in SQL Server 2005 I have an application role that is being used to limit access to my server data from third party applications. Everything is working well, except changing the Application role password.
I set up a small form that allows an administrator to change the App Role password through the front end app. I cannot, however, seem to get the Password field in my approle to accept a parameter.
For example:
declare @newpassword varchar(128)
set @newpassword = 'foo'
ALTER APPLICATION ROLE MyApplicationRole
with PASSWORD = @newpassword
This procedure gives me a syntax error in the last line. It will accept a string in quotes but not a varchar parameter.
I am new user of SQL Server. I have some problems with these words. I want to make my database works in my specified permissions. I will specify permissions with schemas and these schema wants an owner. I want this owner should be my user. When creating a user it needs a valid login. I am selecting my login and it occurs and error says this login has an different user. I am specifying permissions with roles. But i can't make association all of them. I hope i told my problem to you as well. If you explain these words to me and tell me how can i do my database's works with my own schemas, users and roles i'll be grateful. Thanks for advices.
After reading Books Online, I am still confused with Database Role vs Application role.
My intention is to control the end users' authority on the database, where the end users will access through Winforms client application. With proper assignment of schema and database roles to an user, I believe this will enough to control the permisison of an user.
If this is the case, why Application role exists? When and why should I use Application Role? How is it different from Fixed Database Role?
I have 2 users emp_rw (read write) and emp_ro in the database through which application accesses the database.
Now I would like to replace this users with roles and assign emp_rw, emp_ro to roles. Which roles should be created - database roles or application roles what is the difference between application and database roles.
currently I execute the below statement to grant rights on database objects to emp and emp_ro users, can this be changed to grant rights to role instead of user.
grant execute on <function name, procedure name> to emp_ro
Can anyone point me to a good tutorial or give me a run down on using Sql Application roles from my asp.net application. Books Online only give a run down on how to set it up - not how to implement or use it from my code. MSDN no help. Google - same thing.
We have a distributed app that creates it's own instance of sqlexpress when installing. This prevents anyone with sa rights on another instance from accessing our data directly (HIPAA compliance concerns). We are currently looking into making our app easier to install, and want to be able to attach our database to existing instance (if one exists), but still prevent the sa account of that instance from directly accessing/viewing our data. Are application roles the way to accomplish this, is there another way, or is this even possible?
We are looking to make our applications as secure as possible. I am interested in how well Application Roles work to make security tighter.
Have you used Application Roles. If you have, I'd like to know if it helped provide better security or not and if it did, how was it implmented in you production environment. I already know how to get it set up, I'm just wondering if it's really worth the trouble.
I may need to setup an application role(s) fro a SQL 2000 db that is being front-ended by VB6. There are 2 types of functions needed, and admin role with access to all tables, and a user role with access to only specific tables. I know from just a straight db roles, I could set up 2 roles, set their rights, and then add the users to these roles. My questions is if I need the same functionality for an Application role, do I need 2 Application roles, one for the admin, and the other for the user?
We have an an application that was written using OLE DB (ADO) against a SQL 2000 Server that uses an Application role to give rights to the database objects. It connects, calls sp_setapprole and goes on. If the database needs to LOCK a record, it is creating a new ADO Connection and instantiating the Approle again. This model has been working fine up til now.
Now we are installing a SQL 2005 server for the latest version of the product we are working on and are running into an error. The error is Error: 18059, Severity: 20, State: 1. The connection has been dropped because the principal that opened it subsequently assumed a new security context, and then tried to reset the connection under its impersonated security context. This scenario is not supported. See "Impersonation Overview" in Books Online.
It's happening when the second ADO Connection for locking a record is being created and the sp_setapprole is being executed.
One of my questions is what is the problem with executing the approle on a different connection? Our code has not changed, so obviously SQL 2005 is doing something different. The other is What can we do to correct this?
Is the resource pooling different? We had problems in the beginning with approles and figured out through research that we needed to add OLE DB Services=-2 to the connection string to turn off resource pooling.
Is there an extra step to using Approles in SQL 2005?
Any help would be greatly appreciated as we need to resolve this ASAP.
I want to test Application Roles security for our project, I guess it serves the purpose. But the quesion I have is if a developer who can look at the application code know's the "Password" can he set the password from Query Analyser and get acess to the database.
Hi Nerds There are 2 production servers (SQL Server 6.5). One is publisher and the other one is subscriber. Data is replicated from publisher to subscriber which is a transaction based replication. Each day at 8:00PM data comes into publisher and the updations,replication,backup,reporting are carried out till 11:00AM next day. The subscriber server is used as a reporting server and the publishing server is used as the data warehouse server. I want to cleanup a table on the publisher. Since it is replicated on the subscriber, can I do delete operation on the subscriber, make the subscriber server a publisher and the publisher server a subscriber, do replication from publisher(new) to subscriber(new) and again change publisher to subscriber and subscriber to publisher without affecting the production line of the databases. I have to do this between 11:00AM to 8:00PM. Pranav.
