We are running deployment scripts using pstrami. Part of the deployment is to execute database migrations. The migrations are using an connection string with Integrated Security.
When the script executes on the remote machine the migrations fail with a sql error saying Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
The person executing the script is a domain administrator. Other deployments that we run execute the remote scripts with the user who started the process.
The problem is that the credentials are not hopping to SQL Server for integrated security. You need to do the following:
On the server (the one that is making the SQL Server connection, as administrator run:
Enable-WSManCredSSP -Role server
On the client machine, as administrator run:
Enable-WSManCredSSP -Role client -DelegateComputer YOUR_SERVER_NAME
To open this up to all servers, you can run:
Enable-WSManCredSSP -Role client -DelegateComputer *
Finally, your invoke command make sure you run -authentication credssp. An example:
invoke-command -computername $remoteServer -authentication credssp -scriptblock { write-host "hello!" } -credential $credentials
This is the scenario:
You run the pstrami(deployment) script from desktopA. The script pushes your installation files to serverA. Then on serverA the scripts are run remotely as the person inititating the script from desktopA. One of the steps is to run a sql database upate with fluentmigrator using a connection string paramter using "integrated security" and the database is on serverB.
Connection string example:
$migration_db_connection = Data Source=serverB;Initial Catalog=PropertyDb;Integrated Security=SSPI;
.\migrate.exe /conn "$migration_db_connection" /db SqlServer /a $migration_assembly /profile DEBUG
Pstrami uses the powershell command invoke-command which uses the account you are running the script under as the default user. So, what happens is that when you run the script from desktopA as "jonDoe" it then authenticates on serverA. So your pstrami scripts run under "jonDoe" on serverA. When you execute the fluentmigrator script on serverA as "jonDoe", fluentmigrator returns an error Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. In IIS, you run into an interesting situation when you need to access another resource off of the IIS server and certain fairly common situations occur. When using Integrated Security, anonymous access is disabled, and impersonation is turned on, a Windows security measure kicks in and doesn't allow your site to access resources on any network servers. (http://weblogs.asp.net/owscott/archive/2008/08/22/iis-windows-authentication-and-the-double-hop-issue.aspx)
This is how I got around the Windows Authentication and the Double Hop problem I ran into. Run your migration scripts directly on your sql database server and include it as a server target in your pstrami environments.
Example:
Environment "dev" -servers #(
Server "serverA" #("InstallWeb")
Server "serverB" #("RunMigrations")
)
More on Double Hop
http://www.spdoctor.net/Pages/message.aspx?name=login-failed-for-user-bdc
http://www.sqlservercentral.com/blogs/sqlsandwiches/2011/06/20/double-hop-of-doom/
I am not able to comment on your question and posting this as an answer. I will update the same later.
It may be due to SQL Server not having the login account for your windows login account. If that is the problem please add the logged in user to the SQL Server in the remote machine.
If this is already addressed, then you have the option of giving Rights as DB_Owner to " NT AUTHORITY\ANONYMOUS LOGON " on the SQL Server as well as on the specific database you are using.
Related
On my test environment (Windows Server 2016 with SQL Server 2017), I have a working Powershell DSC configuration in push mode using SqlServerDsc, in which I add logins to the server, add database users to database roles etc. I don't use PsDscRunAsCredential so the Local Configuration Manager on the server uses SYSTEM to connect to the SQL Server instance. In SQL Server, I can see the connection coming in as domainname\computername$. No surprises there.
What I don't understand is how this can work, as domainname\computername$ is not configured as a login, nor are 'NT AUTHORITY\SYSTEM' and 'BUILTIN\Administrators'. EXEC xp_logininfo 'domainname\computername$', 'all';, EXEC xp_logininfo 'NT AUTHORITY\SYSTEM', 'all'; and EXEC xp_logininfo 'BUILTIN\Administrators', 'all'; return empty. I've also run a bunch of security report scripts I've found online, but none of them include useful information.
The SQL Server service runs under a low-privileged domain account.
Does 'NT AUTHORITY\SYSTEM' have some kind of implicit sysadmin permissions in SQL Server? I've been working with SQL Server for quite a few years now, but I can't figure this one out. The only way I can make DSC stop working ('Failed to connect to SQL instance') is by creating a login for 'NT AUTHORITY\SYSTEM' and disabling it, which somehow overrides the implicit permissions (if that's what it is).
Any ideas or pointers? Thanks!
Update: The behavior is the same on a freshly installed instance.
I created a SQL Server Agent job and here is the job detail.
The job owner is my windows domain login.
The type is OS (cmdExec)
Run as SQL Server Agent Service Account
Command:
powershell.exe -executionpolicy bypass -file "D:\MyFolder\myFile.ps1".
When I ran the job it returned an error stating "D:\MyFolder\myFile.ps1" does not exist.
When I run the same command from cmd prompt it works find.
My question is what can I do to make SQL Server Agent Service Account "see" the file?
Thanks,
It's a privilege issue. I just granted read/execute permission to the Network Service login which SQL Server Agent uses.
It works now.
And thanks for all your responses.
