We are migrating our database from one server to another. we user the script provided by Microsoft. The script generates CREATE LOGIN statements with SID for SQL logins and it's successful in this bit. however, it didn't generate SID for windows authentication logins. I understand that those login used windows SID instead. is there anyway to transfer those logins and preserving SIDs?
If you are afraid of orphan users on the new server this is not a problem with windows authenticated logins. There should be no problem to just copy them over as the sid is what ties the login to the sql login user but not in the case of windows authenticated ones.
If there are other reasons for wanting to transfer the sid for auth users this might not be right but I don't see the need for it.
There's no need. The "FROM WINDOWS" clause in the script tells SQL Server to ask the OS for the SID. As long as the new server is in the same domain as the old, it'll get the right SIDs from OS / AD. If the new server is in a different domain, the SIDs will be different and you then have to resolve...see KB 240872 for that.
You can use Transfer Logins task in SSIS (Sql Server Integration Services)
Related
The authentication mode is "Mixed" for my SQL Server 2016.
I'm using SSMS to run cross-server queries.
I've checked the user account & have ensured that the account has proper authority. I can use a different account and run cross-server queries as expected. The account has proper authority to the databases in question and it has authority to them. I've tried everything I've seen on the internet searches I've done and no luck. The account can login using SSMS.
My linked server properties are:
The account's login properties are:
Has anyone else seen this & have a resolution?
** EDIT: rebooting the target server fixed the issue
When creating a linked server you choose the authentication mechanism by which the remote connection will be made. If you select the fourth option (pictured), the remote login must be a Sql Server authenticated login. It cannot be a windows login.
The only way to connect through a linked server using windows authentication is to forward the credentials of the login on the local server. There is no option to specify a windows username and password.
Indeed, there is no way, ever, to specify a password when connecting to a Sql Server with windows credentials, since the whole point of windows credentials is that you're already authenticated. That happened when you logged in to windows in the morning*
You can only (and must always) specify a password if you are using Sql Server authentication.
What seems to be going on in your case is that the linked server may have been created with the wrong security options. This is just easier to explain with an image:
* More precisely, a connection will be made using the account that the client is running under. If you start SSMS using a "runas /user ..." command, then the windows credentials used to connect to servers will be the credentials specified in runas
Using the example below, which is in my App.Config file, are the uid and password values for the SQL Server, or the SQL Server instance, or for the database that is on the SQL Server?
value="server=localhost;database=myDb;uid=myUser;password=myPass;"
Thanks,
ADawn
Sql Server separates the concept of a login from a user. A server instance itself has logins. Individual databases hosted on a server instance have users.
When you want to run a query or otherwise interact with a database, you generally first connect to the server. You supply a username (uid) and password that match a server login. This login in turn maps to a user in one (or more!) databases hosted by that server.
You can see the user mappings by opening Sql Server Management Studio and connecting to your server. In the Object Explorer area expand the Security and then Login folders (just under "Databases"). Double-click a login to open it's Properties window, and find the User Mappings section.
The connection string also includes a database. The purpose here is (again) because a login might map to more than one database. Specifying a database as part of the connection provides context, so you don't need a database name with every table reference in your SQL code.
There's also Windows/Active Directory authentication (Integrated Security). This makes things even messier, because you can set up Active Directory groups (in addition to users) as server logins to manage access for a number of people at once. An Active Directory user can belong to more than one of these groups... and thus map to more than one user in a single database. In my experience, when this happens you tend to get the union of the set of permissions from every database user you could claim, but I haven't studied that situation thoroughly.
server=localhost;
This is the location of the server. You can use the IP address or the name of the computer. Localhost means this code is on the same machine as the SQL server
database=myDb;
This is your database. Such as master (which is a system one)
uid=myUser;
This is a login on the SQL server. Make sure that login has permissions to the database you are trying to access (and subsequent tables). See the picture below, that is a login abc_test.
password=myPass;
The password for the above user
It is possible to have those Logins as Windows Authenticated logins but in my experience in code it's usually SQL Server authentication (mixed mode) logins.
As sniperd said You can create a new login with a new username and password by right clicking on Logins. Or you can use an existing Login name and change its password. Hope this gonna work!
Does anyone have some insight into switching the authentication mode of Logins in SQL Server for sql server authentication to windows authentication by script?
We have too many to simply run through each in SSMS.
The T-SQL solution I've arrived at is to recreate the logins new (and then recreating the users, and the roles ...) but with WINDOWS auth, and remove the old ones (and users...) but this is fraught with risks.
In the spirit of final solutions and closure - I'll bring in the windows accounts through AD groups, with the groups mapped to databases+roles, and do tons of clean-up with the existing SQL server login and user accounts
I created one, but for some reason, I can't either log into it from ssms, either from my computer or another one on the same network.
Will appreciate some help!
If the user you added is a SQL Server User, make sure that the Server instance has been configured to allow SQL Server Authentication. Depending on the Instance installation, it might be set to Windows Authentication Mode, in which case it'll only accept Windows Auth. SQL Users with username and password won't be able to log in.
Could somebody explain how you can have different databases/security when connecting in via Windows Authentication from when someone connects via SQL authentication?
I have a customer who had to put a computer onto their network. When they did this, the computer name changed. When connecting into SQL it now has a different server name.
The thing is if I connect using a SQL username and password, I get the databases that were installed before. However If I connect using windows authentication, I do not get the database.
I would like to know what needs to be changed in order for windows authentication to see the same as a user logging in via SQL authentication.
How can I go about changing the permissions of windows authentication?
Within SQL Server, there are Logins (at the server level) and Users (at the database level). Your SQL Server login obviously has permission to the database(s) you want to see. The logins can also be windows users and/or groups. So, if you add a named windows user as a server login, you can extend that login as users in different databases. You can do the same thing with a group. So, you could have a single login to your sql server that represents all authenticated users in your domain, etc...
So, I think you need to get into SSMS (SQL Server Management Studio) and see what logins and users are defined on your SQL Server.