Hi, Am migrating my SQL 2000 legacy app to SQL2005 and am dealing with restrictions on the underlying system tables. Have taken advice that Granting VIEW state to all users is heavy handed (especially meta data access at SERVER level). Now looking at Module signing which is great. I can supply SP's which target the few System table/ information schema fields that I require. Now I Sign the Sp's cool, now I grant exec rights to the application role (doesn't work). Create a db role and put my users in it, okay grant role exec on Sp's (fine they work).
However my application runs under an application role always, so my users rights are ignored and it appears that its only the users not the approles who can benefit from the module signing ? I know I can switch too and from approle using cookies but I seem to be going round in cirlces here.
Essentially is there any 'EASY' and 'CONTROLLED' way that my application user who has no rights, who immediately switches to the application role can see the dbName (All rows ) from master.sysdatabases ?
I have an application that segregates data into two differentdatabases. Database A has stored procs that perform joins betweentables in database A and database B. I am thinking that I have reachedthe limits of Application Roles, but correct me if I am wrong.My application creates a connection to database A as 'testuser' withread only access, then executes sp_setapprole to gain read writepermissions. Even then the only way 'testuser' can get data out of thedatabases is via stored procs or views, no access to tables directly.Anyone know of a solution? Here is the error I get:Server: Msg 916, Level 14, State 1, Procedure pr_GetLocationInfo, Line38Server user 'testuser' is not a valid user in database 'DatabaseB'The system user is in fact in database A and B.thanksJason Schaitel
[Posting this in the security forum because in this forum I found a related post.]
I have a problem with SQL Server 2005 and application roles and pooling. I needed to use application roles and I needed to use pooling at the same time for an application. I am using sp_setapprole and sp_unsetapprole. In order to ensure that the application role is always set and unset by the application, I actually developed a custom Data Provider based on the SqlClient Data Provider. I have a custom Connection and Command class that wrap the SqlClient versions. Upon opening my custom Connection class, I execute the sp_setapprole stored procedure. Upon closing or disposing the connection, I call sp_unsetapprole.
This works fine in 99% of my tests. However, I have three or four methods (always the same ones, but one only fails ever so often) that fail, but only under the following circumstances:
Pooling is turned on (but pool size doesn't matter)
I am using my custom Data Provider (using System.Data.SqlClient does not cause this issue... but I am also not using approles then)
When other tests have run in the same test run. I.e. when I run the failing methods by themselves in a test run, there is no problem. So it seems to me that the problem is related to using application roles with pooling turned on. For scalability reasons, we cannot turn pooling off. When the methods fail, I see the following two (2) entries in the SQL Log:
Error: 18059, Severity: 20, State 1.
The connection has been dropped because the principal that opened it subsequently assumed a new security context, and then tried to reset the connection under its impersonated security context. This scenario is not supported. See "Impersonation Overview" in Books Online. I understand the error message somewhat. However, I am not sure why the "reset" of the connection occurs. My code does not call reset anywhere, so it must be something that happens in the background.
I am reviewing code to see if there is possibly a situation where the sp_unsetapprole procedure does not get called or does not get called successfully, but there is a lot of code (in many custom components).
I would like to know if anyone has a suggestion on how to solve this problem, or, find the code that may be causing the problem.
I`m running SQL 6.5 with standard security. We`re running NT 4.0. I am a member of the NT Admin group - which, of course, has sa privileges in SQL Server. I changed the sa password (via Enterpise Manager on my client machine); and it worked. I tested the password change by connecting to ISQL/w - both on my client machine and at the server machine.
However, when I attempted to connect to the server via Enterprise Manager (SEM) - on my client machine - my login attempt failed. But at the server machine, I connected just fine.
Somehow, even though we`re using standard security, I`m getting locked out of SEM because of the new password. Changing the sa password back to what it had been resolved the problem; but the old password was only meant to be temporary.
2.Web app: ================ a.Hard coded into .asp and .aspx b..inc files that have collective connection strings. c.Possible use of file DSNs d.Possibly use of system DSNs
3.Ad-hoc Queries by Users ===============================
4.Maintenance Plans and Jobs etc. ======================================= a. DTS packages b. Replication
Is there anything else that you can add to this list will be helpful. Regards Paresh
After I have changed the SA password and attempt to login I get the following error.
A connection was successfully established with the server, but then an error occurred during the login process. (provider:Shared Memory Provider, error: 0 - No process is on the other end of the pipe.) (Microsoft SQL Server, Error:233)
If I change the password back I can login without any problems. I need to change the SA password.
When I changed the SQL sa account password (it was blank) and then tried to connect to SMS remotely via SMS Administrator Console, I get Connection Failed. It seemed to work for a about 20 minutes and then I get "Connection Failed" when I try to run the console remotely. I used the SQL Enterprise Manager to change the sa password and then I used the SMS Administrator Console to set its SQL Server account to sa with the new password under Site Properties. When I switched it to a blank password in SQL and SMS, it started working again.
From the Application Event Log I seem to be getting a lot of these messages (even now - and it's working): "The description for Event ID ( 1001 ) in Source ( SQLCTR70 ) could not be found. It contains the following insertion string(s): SQL Server not running."
