I'm trying to configure Team Foundation Reporting but without any success.
The App Tier and the Data Tier are in separate servers.
I guess it's not a port/firewall problem, because I opened port 135, and I can see the established connection by using TCPView (from Sysinternals) whenever I click "Populate URLs" in the Reports tab in TFS Administration Console. I can also telnet servername 135 without any problems.
I also checked if WMI service is started in the Data-Tier. And for SQL Server Reporting Services. Also checked for RPC and RPC Locator in both servers. They're all started and automatic.
I also set tfs app user as admin in sql reporting services. Added all kinds of permissions to the tfs user in the Data-Tier server.
I set all user permissions in dcomcnfg.
Allowed all WMI namespaces permissions to the user. (Computer Management -> WMI Control)
Deactivated Windows Firewall in both servers temporarily.
No luck.
However, in the app-tier, when I click Computer Management -> Connect to another computer, and type the data-tier IP, i can't connect. I get the message "Computer xxx cannot be managed. The network path was not found". How is that ? Tried IP, name, and FQDN. I also tried browsing and selecting the computer. Nothing changed.
I'm lost, what could possibly be happening ?
Thanks in Advance!
i'm betting that you're having the double-hop issue. try having your system admin set an spn for the website on the sql server.
you also need the AD permission 'trust for delegation' on the AD Service Account, right?
do that and SetSpn with the service account, that should help I think that the SPN option was spot on
See this answer:
IIS to SQL Server kerberos auth issues
which links to an old but user-friendly troubleshooting web app called DelegConfig. It can try to run the SetSpn commands for you, at least giving you an idea of what they need to be.
I ran into SPN issues when using an externally-accessible URL (+SSL) everywhere.
Related
The company requires we use SQL Server 2016 Reporting Services to generate reports. I attempted to restore a database from a backup, but have encountered permission errors when I go to the web portal URL.
I found some advice online about making sure I had the right permissions enabled, however despite making the http web portal url trusted, a domain account with sysadmin permissions, and running the browser as administrator I still encounter the same error - see images for what I'm dealing with.
I'm simply flummoxed as to what my next step should be.
web service
web portal
I've tried adding the permissions within SSMS and adding my domain account to the sysadmin level, but it hasn't changed anything. I think I must be missing some key setting or misunderstanding where I need to enable a permission.
It turned out to be some error in the registry, we did a full clean and reinstall and it worked.
I have just finished the development of my application on asp.net mvc connected with SQL server, and I will love to deploy it. I want to use Azure App service, but I got an error "Unable to connect to master or target server 'DATABASE_NAME'. You must have a user with the same password in master or target server 'DATABASE_NAME'". I have tried every thing I found online like modifying the SSDT, but nothing changed.
Please is there any recommendation to fix this issue? If not, Please what are other ways for me to launch the application. The application will be used internally for Sales purpose and I don't need any fancy hosting. Thank you in advance.
Did you setup the sql azure firewall to accept connections from your computer?
Even if you set it up once, it is possible that your internet provider attributed a different IP address to your computer. So you must redo your firewall set up again for your computer to be accepted.
It is important to know that only sql logins/passwords are accepted here. So you must give the login/password of the admin user that you mentioned at the moment of creation of you sql server azure (there is a step that sets it up when you create your azure database), or the login/password of a user you created and granted in this database.
Here is what happened. I run a web application on windows server 2008 R2. The app pool it uses runs under LocalSystem account. The application complained about "NT Authority\SYSTEM" not having access to my database, so i added that user to the database. It all worked fine until yesterday, when the application started complaining about "Development\MyMachineName$" not having access to my database. The app pool still is running under "LocalSystem" account. I am confused why is it now changed the identity.
While playing around i ended up removing my username from sql server security. My sql server 2012 instance is running in windows authentication mode. now i cant connect to the sql instance. to fix this found someone suggested to use "psexec -i -s ssms" to launch management studio under "NT Authority\System" account. when i tried this the management studio tries to log on with "Development\MyMachineName$" as well. i am now wondering what happened to "NT Authority\SYSTEM" identity.
Thanks in advance for the upcoming help :)
EDIT:
My SQL Server instance is on same machine as the web application. i.e. its a dev machine where is have iis and sql server running for development.
Lots of stuff going on here, so hopefully this will clarify things for you.
I run a web application on windows server 2008 R2. The app pool it
uses runs under LocalSystem account. The application complained about
"NT Authority\SYSTEM" not having access to my database, so i added
that user to the database.
