SQL SPN Kerberos Authentication
Mar 15, 2007
I have a cluster running win2k and SQL server2k; the app on the server uses Kerberos authentication. All works fine until we need to flip the cluster over - then the registration of the SPN fails - this means we need to keep registering the SPN manually - a bit of a pain, and sometimes people forget to register it, causing us lots of grief.
Does anyone know of a way we can get the SPN to register automatically?
Jul 30, 2015
I use DNS alias to access my database server:
server name is -> SRV100
DNS Alias is -> SQLPROD
I've noticed that, using Windows authentication, if I connect to the server using its server name, the DB Engine uses Kerberos authentication scheme (as it is supposed to do) but if I use Kerberos authentication, I see that the DB Engine uses the NTLM authentication scheme
select client_net_address,auth_scheme from sys.dm_exec_connections
I need to use DNS alias to connect to my server and I want to use Kerberos auth scheme.
Nov 10, 2007
Hi,
We are using SQLServer 2005 SP2. I successfully registered SPN and TCP is enabled and order of protocol are
Shared Memory 1
TCP 2
Named Pipes 3
when I am running
select auth_scheme from sys.dm_exec_connections where session_id=@@spid
still getting NTLM. I disabled all protocols in local client except TCP to no avail.
Interestingly, when I am using SQLServer 2000 client where TCP is enabled and first in order in Client Network, it is working OK and I am getting KERBEROS.
Please help to resolve.
Thanks
--
Farhan
Oct 4, 2007
I have a strange problem.
On almost all clients I can connect to my database server using sqlcmd -S <server> and the connection is authenticated using Kerberos.
On one of my clients the command fails. When I have Named Pipes enabled the connection works fine but is made with NTLM authentication.
All servers and clients are members of the same domain and they are all on the same LAN segment. No firewalls are active anywhere.
Where do I look for a solution?
Mar 12, 2008
Hi,
For the last 2 days, I'm struggling to integrate WSS 3.0 with SP1 with SQL Server 2005 Reporting Services with SP2 with Kerberos authentication.
And finally I'm stuck.
At the moment I've got 2 issues, one is when "Set defaults" on Central Administration site, second is when I'm trying to browse the reporting server for report - using Report Viewer webpart configuration (when selecting "Report").
Before I go further with the error messages, here is my configuration:
WSS 3.0 with SP1 and Reporting Services Add-in:
Computer: SharePoint02 | SharePoint02.led.local
Portal url: http://sharepoint02 | http://sharepoint02.led.local
Admin url: http://sharepointadmin02 | http://sharepointadmin02.led.local
Portal App Pool: LEDSPContentPool
Admin App Pool: LEDSPConfigAcct
SQL Server 2005 with SP2, Reporting Services with SP2, WSS 3.0 with SP1 Front End:
Computer: SharePointDB | SharePointDB.led.local
Front End Portal url: http://sharepointdb | http://sharepointdb.led.local
URL to reporting services: http://sharepointdb/SPSReportServer | http://sharepointdb.led.local/SPSReportServer
Front End App Pool: LEDSPContentPool
Reporting Services App Pool: LEDSPConfigAcct
Report Server Service Account: LEDSPConfigAcct
SQL Server Account: LEDSPConfigAcct
I know I should have separate account.
Service Principals (SPContentPool):
Registered ServicePrincipalNames for CN=SPContentPool,CN=Users,DC=LED,DC=LOCAL:
HTTP/sharepoint02
HTTP/sharepoint02.led.local
Service Principals (SPConfigAcct):
Registered ServicePrincipalNames for CN=SPConfigAcct,CN=Users,DC=LED,DC=LOCAL:
HTTP/sharepointdb
HTTP/sharepointdb.led.local
MSSQLSrv/sharepointdb.led.local:1433
HTTP/sharepointadmin02.led.local
HTTP/sharepointadmin02
Reporting add-in is activated, I'm able to specify the report server (http://sharepointdb.led.local/SPSReportServer) and to grant permission.