I have also gotten: "The Open Procedure for service "NM" in DLL "nmperf.dll" failed. Performance data for this service will not be available. Status code returned is DWORD 0. "
I don't see any messages from SMS in Event Viewer.
Can the user change their password in Enterprise Manager? When they follow the documentation, this does not seem to work unless they are sa: (I know about sp_password....we are trying to find a GUI method for typical user.)
Expand a server group; then expand a server. Expand Security; then click Logins. In the details pane, right-click the login to modify, and then click Properties. In Password, on the General tab, enter a new password. Confirm the password.
I am using Administrator to log in the WinNT and I have just changed the password of the Administrator. After that, I discover that I cannot use all function in the sql server. Althougt the server is still running, I cannot open the database, login the security manager.
I have checked that the SQL Executive in NT service is assigned to local system account. As you know, there is no place for inputting password. Where can I change the password in order to let the function of sql server run again?
I have SQL Server 2000 the Microsoft SQL Enterprise Mangaer version 8.0 and I don't know the password of sa account and I found this page where it shows how to change it and I tried it but it didnt work for me. Password didnt change So what to do? Is there any way to see the current pw?
I am working with MSDE, but some how the password for sa keep changing by itself. I can reset it by logging in windows authentication mode using osql, but the next day the password does not work again. Please give me some suggestions
A client of mine changed his SA password "because it hadn't been changed in a while". :mad: Now nobody can get into Enterprise Manager - opening EM or trying to right-click > Connect on the server yields an error:
A connection could not be established to SERVER1.
Reason: login failed for user 'sa'.
Please verify SQL Server is running and check your SQL Server Registration properties (by right-clicking on the SERVER1 node) and try again.
Of course, if I right-click on the SERVER1 node, I get the same message.
My client remembers the password he set; I managed to use it to get into Query Analyzer, which I thouhght was weird. But no luck with Enterprise Manager. It's just trying to log in as sa without prompting for a pw.
I already tried running sp_Password in Query Analyzer to change the pw back to what it was. Still can't connect to the SQL Server via Enterprise Manager.
Hi, I know this seems odd but is there any way to change the guest's password? I know this is paradoxical regarding the nature of guest user but if there is any way please clarify me! -Thanks
I just started a new job and no one seems to know the SA password.Here's my plan to change it:1. I've run a trace for a couple of days to verify that there are nojobs or processes that are connecting as SA and that would break if Ichanged the password.2. Before the changing the password I am going to bulk copy out thesysxlogins row for SA so that if things go wrong I can reinset the olddata with the old unknown password (will that work?).3. Log on to the console as Windows administrator and changing the SApassword.Does that make sense? Anyone have any other suggestions?Thanks.
that sounds obvious but I'm stuck... I have an ASP.net application which someone else started and I continue. on the SQL server there was a user X which was used to access the database from the ASP website. I accidently changed the password in the SQL server and now I cant restore the prior settings (trying to reset password to blank or embedding the username and password in the connection string didnt work). it stops on "connection.open" with - "SQLException Login failed for user 'X'" any ideas why that happens and how I can fix it?
Is there an automatic way of changing the Domain user password getting used for running the SQL Server as a Domain user account? I'm taking about EM---Security----Domain User name and the password getting used for running the SQL Server?
We are currently using continuous transactional replication from an OLTP type database to a Reporting database. We recently changed the 'sa' password for the first time since replication was introduced and now the Replication Log Reader job fails to start.
This is the error from the Job Log:
Message 2008-04-14 15:18:24.894 Copyright (c) 2005 Microsoft Corporation 2008-04-14 15:18:24.894 Microsoft SQL Server Replication Agent: logread 2008-04-14 15:18:24.894 2008-04-14 15:18:24.894 The timestamps prepended to the output lines are expressed in terms of UTC time. 2008-04-14 15:18:24.894 User-specified agent parameter values: -Publisher OASV-SQL1 -PublisherDB georgiaoas -Distributor OASV-SQL1 -DistributorSecurityMode 1 -Continuous -XJOBID 0xCE146F975BC43043AB1ECBF42F801C43 -XJOBNAME OASV-SQL1-georgiaoas-1 -XSTEPID 2 -XSUBSYSTEM LogReader -XSERVER OASV-SQL1 -XCMDLINE 0 -XCancelEventHandle 00000730 -XParentProcessHandle 0000075C 2008-04-14 15:18:25.034 Status: 0, code: 20015, text: 'Login failed for user 'sa'.'. 2008-04-14 15:18:25.034 Login failed for user 'sa'.
When we change the 'sa' password back to the previous value, we can start the Log Reader without issue.
We have tried restarting the SQL Server Agent process without success. We have not restarted the SQL Server process due to the server hosting production databases.
I have changed my windows password on my workstation, and the result is that I cannot now access the local databases and services resident on my workstation. I can still access all remote servers, but all attempts to access the local machine have failed. I even changed the password back to the original password, but this has had no effect.
Has anyone had any experience similar to this one? I am at a loss for things to try at this point.