft webmatrix.
Any idea on how to proceed from here is warmly welcomed!
Thanks!
It seems you are trying to sync SQL Azure with SQL Express which is not supported and not tested. That's why when you try as described above you get that error. Based on my experiences there are issues using with SQL Express and SQL DataSync and SQL Express is not listed helow:
http://msdn.microsoft.com/en-us/library/windowsazure/hh456371.aspx
There are a few articles on internet where a few folks who went ahead and hacked the system to work with some vers'on of SQL Express so you are your own if you wish to try further. An article I found is here:

Windows authentication trusted connection not working

MSSQL Server is in the "abc" domain and have mixed mode authentication.
I am connecting from the machine which is not in domain or in a domain "xyz" but with in the same network using MSSQL Jdbc driver 2.0. I have logged in as admin or account in xyz domain.
It works fine using following url for connection for "sa" or SQL Mode Authentication.
jdbc:sqlserver://%DB_IP%:%DB_PORT%;SelectMethod=cursor;DatabaseName=dbname
It doesn't work For window authentication using credential "MSSQLDomain\username" i.e "abc\username", using following url
jdbc:sqlserver://%DB_IP%:%DB_PORT%;SelectMethod=cursor;integratedSecurity=true;DatabaseName=dbname;
Gives following error.
Login failed for user ''. The user is not associated with a trusted
SQL Server connection.
I have tried adding property Trusted_Connection=Yes to url, but still gives same error.
I don't want to map the drive of the SQL Server. I am able to access the any shared folder of the SQL Server Machine by providing "MSSQLDomain\username" and password.
It works fine for both authentication mode, if both machine is in same domain.
If I am using jtDS Driver from the machine which is not in domain or in "xyz" domain within same network i.e same subnet, it works fine.
This is the deliberate and correct behaviour of Windows Authentication.
It is because the Domain from which you are connecting from, is not the same Windows Domain as the one where your SQL Server instance resides.
I believe there are methods for bridging the Domains so to speak, however they require custom and tricky implementation. You also will have to configure a trust relationship between the domains.
The following thread contains discussions which you will likely find useful.
http://sql-server-performance.com/Community/forums/p/24601/137574.aspx
Changing the login credentials might help,
use SQL authentication instead of nt authentication
https://support.microsoft.com/en-us/kb/555332
Symptoms
After you install Microsoft SQL Server 2014, SQL Server 2012, SQL Server 2008, SQL Server 2005, or SQL Server 2000 and you try to connect to the server that is running SQL Server, you receive one of the following error messages:
Login failed for user '%.*ls'. The login is a SQL Server login and cannot be used with Windows Authentication.%.*ls
Login failed for user ''. The user is not associated with a trusted SQL Server connection. (Microsoft SQL Server, Error: 18452)
Login failed for user ''. (Microsoft SQL Server, Error: 18456)
Resolution
This problem occurs if the user tries to log in with credentials that cannot be validated. This problem can occur in the following scenarios:
Scenario 1:
The login may be a SQL Server login but the server only accepts Windows Authentication
To resolve this issue, configure SQL Server in Mixed Authentication Mode.
Scenario 2:
You are trying to connect by using SQL Server Authentication but the login used does not exist on SQL Server
To resolve this issue, verify that the SQL Server login exists. For more information, see Create a login in SQL Server Books Online.
Scenario 3:
The login may use Windows Authentication but the login is an unrecognized Windows principal
An unrecognized Windows principal means that Windows can't verify the login. This might be because the Windows login is from an untrusted domain. To resolve this issue, verify that you are logged in to the correct domain.
I have been involved with making a SQL server connection cross to domains like that, and it is exceptionally painful. In order to use credentials from another domain, the domain where you are assigning the permissions has to trust the domain, where the account is coming from. IT Pro's are generally VERY reluctant to trust another domain in this manner, and for good reason, so if this trust relationship has not been established it might not be very likely to convince the admins to do this.
Once you have the trust relationship established, you will probably need to register the SPN's for your SQL server in Active Directory, and assign delegation permissions. This type of environment is very difficult to setup, troubleshoot and maintain.
I hope that there is some other way that you can do this, because it sounds like you are headed for a very difficult scenario.
Hope it helps
Rihan

SQL Server linked servers

I want to create a linked server in one sql server to another using the sp_addlinkedserver procedure. When i access the remote server I would like it to logon as me (i.e. using my windows account). How do I do this?
You can do this with the sp_addlinkedsrvlogin procedure:
EXEC master.dbo.sp_addlinkedsrvlogin
#rmtsrvname=N'<your linked server name>',
#useself=N'True',
#locallogin=NULL,
#rmtuser=NULL,
#rmtpassword=NULL
This assumes you log in to the server on which the link was created using Windows authentication.
Following on from Ed Harper above:
You need to set "Security Account Delegation" for the SQL service account to enable it to pass through your login token.
Edit:
This is not a SQL problem. Delegation/pass through authentication is a Windows/AD feature.
It's also used to enable an intranet web site to use the end user windows login to authenticate onto the SQL box where (of course) the web server is a separate box.
In this scenario, you configure the web server for delegation.
In the OP's scenario, we are enabling the 1st SQL box to delegate credentials onto the 2nd box.
Edit2:
The other thread explains this too.
Finally, nothing to do with SQL logins.
This can be maddening to set up. Check this related question:
https://stackoverflow.com/questions/33153/sql-server-to-sql-server-linked-server-setup
With Sql Server 2005 on a 2K3 domain, the most secure way to set up a linked server, unfortunately, is probably to use an old fashioned Sql Login. You have to make a lot of what I consider risky changes to your domain security settings to get it to work with a domain account.
Use SQL Management Studio to see the properties for the linked server.
There you will find your logon information

Resources