If the database server is local to the IIS server, that's fine (though I would still use a domain account to run the app pool). If the database server is remote from the IIS Server then the "local system" pool with attempt to authenticate a network resource which will transition to using the computer account Domain\Computer$ (as would network service).
It all worked fine until yesterday, when the application started
complaining about "Development\MyMachineName$" not having access to my
database. The app pool still is running under "LocalSystem" account.
I can't tell from your question if these are the same server or not, more clarification would be needed.
While playing around i ended up removing my username from sql server
security. My sql server 2012 instance is running in windows
authentication mode. now i cant connect to the sql instance. to fix
this found someone suggested to use "psexec -i -s ssms" to launch
management studio under "NT Authority\System" account. when i tried
this the management studio tries to log on with
"Development\MyMachineName$" as well. i am now wondering what happened
to "NT Authority\SYSTEM" identity.
NT Authority\System is a special built in identity and does not traverse network resources, if it needs to it auths as the computer account Domain\Computer$. I don't know the whole setup from your text but for the psexec to work, it'd have to start ssms on the database server or it will continue to use the computer account. If you need access back, be a member of the server admins windows group and start SQL Server up in single user mode - connect with windows authentication (locally) and add your login back in.
We'd need a infrastructure diagram to get more into it, but the basics are:
Built in identities and accounts can't authenticate on a network unless they use the computer object.
Built in identities and accounts are only good for the server they are on and local to.
Giving permissions to anyone who could access that computer (through the computer object) is grossly over-provisioning permissions.
If you are running an application, the identity if yours so you could have been authenticating with your account the whole time testing. While individual threads can have different identities, most applications inherit the identity that spawned the process and in this case is most likely yours.
I think i figured it out. The reason was that when connection string uses computer name then it forwards "MACHINE$" as identity but when it is using localhost then it forwards "SYSTEM" as identity.
I had recently installed SQL server 2012 and I used mostly the default settings. Database works fine and I can happily connect using SSMS (SQL Server Management Studio) but when I connect to the Integration Services Server I get this message
Connecting to the Integration Services service on the computer
"localhost" failed with the following error: "Access is denied."
By default, only administrators have access to the Integration
Services service. On Windows Vista and later, the process must be
running with administrative privileges in order to connect to the
Integration Services service. See the help topic for information on
how to configure access to the service.
here is the screenshot
I am not sure why but I am the domain admin and have full rights over the server. Also why when I connect from my Desktop it can successfully connect, only if I connect from the server itself which gives me this issues. How do I fix this so that I can make SSMS on the server connect to its Integration Services instance.
As I understand it, User Access Control, or UAC, can basically intercept requests for your group membership so in this case, it appears it was preventing your membership getting passed to SQL Server.
Others have noted in their comments that you may still need to right click and run SSMS as an Administrator.
As noted by an astute observer "This is a quick-fix, not a real solution. People shouldn't just be running stuff as administrator. These security walls are in place for a reason" And I agree. UAC is designed to get Windows users into a Principle of least privilege mindset - only escalate to a powerful account when required. The issue is that SSMS is known to not "play well" with UAC. As I see it, this leaves you with three options
You can turn off UAC and get your work done
Leave UAC on and tell your boss you are unable to work
Write your own query tool that is not affected by UAC
Go to all programs Click on Microsoft SQL Server 2012 folder Right click on SQL Server Management Studio Click on Run as Administrator
This should take care of problem for now. (With this you need to always repeat the same process). To avoid this every time and for a more persistent solution you need to get permission(s). Please do the following process and you should be good.
In previous versions of SQL Server, by default when you installed SQL Server all users in the Users group had access to the Integration Services service. When you install the current release of SQL Server, users do not have access to the Integration Services service. The service is secure by default. After SQL Server is installed, the administrator must grant access to the service.
To grant access to the Integration Services service
Run Dcomcnfg.exe. Dcomcnfg.exe provides a user interface for modifying certain settings in the registry.
In the Component Services dialog, expand the Component Services > Computers > My Computer > DCOM Config node.
Right-click Microsoft SQL Server Integration Services 11.0, and then click Properties.
On the Security tab, click Edit in the Launch and Activation Permissions area.
Add users and assign appropriate permissions, and then click Ok.
Repeat steps 4 - 5 for Access Permissions.
Restart SQL Server Management Studio.
Restart the Integration Services Service.