I am a local Admin on my machine. Same old thing, my account wasnt added when SQL Server was installed, and I don't want to have to reinstall SQL Server. I went through this blog and it worked until I tried to log and run the commands via SQLCMD or SSMS. I got the error message
"Login failed for user '/'. Reason: Server is in single user mode. Only one administrator can connect at this time.."
I found this blog and added the application name after the m switch http://sqlserver-help.com/2013/12/06/help-how-to-fix-error-reason-server-is-in-single-user-mode-only-one-administrator-can-connect-at-this-time/. But no dice, I still get the above error. The User Account looks fine I guess, I am an Administrator.
Also, I had to start the cmd prompt as an Admin to start sqlserver in single user mode. OR else I couldnt have access to the log files that the instance was using and it was giving me an error to that. So I ran the cmd prompt as admin. But still, I am the same admin trying to run SQLCMD or SSMS. It shoudlnt be telling me there is already an admin logged in, because I am that admin. What am I missing?
This is on SQLExpress, I dunno if that matters
Thanks!
First login to the server: "sqlcmd –A –d master"
.
connect to the master database with the DAC because master is guaranteed to be available if the instance of the Database Engine is started.
Shut down the database server and restart it with minimal configuration:
sqlservr.exe -f -s <instancename>
If it works fine, then you have a problem with your startup configurations and you need to find out which is causing you the issues.
I have a web site and I'm trying to setup a DSN instead of using a connection string because it seems more secure.
The following connection string works fine in my site:
"Server=servername; database=mydb; user id= web.account; password=PassW0rd!; Integrated Security=SSPI"
However, when I try to set up a DSN (using the 64-bit odbc admin) I get the following error:
Connection failed:
SQLState: '28000'
SQL Server Error: 18456
[Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'web.account'
Keep in mind, I'm using the same account and password I use in the connection string (which works). It's weird too because the error occurs right after I click 'Next' on the "How should SQL Server verify the authenticity of the login ID?" page.
It seems like the odbc admin does not even try to connect to the server to verify the credentials. What can I check to prove this / How can I fix this?
Things I've tried:
I have checked the server authentication mode, as proposed in other solutions, and that is set to "SQL Server and Windows Authentication mode", as it should be.
I have tried creating both a User and System DSN - both get the same error, this seems like further evidence that it's not trying to connect to the server to check the credentials.
I have tried the same DSN creation on multiple servers, all have the same problem. Is it possible the SQL Server is refusing these types of connections?
UPDATE 1:
The DBA just told me that the web.account is actually a Windows account, not an SQL account. I guess that's why the odbc isn't working, because it doesn't try to connect as a different windows user, only as the current windows user. So now the question is, how do I set up a DSN with a different windows account? Or, is that even possible?
This post has a response that says DSNs setup with NT authentication are specifically for the entire system, not a specific account, so a runas command could be used from cmd, like so:
runas /netonly /user:domain\web.account "C:\Windows\SysWOW64\odbcad.exe"
It will then ask you for the web.account password. Then you can create a DSN, and this should work.
UPDATE: I had to add the web.account user to my Administration Group using this fine how-to. Then I had to run cmd as my elevated account. Then ran the runas command I showed above. Then, I was finally able to create a non-native DSN, which allowed me to connect to the Data Server as a different Windows user.
Still waiting for DBA to check the logs to say this actually worked or not, but I feel pretty good about it. Will update after confirmation.
Try the following:
Data Source=servername;Initial Catalog=mydn;Persist Security Info=True;User ID=web.account;Password=Passw0rd
This is what I use to connect.
We have some deployment scripts that use a combination of dacpacs through sqlpackage and straight scripts using sqlcmd.
When I execute the sqlpackage dac\sqlpackage.exe /p:BlockOnPossibleDataLoss=False /p:BackupDatabaseBeforeChanges=True /a:Publish /sf:.\somedeploy.dacpac /tcs:"Data Source=MyDB;Initial Catalog=MyCatalog;Trusted_Connection=True;"
I get an error message *** Could not deploy package. Unable to connect to target server. I have login auditing turned on in sql and the message I am getting is Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. [CLIENT: 111.222.223.224]
However, I can run our sql scripts through sqlcmd no problem by using the -E argument.
sqlcmd -i Permissions\CreateSqlUser.sql -S MyDB -E
I am running from a commandline that is set to "Run As Administrator" and am currently signed in as the admin. This is running on a Windows Server 2012 VM. I am using sql 2014. We have other installs that haven't had problems but this is our first 2014 install so we are trying to determine if something changed or if we are missing something and if so what.
If I run from profiler I don't see any audit log error messages. I checked the filters and what events I'm listening for and they all look good. Inside sql when I run exec sys.sp_readerrorlog 0, 1, 'Login Failed' I do get the messgaes to show up. (I might be doign something wrong in profiler). Also they show up in the system event logs. I'm not seeing anyplace where it tells me anything about the user attempting to login though.
If don't use trusted connection for sqlpackage and instead use a username and password it works fine. However, part of what our deployment script does is create the users so our preference would be to not do this.