1) FIRST ISSUE
However when I'm trying to set the defaults for Reporting Services from Central administration I'm getting following error:
The target location you specified is not supported by the report server. A report definition (.rdl), report model (.smdl), resource, or shared data source (.rsds) file must be located within a library or a folder within it. ---> The target location you specified is not supported by the report server. A report definition (.rdl), report model (.smdl), resource, or shared data source (.rsds) file must be located within a library or a folder within it.
Reporting Server error message is:
w3wp!library!1!03/12/2008-12:15:23:: e ERROR: Throwing Microsoft.ReportingServices.Diagnostics.Utilities.ContainerTypeNotSupportedException: The target location you specified is not supported by the report server. A report definition (.rdl), report model (.smdl), resource, or shared data source (.rsds) file must be located within a library or a folder within it., ;
Info: Microsoft.ReportingServices.Diagnostics.Utilities.ContainerTypeNotSupportedException: The target location you specified is not supported by the report server. A report definition (.rdl), report model (.smdl), resource, or shared data source (.rsds) file must be located within a library or a folder within it.
w3wp!library!1!03/12/2008-12:15:39:: Call to GetDataSourceContentsAction(http://sharepoint02.led.local/lrs/Reports/SHAREPOINTDB.rsds).
w3wp!library!5!03/12/2008-12:15:49:: Call to GetDataSourceContentsAction(http://sharepoint02.led.local/lrs/Reports/SHAREPOINTDB.rsds).
w3wp!library!1!03/12/2008-12:15:52:: Call to GetDataSourceContentsAction(http://sharepoint02.led.local/lrs/Reports/SHAREPOINTDB.rsds).
w3wp!library!1!03/12/2008-12:15:55:: Call to GetDataSourceContentsAction(http://sharepoint02.led.local/lrs/Reports/SHAREPOINTDB.rsds).
w3wp!library!1!03/12/2008-12:16:07:: Call to GetDataSourceContentsAction(http://sharepoint02.led.local/lrs/Reports/SHAREPOINTDB.rsds).
w3wp!library!1!03/12/2008-12:16:59:: Call to GetDataSourceContentsAction(http://sharepoint02.led.local/lrs/Reports/SHAREPOINTDB.rsds).
w3wp!library!1!03/12/2008-12:17:11:: Call to GetPermissionsAction(http://sharepoint02.led.local/lrs/Reports/TestSharepoint.rdl).
This error message then repeats a few times, usually always after:
w3wp!library!5!03/12/2008-11:18:16:: Call to GetSystemPropertiesAction().
2) SECOND ISSUE
When I'm trying to add Report Viewer (I'm logged in as Portal administrator) and then select the report from web part settings, I'm getting:
Server was unable to process request. ---> The request failed with HTTP status 401: Unauthorized.
When I'm looking at the Event log in SharePointDB I see Anonymous login:
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 12/03/2008
Time: 12:13:07
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: SHAREPOINTDB
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x12C0209E)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SHAREPOINT02
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.192.65.67
Source Port: 1705
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Is there any chance to solve these issues? What did I do wrong?
I would really appreciate any help!
Cheers,
Jakub G
Aug 10, 2007
Hello,
I have configured Kerberos delegation for several web services. One of the web services calls SSIS packages, but the packages don't run with the expected impersonated user: the package starts with the impersonated user, but continues with the ASPNET user (which is not allowed to execute SSIS and connect to DB).
If the web service is called directly (no delegation), SSIS packages run with the correct user. It looks like there is an authentication issue, but Kerberos is configured and web services can run from one to another with the impersonated user. The issue occurred only when I call SSIS packages.
Here is an extract of the SSIS log file:
<dtslog>
<record>
<event>PackageStart</event>
<message>Beginning of package execution.