(Source MSDN)
I hope this will help
Right Click on the Sql Server Management Studio and select Run as Administrator and try to connect
if it is installed on the local instance
You should check to see what user the SSIS Service is running under. Go to Start > Run > Type "services.msc" and scroll down to the SQL Server Integration Services 11.0 entry. Right click and check the properties to find out what user it's running under. The second tab should be the LogOn tab. Since you're just running on a local instance, you can set your user as the LogOn User account and SSIS will have the same permissions that you do.
Lost a day of work on that problem. My package has a .NET script task to copy file from a shared network folder to a local folder and I was stuck with the "access denied" exception every time I tried to execute the package from the server (Through SQL Studio). The package works fine when running locally.
Tried many things picked up here and there and at the end of the day what worked is to create a Job (owner is sa) which execute the package as SSISExecutor.
I have to mention that the file on the network has read access for everyone, and that I still don't understand what was wrong.
I recently installed Microsoft SQL Server 2012 on a fresh Windows 7 installation, but whenever I want to run the server, I get the following error:
Error 1069: The service did not start due to a logon failure.
The following user is configured to start the service: NT Service\MSSQL$SQLEXPRESS
How can I fix this problem?
The answer to this may be identical to the problem with full blown SQL Server (NTService\MSSQLSERVER) and this is to reset the password. The ironic thing is, there is no password.
Steps are:
Right click on the Service in the Services mmc
Click Properties
Click on the Log On tab
The password fields will appear to have entries in them...
Blank out both Password fields
Click "OK"
This should re-grant access to the service and it should start up again. Weird?
NOTE: if the problem comes back after a few hours or days, then you probably have a group policy which is overriding your settings and it's coming and taking the right away again.
This happened to me. A policy on the domain was taking away the SQL Server user account's "Log on as a service" rights. You can work around this using JLo's solution, but does not address the group policy problem specifically and it will return next time the group policies are refreshed on the machine.
The specific policy causing the issue for me was:
Under, Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignments: Log on as a service
You can see which policies are being applied to your machine by running the command "rsop" from the command line. Follow the path to the policy listed above and you will see its current value as well as which GPO set the value.
While ("run as SYSTEM") works, people should be advised this means going from a minimum-permissions type account to an account which has all permissions in the world. Which is very much not a recommended setup best practices or security-wise.
If you know what you are doing and know your SQL Server will always be run in an isolated environment (i.e. not on hotel or airport wifi) it's probably fine, but this creates a very real attack vector which can completely compromise a machine if on open internets.
This seems to be an error on Microsoft's part and people should be aware of the implications of the workaround posted.
Short answer:
install Remote Server Administration tools on your SQL Server (it's an optional feature of Windows Server), reboot, then run SQL Server configuration manager, access the service settings for each of the services whose logon account starts with "NT Service...", clear out the password fields and restart the service. Under the covers, SQL Server Config manager will assign these virtual accounts the Log On as a Service right, and you'll be on your way.
tl;dr;
There is a catch-22 between default settings for a windows domain and default install of SQL Server 2012.
As mentioned above, default Windows domain setup will indeed prevent you from defining the "log on as a service" right via Group Policy Edit at the local machine (via GUI at least; if you install Powershell ActiveDirectory module (via Remote Server Administration tools download) you can do it by scripting.
And, by default, SQL Server 2012 setup runs services in "virtual accounts" (NT Service\ prefix, e.g, NT Service\MSSQLServer. These are like local machine accounts, not domain accounts, but you still can't assign them log on as service rights if your server is joined to a domain. SQL Server setup attempts to assign the right at install, and the SQL Server Config Management tool likewise attempts to assign the right when you change logon account.
And the beautiful catch-22 is this: SQL Server tools depend on (some component of) RSAT to assign the logon as service right. If you don't happen to have RSAT installed on your member server, SQL Server Config Manager fails silently trying to apply the setting (despite all the gaudy pre-installation verification it runs) and you end up with services that won't start.
The one hint of this requirement that I was able to find in the blizzard of SQL Server and Virtual Account doc was this: https://msdn.microsoft.com/en-us/library/ms143504.aspx#New_Accounts, search for RSAT.
I had a similar issue that was resolved with the following:
In Services.MSC click on the Log On tab and add the user with minimum privileges and password (on the service that is throwing the login error)
By Starting Sql Server to run as Administrator
If the user is a domain user use Domain username and password
One possibility is when installed sql server data tools Bi,
while sql server was already set up.
Solution:-
1.Just Repair the sql server with the set up instance
if solution does not work ,
than its worth your time meddling with services.msc
I don't know how good of a solution this is it, but after following some of the other answer to this question without success, i resolved setting the connection user of the service MSSQLSERVER to "Local Service".
N.B: i'm using SQL Server 2017.