Risks Of Single MSSQL Domain Account For Mult Servers?
Jul 20, 2005
Greetings:
I am trying to conceive what risks might be created by running
multiple SQL servers within a domain under a single domain account, as
opposed to 1) running under the local service account or 2) multiple
domain service accounts.
In this case, all the SQL servers are SQL2000 running on Win2003. The
service account is assigned only to the "Domain Users" group.
We do use linked server calls, and I have played with Kerberos and succeeded in getting it up to avoid double hop issues when using Windows Auth. In fact, this is one of the reasons that sparked the question in my mind -- in all the MS Kerberos SQL<->SQL examples, the SQL servers run under a unique service account.
As an aside, most of the servers are "line of business" servers, but HR runs under a unique server with more sensitive information. I don't really think that merits a separate service account, but again, I could well be missing something.
I am mostly looking for food for thought, but concrete examples of gotchas would be appreciated.
I have been tasked with changing our local domain name from .com to .local. I want to make sure I understand the risks to SQL Server 2000 when I make this change. We use SQL for Great Plains version 8. Here is my simple plan:
1. Dis-join all workstations from the .com domain
2. Make a full backup of all databases in SQL Server 2000 -- all databases use the SA account and not NT authentication
3. Dis-join the SQL server
4. Change the domain name
5. Re-join the SQL server box and workstations
6. Launch Great Plains and go home happy!
I am having trouble identifying the risk to my plan and am wondering if:
1. SQL will launch under the new domain
2. The backup I made will restore under the new domain
3. I will experience authentication problems even though we use the SA account?
I am not a DB admin and am feeling a little unsure about this task. Any help on the risks or links to "how to" guides would be appreciated.
During install of SQL Server 2005, we can of course use a domain account or the built-in system account for running the services. I lean toward domain for obvious reasons but would like to know the +/- of each option, why I'd choose one over the other, and what consequences or limitations one may encounter if I choose one over the other.
Hi there,
BOL notes that in order for replication agents to run properly, the SQLServerAgent must run as a domain account which has privileges to log into the other machines involved in replication (under "Security Considerations" and elsewhere). This makes sense; however, I was wondering if there were any repercussions to using duplicate local accounts to establish replication where a domain was not available. In other words, create a local Windows account "johndoe" on both machines (with the same password), grant that account access to SQL Server on both machines, and then have SQL Server Agent run as "johndoe" on both machines. I do not feel this is an ideal solution but I have circumstances under which I may not have a domain available; my preliminary tests seem to work. Also, are there any similar considerations regarding the MSSQLSERVER service, or can I always leave that as local system?
Dave
I have a situation that I have discovered in our QA database that I need to resolve. When I looked at the Activity Monitor for our server, I discovered that a process is running under a domain user account for one of our .Net applications. The problem is that that domain user account has not been created as a SQL login account on the server. I am trying to figure out how someone can log in to the database server with a domain user account that has not been added to SQL Server as a login account.
Does anyone have any insight on this? I don't like the idea of someone being able to create a domain account that can access the database without me granting them specific access.
Doing webforms in ASP.NET and I have a connection string in the web.config that connects to a locally created SQL Server user account.
This is fine; however, when I try to connect to a domain account created by the IT administrator for me, it won't work.
The user name and password he supplied are correct as I logged into my PC (Win 2000) using it to test it. However, when I try to connect to this remote network domain account by changing my connection string it fails... anyone any ideas, or am I missing a subtlety of ASP.NET and SQL connection strings?
Here's the connection string that works... ConnectionString = value="Server=MY-SERVER;Network Library=DBMSSOCN;Initial Catalog=MYDATABASE2;User ID=MrLocalUser;Password=password;"
Here's the connection string that fails... ConnectionString = value="Server=MY-SERVER;Network Library=DBMSSOCN;Initial Catalog=MYDATABASE2;User ID=DOMAIN\MrDomainUser;Password=password;"
I'm doing some testing with security and ran into the following problem. I want to log into the SQL server (from Query Analyzer) using my domain account. To allow this, I went into the Logins section in Enterprise Manager and added my user account as a Windows User. If I set Analyzer to use Windows authentication I am able to log in with no problems. But if it is set to SQL Server authentication and I type in my username (in the format domain\username or username@domain) and password I get a login error. Is there a way to log in to SQL using a domain account without using Windows authentication?
Thanks,
Jason
New to SQL Server. Plan to install SQL Server 2005 Standard Edition on Windows 2k3. After searching a lot of places, I still don't understand what exactly a "domain user account" is. Could someone explain it to me?
1. Is this an OS account on the machine where SQL Server is running?
2. Or, is this an account under the domain controller on another machine? Is this an account on the DNS server? How do I create it?
3. Or, is this an account in SQL Server?
Where is this account located? How do I manage it?
I am seeing a couple of domain\username accounts trying to access SQL 2k5 SP2 and get the error above. The concern I have is these accounts shouldn't be trying to access SQL at all and do not exist in SQL, hence the error. The question I have is how can I track down what is trying to use this account and connect to SQL? Thanks in advance.
John
SQL Server Log:
Message Login failed for user 'DOMAIN ampbell'. [CLIENT: <named pipe>]
I have two servers that are setup to use their local system account. They are in the same workgroup, but aren't on a domain. Is there a way to setup replication without a domain? If so, how?
I recently installed SP1 on 2 servers. For some strange reason I am unable to run the SQL service or the SQL Agent service using the normal SQL service domain account. It has always worked and is currently running on the other server without a problem.
Hi all, I have seen in documents that I can install SS2K on a machine without a network domain connection using a domain account. It said that domain accounts are preferred for some reasons and that this is not limited to machines on a domain, so you should do it on a single PC too. I tried this during installation and entered many different things but no chance: <OS_account>, <machine_name>/<OS_account> ... Would you please tell me what I should enter as the service starter account if I want to use domain users? -Thanks in advance
Hi, I want to use a domain user account not belonging to local admin or domain admin groups in SQL 2000/2005 Enterprise Edition. This is what I've done so far, on the machine that is the Domain Controller:
- installed SQL 2005 as a domain admin
- created a domain user account using Active Directory Users and Computers. This user is only a "Member of" Domain Users; not any Administrators group.
- added this user to SQL Server Management Studio->Logins and in Server Roles assigned the sysadmin role.
Question 1: Do I need to give any additional permissions to this user to work with SQL?
Question 2: How can I test this user for basic SQL operations like database creation? Can I use osql?
Question 3: Can I use this user account to log in to my domain controller using Remote Desktop? I tried adding this user to remote users, but in vain.
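For Question 2, osql -E (and SQL Server Management Studio with Windows authentication) simply uses whatever Windows identity you are logged on with, so testing means logging on as that domain user. On SQL Server 2005 a sysadmin can also test the new login's effective permissions from an existing session by impersonating it. The following is an added example, not from the thread or from Microsoft documentation; DOMAIN\sqltester is a placeholder for the domain account created in Active Directory:

```sql
-- Added example (not from the thread): check what a Windows login can
-- actually do on this instance without logging on as that user.
-- Requires SQL Server 2005 or later. DOMAIN\sqltester is a placeholder.
DECLARE @login sysname;
SET @login = N'DOMAIN\sqltester';

-- 1. The login must exist as its own principal (not only via a group) and
--    must not be disabled, otherwise impersonation fails.
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE name = @login;

-- 2. Impersonate the login and list its effective server-level permissions.
--    sysadmin members can impersonate any login; everyone else needs
--    IMPERSONATE on it. REVERT restores the original context.
EXECUTE AS LOGIN = @login;
SELECT SUSER_NAME()                  AS running_as,
       IS_SRVROLEMEMBER('sysadmin')  AS is_sysadmin;   -- 1 if the role was assigned
SELECT permission_name
FROM fn_my_permissions(NULL, 'SERVER')
ORDER BY permission_name;
REVERT;

-- 3. Least-privilege alternative for "can this account create databases":
--    the dbcreator role covers CREATE/ALTER/DROP DATABASE and nothing else.
--    Uncomment to swap sysadmin for dbcreator.
-- EXEC sp_dropsrvrolemember @login, 'sysadmin';
-- EXEC sp_addsrvrolemember @login, 'dbcreator';
```

Running the block as the instance administrator shows, under the impersonated context, exactly the server permissions the new account will have when it connects on its own; if sysadmin is really only needed for creating databases, the commented-out swap to dbcreator keeps the account from being a second instance administrator.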
I am trying to configure Reporting Services to allow a domain group access to reports. I am able to configure the domain and group (mydomain\grpname) in both Report Manager and BIDS. I'm sure I entered the correct name because I purposely misspelled it and received an error. I think this tells me it is finding the group correctly.
However, when my test user goes to Report Manager, there are no folders displayed. I checked and he is in the domain group I am using. If I explicitly add him (mydomain\andy) to the folders, he can see them and execute the reports.
After searching the forums and other websites, I have checked IIS is using Windows Integrated Security and not anonymous access.
I apologize for the newbie question but I'm looking for the correct answer. We have 4 production SQL servers at this time. When we had originally set them up the "sa" account belonged to the domain administrators group. Since we have a SQL admin team and a domain admin team we would like to remove this privilege. Is this something we can and should do? Our SQL servers use mixed mode authentication and some databases are configured for Windows authentication. I would appreciate any input from the community.
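Both the "process running as an account that has no login" question above and this sa/domain admins question come down to Windows group logins. On SQL Server 2000 and 2005 installs, BUILTIN\Administrators is a sysadmin login by default, so every local administrator (which usually includes the Domain Admins group) connects without an individual login of its own. The following added example, not from the thread, shows how to find the group that admits an account, list who holds sysadmin, and remove BUILTIN\Administrators only after confirming another administrator remains. DOMAIN\appuser is a placeholder for the account seen in Activity Monitor; it needs SQL Server 2005 or later for the catalog views.

```sql
-- Added example (not from the thread). SQL Server 2005 or later.

-- (1) Permission path: which Windows group login admits this account?
--     The 'permission path' column names the group, e.g. BUILTIN\Administrators.
EXEC xp_logininfo @acctname = N'DOMAIN\appuser', @option = 'all';

-- Every Windows group that is a login, with the server roles it carries.
SELECT p.name                 AS group_login,
       p.is_disabled,
       ISNULL(r.name, '(none)') AS server_role
FROM sys.server_principals AS p
LEFT JOIN sys.server_role_members AS rm ON rm.member_principal_id = p.principal_id
LEFT JOIN sys.server_principals   AS r  ON r.principal_id = rm.role_principal_id
WHERE p.type = 'G'                        -- G = Windows group
ORDER BY p.name, r.name;

-- (2) Current sysadmin members.
SELECT m.name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- (3) Drop BUILTIN\Administrators from sysadmin only if some other enabled
--     sysadmin besides sa exists (a DBA group or login), so the SQL admin
--     team cannot lock itself out.
IF EXISTS (SELECT 1
           FROM sys.server_role_members AS rm
           JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
           JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
           WHERE r.name = 'sysadmin'
             AND m.is_disabled = 0
             AND m.name NOT IN ('BUILTIN\Administrators', 'sa'))
BEGIN
    EXEC sp_dropsrvrolemember N'BUILTIN\Administrators', N'sysadmin';
    PRINT 'BUILTIN\Administrators removed from sysadmin.';
END
ELSE
    PRINT 'Create a dedicated DBA sysadmin login first; BUILTIN\Administrators left in place.';
```

Removing the role membership does not stop local administrators from regaining control of the instance (they own the service and the files), but it does mean a domain admin's day-to-day session is no longer silently sysadmin, and the xp_logininfo output is the quickest way to answer "how did this account get in" for any unexpected session.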
I've done some searching, but have found no definite answer yet. Our SQL 2005 servers are members of Active Directory Services. We want to run SQL services using an ADS account.
I see 7 SQL services in the SQL Server Configuration Manager: Integration Services, FullText Search, SQL Server, Analysis Services, Reporting Services, Browser, and Agent.
Question: Is it a bad move to run them all using the same domain account? I mean, wouldn't this give, say the Browser service, more privileges than it needs by allowing its account access to the same resources as, for example, the Agent service? What I'm concerned about is a vulnerability in one service compromising another service.
I would like to be able to use one domain account for all 7 services on two SQL servers, but I have a feeling this is a poor choice.
What is the best method for running SQL services using a domain account?
Hi, I am facing a problem adding a domain group to Reporting Services. While setting the security of a report, I am getting the rsUnknownUserName error while adding a domain group. The group is valid and it does exist. I tried creating a Windows group on the machine running Reporting Services and tried adding the domain group to it, and it was accepted, but Reporting Services is not accepting it. Can somebody tell me what the problem with this is? I am able to add other domain groups belonging to the same domain and SSRS accepts them, but not this particular domain group, which is like any other domain group.
- first machine holds MOSS 2007
- second machine holds SQL 2005 SP2 + MOSS Web Front
The MOSS config. database is on the SQL server. I'm trying to configure Reporting Services on the SQL server in SharePoint Integration Mode. As per Microsoft tutorials I've set up domain accounts for the SQL services. When I use Reporting Services Configuration to configure Web Service Identity to use an App. Pool that runs under a domain account I get this error: "ReportServicesConfigUI.WMIProvider.WMIProviderException: An unknown error has occurred in the WMI Provider. Error Code 800708AC at ReportServicesConfigUI.WMIProvider.RSReportServerAdmin.SetWebServiceIdentity(String applicationPool)"
Database Setup and Windows Service Identity work fine using a domain account. I've searched many forums and Microsoft "How To"s to no avail.
I am running a SQL 2008 R2 install while logged onto the server with a local admin account, not a domain account. I am specifying a domain account to run the SQL service. The install fails saying the service account credentials are invalid but I am 99.9% sure they are right. My theory - the local admin account running Setup cannot validate the service account creds against AD. Is it a requirement to run Setup while logged on with a domain account?
Hello,
My server is part of a W2K domain. What do you advise me as the account to run my SQL Server service: started with a domain user account or as local system? I need advice from a security point of view.
Thanks in advance
I have SQL 2005 installed in a virtual (ESX) environment with a separate DC. Every minute or so an event shows up in the Application Event Log that says:
Type: Failure Audit
User: dgtestdc1$
Computer: sql1
Source: MSSQLSERVER
Category: (4)
Event ID: 18456
Description:
Login failed for user 'dgtestdc1$'. [Client: <ip address>]
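For both the "who is trying to use this account" question earlier and the dgtestdc1$ failures above (a trailing $ marks a computer account, here the domain controller's own identity, so some service on that machine is connecting as Local System or Network Service), the error log only gives the client address or pipe. The default trace, which is on by default in SQL Server 2005 and records the Audit Login Failed event (class 20), also records the client host name, application name and process ID. The following is an added example, not from the thread; xp_readerrorlog's search parameters are undocumented but work on 2005 and later.

```sql
-- Added example (not from the thread). SQL Server 2005 or later.
-- Locate the source of repeated 18456 'Login failed' events.

-- 1. Error log: current log (0) and the previous one (1), filtered to
--    failed logins. The bracketed CLIENT: part is all the log records.
EXEC xp_readerrorlog 0, 1, N'Login failed';
EXEC xp_readerrorlog 1, 1, N'Login failed';

-- 2. Default trace: EventClass 20 = Audit Login Failed. Reads the current
--    rollover file plus the ones before it.
DECLARE @tracefile nvarchar(260);
SELECT @tracefile = path FROM sys.traces WHERE is_default = 1;

SELECT t.StartTime,
       t.LoginName,          -- e.g. DOMAIN\dgtestdc1$ for a machine account
       t.NTDomainName,
       t.NTUserName,
       t.HostName,           -- the client machine, not just its IP
       t.ApplicationName,    -- what connected: SSMS, a monitoring agent, an app pool
       t.ClientProcessID,    -- process ID on that client machine
       t.TextData            -- the same message that went to the error log
FROM sys.fn_trace_gettable(@tracefile, DEFAULT) AS t
WHERE t.EventClass = 20
ORDER BY t.StartTime DESC;

-- 3. Summary: which host/application pairs keep failing, and how often.
SELECT t.LoginName, t.HostName, t.ApplicationName,
       COUNT(*)          AS attempts,
       MIN(t.StartTime)  AS first_seen,
       MAX(t.StartTime)  AS last_seen
FROM sys.fn_trace_gettable(@tracefile, DEFAULT) AS t
WHERE t.EventClass = 20
GROUP BY t.LoginName, t.HostName, t.ApplicationName
ORDER BY attempts DESC;
```

ApplicationName plus ClientProcessID is normally enough to walk up to the client box and find the service that carries the unwanted credentials; once identified, the fix belongs on that client (point it at the right credentials or stop it polling), not in adding a login for it.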
I have a package that needs to be executed from a webpage, which I can get to INITIATE fine. The page calls a stored procedure which in turn starts a package (using DTExec and xp_cmdshell). The problem is that the package reads/writes flat files that most accounts do not have rights to. That being the case I get errors that the file doesn't exist. The package was developed using a domain account which does have access to the files so it obviously runs fine in BIDS.
How do I force the stored package to run under that account when being called by a stored procedure? I've done this with scheduled jobs because I can use a proxy account. Is there something similar that I can do via DTExec?
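The proxy mechanism the poster already uses for scheduled jobs can serve the web page too: the stored procedure starts an Agent job whose SSIS step runs under the proxy, instead of shelling out to dtexec through xp_cmdshell (which runs as the SQL Server service account and requires xp_cmdshell to be enabled). The following added example, not from the thread, sets that up on SQL Server 2005 Agent; every name in it (FileShareSvc, PkgFileProxy, Run_FileImport, the \FileImport package, DOMAIN\svc_fileimport, DOMAIN\webapp) is a placeholder.

```sql
-- Added example (not from the thread). SQL Server 2005 Agent, run as sysadmin.
USE msdb;
GO
-- 1. Credential holding the domain account that can read the flat files.
--    The secret is stored encrypted under the service master key.
CREATE CREDENTIAL FileShareSvc
    WITH IDENTITY = N'DOMAIN\svc_fileimport', SECRET = N'<password placeholder>';
GO
-- 2. Proxy on top of the credential, allowed only for the SSIS subsystem,
--    and granted to the web application's (non-sysadmin) login.
EXEC sp_add_proxy @proxy_name = N'PkgFileProxy', @credential_name = N'FileShareSvc';
EXEC sp_grant_proxy_to_subsystem @proxy_name = N'PkgFileProxy', @subsystem_name = N'SSIS';
EXEC sp_grant_login_to_proxy @login_name = N'DOMAIN\webapp', @proxy_name = N'PkgFileProxy';
GO
-- 3. The web login needs to be an msdb user in SQLAgentUserRole so it can
--    start jobs it owns, and nothing more.
CREATE USER [DOMAIN\webapp] FOR LOGIN [DOMAIN\webapp];
EXEC sp_addrolemember N'SQLAgentUserRole', N'DOMAIN\webapp';
GO
-- 4. Job owned by that login, with one SSIS step that runs under the proxy.
--    @command is the dtexec argument string; /SQL names a package stored in msdb.
EXEC sp_add_job @job_name = N'Run_FileImport', @owner_login_name = N'DOMAIN\webapp';
EXEC sp_add_jobstep @job_name = N'Run_FileImport', @step_name = N'Import',
     @subsystem = N'SSIS', @proxy_name = N'PkgFileProxy',
     @command = N'/SQL "\FileImport" /SERVER "." /REPORTING E';
EXEC sp_add_jobserver @job_name = N'Run_FileImport';
GO
-- 5. The only line the web-facing stored procedure needs (it runs as
--    DOMAIN\webapp). sp_start_job returns immediately; the package runs
--    asynchronously under the proxy identity.
EXEC msdb.dbo.sp_start_job @job_name = N'Run_FileImport';
```

The behavioural difference from xp_cmdshell + dtexec is that sp_start_job does not wait for the package: the procedure returns at once, and completion has to be read from msdb.dbo.sysjobhistory (or from a status table the package writes). In exchange, the file-share credentials never leave msdb, xp_cmdshell can stay disabled, and the web login can start exactly this job and nothing else.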
I'm trying to connect to Analysis Services (AS 2000 Enterprise Edition SP4 on Windows Server 2003 EE, repository is in an Access DB) through Analysis Manager over an HTTPS (HTTP) connection. I don't want to use a domain account.
I need to specify USER_ID and PASSWORD to the Analysis Manager, but in the registration of a new server there is only the IP address or HTTP address (for http://server) - but it doesn't work - it says Unauthorized. I've tried to use the Anonymous account and it doesn't work either (the client wasn't able to make the connection)... I would like to use Basic Authentication.... This account is a member of OLAP_Administrators... but the problem is where should I put USER_ID and PASSWORD???
It works perfectly in Excel 2003.... MSOLAP.asp works fine in IE...
Installed SQL Server 2012 Enterprise. It runs with the built-in account fine.
I tried entering a domain account to run as the service account from SQL Configuration Manager; it fails with the error "the specified network password is not correct".
I tried from services.msc and entered it successfully, but when I try to restart it fails saying the login credentials are wrong.
The domain account and password I entered are just fine. What should I do, or what am I missing?
I am installing SQL Server 2005 on a server (Windows Server Enterprise Edition 2003 SP2) that is not a domain controller and on the screen "Service Account" I checked the box "Customize for each service account" and typed a domain account (it has permission to "log on as a service"), its password and domain, and when I click the "Next" button, I am getting the error below: "SQL Server Setup could not validate the service accounts. Either the service accounts have not been provided for all of the services being installed, or the specified username or password is incorrect. For each service, specify a valid username, password, and domain, or specify a built-in system account."
I have a SQL Server 2005 Express edition instance set up on one server, and IIS on another server.
The SQL Server process account is a domain user account, which I have added to the local groups that SQL Server created during installation (I originally used a local user account instead of domain account; however, the problem occurs with both).
SQL Server runs fine, and if I set my IIS application pool identity to a domain admin, my web app can access the database and retrieve the data necessary.
However, I have a domain user account that I want to use to run the app pool and retrieve the data. The domain user account is added to the IIS_WPG group on the web server. On the database server, I have created a login for the account, as well as added it to the db_datareader role of the database that is used for the site.
However, the user is not able to connect to the SQL Server. I get the "Login failed for user <user account>" error in ASP.NET. I also tried connecting with SQL Server Management Studio, and I get the same error. I checked and the user has connect permission to the database server.
With admin accounts, there are no problems logging in, etc.
Any pointers are appreciated,
Thanks,
SA.
Edit: I was able to find out that the State is 11 for the error. According to http://blogs.msdn.com/sql_protocols/archive/2006/02/21/536201.aspx, this indicates "Valid login but server access failure." I am not sure how to resolve this.
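State 11 means the Windows account authenticated but something at the server level refused the session, so the things to check are the login itself (disabled?), the CONNECT SQL permission (a DENY on the login or on any Windows group it belongs to wins over the GRANT), and the endpoint permission for the protocol in use (CONNECT on the TCP endpoint is granted to public by default; a revoke on public takes it away from every non-admin). The following is an added example, not from the thread, for SQL Server 2005 or later; DOMAIN\apppool is a placeholder for the application pool account.

```sql
-- Added example (not from the thread). SQL Server 2005 or later.
-- Diagnose 18456 state 11 ("valid login but server access failure")
-- for a Windows login. DOMAIN\apppool is a placeholder.
DECLARE @login sysname;
SET @login = N'DOMAIN\apppool';

-- 1. Does the login exist, is it disabled, and is its default database one
--    the account can actually open?
SELECT name, type_desc, is_disabled, default_database_name
FROM sys.server_principals
WHERE name = @login;

-- 2. CONNECT SQL at server scope, for every principal. Look for a DENY on the
--    login or on any Windows group the account is in; DENY beats GRANT.
SELECT pr.name AS principal, pr.type_desc, pe.permission_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class_desc = 'SERVER'
  AND pe.permission_name = 'CONNECT SQL'
ORDER BY pe.state_desc, pr.name;

-- 3. Endpoint permissions. A fresh install shows public GRANTed CONNECT on
--    the TSQL Default TCP / Named Pipes endpoints; if that row is missing or
--    DENYed, only principals with their own GRANT (or sysadmins) get in,
--    which is exactly "admins work, the app pool account does not".
SELECT ep.name AS endpoint, ep.protocol_desc, pr.name AS grantee, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.endpoints          AS ep ON ep.endpoint_id = pe.major_id
JOIN sys.server_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class_desc = 'ENDPOINT'
ORDER BY ep.name, pr.name;

-- 4. Repair for the endpoint case: restore the default grant to public.
--    Uncomment after confirming step 3 is the cause.
-- GRANT CONNECT ON ENDPOINT::[TSQL Default TCP] TO public;
```

Because the failure in the post occurs with Management Studio as well as ASP.NET, the cause is on the server side rather than in the web.config, and the second and third result sets narrow it to a permission rather than a password problem; the admin accounts succeed because sysadmin membership bypasses both checks.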
I have an instance of SSRS that will not run my report subscriptions if it is using a dedicated domain account I made for the express purpose of using it to run this service.
If I have SSRS use my personal domain account as the service account, my subscriptions run correctly. If I have SSRS use this other domain account, the subscriptions do not run.
What else do I have to configure to make this run correctly not on my personal account?
Error message below.
"ERROR: Throwing Microsoft.ReportingServices.Diagnostics.Utilities.ServerConfigurationErrorException: AuthzInitializeContextFromSid: Win32 error: 5; possible reason - service account doesn't have rights to check domain user SIDs., Microsoft.ReportingServices.Diagnostics.Utilities.ServerConfigurationErrorException: The report server has encountered a configuration error. ;"
I am working with a client who is rolling out 50+ VMs based off a template we created. This is SQL 2012 CU1 running on Windows Server 2008 R2. Using the default service account the installer has, it registers fine and we get the following in the SQL log.
The SQL Server Network Interface library successfully registered the Service Principal Name (SPN) [ MSSQLSvc/server.domain.com:1433 ] for the SQL Server service.
When we change to a domain service account through SQL Server Configuration Manager we see the following and cannot connect remotely using integrated authentication:
The SQL Server Network Interface library could not register the Service Principal Name (SPN) [ MSSQLSvc/server.domain.com:1433 ] for the SQL Server service. Windows return code: 0x2098, state: 15. Failure to register a SPN might cause integrated authentication to use NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies and if the SPN has not been manually registered.
My understanding is you should and could change service accounts using the SQL Server Configuration Manager and it would set all permissions. Is there something we need to do in addition to get this up and working?
I installed an NT SQL Server and ran the SQL Enterprise Manager. From the menu bar I selected Server, then clicked Register Server, and a Register Server dialog box showed up.
I then clicked Servers... and hoped to see the active servers on the NT domain. I saw nothing, even if I click Refresh. I know there are several SQL servers running on the same domain. Did I do something wrong during the SQL Server installation process?
Is there an issue with using domain IDs with linked servers in 2K SP3? For some reason I get login failures using domain IDs across linked servers, but SQL logins with the exact same permissions work fine. ?????
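This symptom (SQL logins work across the linked server, Windows logins fail) is the double hop the first post in this page got Kerberos working to avoid: with the default "use self credentials" mapping, a SQL login's password is forwarded to the remote server, but a Windows login's ticket can only be forwarded if the first server is trusted for delegation and has its SPNs registered; otherwise the remote server sees NT AUTHORITY\ANONYMOUS LOGON and rejects it. The following added example, not from the thread, shows how to read the current mappings and how to replace self-credential mapping with an explicit least-privilege SQL login so no delegation is needed. It uses SQL Server 2005 catalog views (on 2000, sp_helplinkedsrvlogin gives the same information); REMOTESQL, DOMAIN\reportuser and linked_reader are placeholders.

```sql
-- Added example (not from the thread). SQL Server 2005 or later catalog views;
-- the procedures also exist on SQL Server 2000.

-- 1. Current login mappings for every linked server.
--    local_principal_id 0 is the default mapping for all unlisted logins.
--    uses_self_credential = 1 means "connect as the caller", which for a
--    Windows caller requires Kerberos delegation on the first server.
SELECT s.name                              AS linked_server,
       ISNULL(p.name, '(all other logins)') AS local_login,
       ll.uses_self_credential,
       ll.remote_name                       -- remote SQL login when mapped explicitly
FROM sys.servers AS s
JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS p ON p.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name, ll.local_principal_id;

-- 2. Map one Windows login to a dedicated, read-only SQL login on the remote
--    side. The remote login should hold only the permissions the linked
--    queries need (e.g. db_datareader in one database).
EXEC sp_addlinkedsrvlogin
     @rmtsrvname  = N'REMOTESQL',
     @useself     = N'false',
     @locallogin  = N'DOMAIN\reportuser',
     @rmtuser     = N'linked_reader',
     @rmtpassword = N'<password placeholder>';

-- 3. Remove the default mapping so logins without an explicit entry cannot
--    use the linked server at all (they get error 7416, "no login-mapping
--    exists"), instead of silently trying self credentials.
EXEC sp_droplinkedsrvlogin @rmtsrvname = N'REMOTESQL', @locallogin = NULL;

-- 4. Verify: only the explicit mapping should remain.
SELECT s.name AS linked_server, p.name AS local_login,
       ll.uses_self_credential, ll.remote_name
FROM sys.servers AS s
JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS p ON p.principal_id = ll.local_principal_id
WHERE s.name = N'REMOTESQL';
```

Explicit mapping sidesteps the delegation problem, but it also changes the trust model: every local login listed in the mapping reaches the remote server as linked_reader, so that remote login's permissions, not the caller's, are the real boundary. That is also why a single shared service account across many instances (the first post's question) widens the blast radius: when the default self-credential mapping is used and the caller is the service account itself, every linked server accepts it with whatever rights that account holds there.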