</message>
<computer>WKS-GE-BRAZILIA</computer>
<operator>WKS-GE-BRAZILIA\Pascal.Brun</operator>
<source>ImportMonthlyCSV</source>
<sourceid>{D053CB99-FDE4-492D-83BC-821E1B34704B}</sourceid>
<executionid>{EA9C1929-4131-4FDD-A6FC-560E01A65536}</executionid>
<starttime>09.08.2007 17:31:02</starttime>
<endtime>09.08.2007 17:31:02</endtime>
<datacode>0</datacode>
<databytes>0x</databytes>
</record>
<record>
<event>OnError</event>
<message>SSIS Error Code DTS_E_CANNOTACQUIRECONNECTIONFROMCONNECTIONMANAGER. The AcquireConnection method call to the connection manager "Data Warehouse" failed with error code 0xC0202009. There may be error messages posted before this with more information on why the AcquireConnection method call failed.
</message>
<computer>WKS-GE-BRAZILIA</computer>
<operator>WKS-GE-BRAZILIA\ASPNET</operator>
<source>Import CSV</source>
<sourceid>{284D3166-F372-4B03-86C1-75A4D8DC9A5C}</sourceid>
<executionid>{EA9C1929-4131-4FDD-A6FC-560E01A65536}</executionid>
<starttime>09.08.2007 17:31:02</starttime>
<endtime>09.08.2007 17:31:02</endtime>
<datacode>-1071611876</datacode>
<databytes>0x</databytes>
</record>
...
Any help is required.
Thanks in advance.
May 21, 2008
Like many others, I am having trouble getting this to work, and none of the solutions I have found on the inter-tubes seems to work for me:
"An unexpected error occurred while connecting to the report server. Verify that the report server is available and configured for SharePoint integrated mode. --> The request failed with HTTP status 401: Unauthorized."
The Setup:
MOSS/SSRS (Integration Mode) running on a server farm on a single server: myserver.mydomain.org
Service Account for all Services: mydomain\myaccount (trusted for delegation, member of IIS_WPG)
myserver trusted for delegation
SSAS running under Local System on ssas.mydomain.org.
SETSPN -L mydomain\myaccount results:
HTTP/myserver.mydomain.org
HTTP/myserver
MOSS Authentication Settings
Authentication Type = Windows
Default Authentication Provider = Negotiate (Kerberos)
Anonymous access not enabled
IIS Settings
SSRS on Default Web Site: Port 8080
Application Pool Identity mydomain\myaccount
NTAuthenticationProviders="Negotiate,NTLM"
Security: Windows Authentication
MOSS on Sharepoint-80 Site: Port 80
Application Pool Identity mydomain\myaccount
NTAuthenticationProviders="Negotiate,NTLM"
Security: Basic Authentication except _vti_bin/ReportServer is Windows Authentication
The idea is to use kerberos to pass credentials from SSRS reports running on myserver.mydomain.org to SSAS on ssas.mydomain.org.
Oct 17, 2007
Hi all,
I have an issue with an SQL cluster.
I have two MS Windows 2003 Server Ent Ed. SP2 in cluster. They have MS SQL Server 2005 in cluster.
I have created an endpoint and when I try to access it I get the attached error on the client machine. This problem only occurs in cluster configuration, because the same installation in an SQL (no cluster) works fine.
EventID: 4 Source: Kerberos
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/fra-lille-hel03.ea.holcim.net. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (EA.HOLCIM.NET), and the client realm. Please contact your system administrator.
Does anybody know how to solve it?
Thanks in advance.
Jul 6, 2015
I ran into a Kerberos authentication issue because of a missing AOAG SPN. Some of the tickets that granted me access to the nodes of the AOAG cluster were using the encryption type that I would expect. However, the MSSQLSvc SPNs were not using what I would expect!
klist
#XX> Client Somebody@somedomain.com
Server: RPCSS/MySQLServer@somedomain.com
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
#XX> Client Somebody@somedomain.com
Server: MSSQLSvc/MySQLServer@somedomain.com
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
#XX> Client Somebody@somedomain.com
Server: MSSQLSvc/MyAOAGListener@somedomain.com
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
I can't seem to figure out what the next step should be, and the infrastructure admins are stumped as well. How to proceed?
Sep 29, 2015
We have a large number of SSISDB packages running happily, connecting to our SQL Servers using ADO.Net or Sql Native Client, making their connection using NTLM. (We don't have our SQL Server SPNs correctly configured to support Kerberos).
The SSISDB packages are hosted on and run on a dedicated SQL server, different to the SQL Servers they are connecting to.
Very occasionally, the connection attempt is made using Kerberos instead of NTLM, and the connection attempt to sql server fails. (This is going by the Windows Security event log, which reveals a Kerberos login - a successful one at the Windows level - at the precise time that the calling agent job is informed of a connection timeout and fails, approx 23 seconds after the job starts).
The correct configuration of our SPNs is something we may wish to look into for security best practice, and would of course fix this. However, that may not be my decision to make.
Aug 22, 2007
Hi folks. I have installed SQL Server 2005 Express and chose Windows authentication on installation, but I made a mistake and now I need mixed authentication. How can I modify this without uninstalling and installing the application again? Thanks for the help.
May 11, 2007
How to give authentication for Send Mail Task component?
Apr 18, 2007
Hi there,
I have installed MS SQL Server 2005 on my machine with Windows authentication. But now I want to switch the authentication mode to SQL Authentication. I am unable to switch; I can't find the proper way to do so here in 2005.
Could anyone help me in doing this?
Thank you,
-Ahsan
Mar 25, 2004
Hello,
(Using win2k, sqlserver2k, framework 1.1)
I have an fairly data-heavy application that uses Windows authentication (Trusted connection/aspnet account) to connect to Sql Server. The site uses IIS basic authentication.
On the dev server everything works fine but when I move to the live server things get strange and it starts to crawl along. (Pages load OK but then it just crawls as it loads the datagrids etc. Sometimes it brings back incomplete/incorrect data )
BUT when I use Sql Authentication to connect to Sql Server, there is no problem at all!
Ok, there is something obviously wrong with the live server (which is identical setup to dev) but I don't know where to start.
Any ideas??
May 15, 2006
Hi all,
I've got two applications which both have a database on my MS SQL 2000 server. The problem is, one application must use Windows Integrated Authentication (which it is currently using and cannot be changed) whilst the other application which I'm trying to configure must use a SQL password.
Since the server has already been configured to use Windows Integrated Authentication for the existing database and application, how do I configure the other database to use the SQL password?
Thanks.
May 12, 2006
Hi all,
My work is using a shared application which accesses a MSSQL 2000 database. To access the application, the folder on the Windows 2003 Server is shared and users can access the folder through a shared drive.
For the application to access the database, it uses an ODBC connection to the MSSQL server which originally used the SA password.
We have recently switched to using Windows Integrated Authentication because we believe it offers a higher level of security. However the only way in which we have been able to enable this is to add the Windows users to the SQL server.
The problem with this is that the application sets permissions for individual users on what records they can see within the database. We have found that by adding the Windows users to the SQL Server, they can bypass the permissions set by the application by simply using any application that can use an ODBC connection, such as Enterprise Manager, and see all the database.
One way around this would be to set up domains of users with access privileges to the tables which reflect the permissions set by the application, and configuring a view of the data so they may only see the records that they have permissions to. However to do this would require a high administrative cost to ensure that changes made in the application are reflected in the privileges of the SQL server.
Instead, is there a way the SQL server can authenticate that the ODBC connection is coming from the correct application using Windows Integrated Authentication?
This would allow the application to determine security, and stop users from connecting to the SQL server using other applications.
Alternatively, can the SQL server, using Windows Integrated Authentication, also ask the application to supply a username and password?
Any help with this matter would be greatly appreciated.
Thanks!
Aug 25, 2006
Hi,
I'm using SQL Server 2005. My connection string looks like this at the moment:
<add name="LocalSqlServer" connectionString="Data Source=xx;Initial Catalog=xx;Persist Security Info=True;User ID=xx;Password=xx" providerName="System.Data.SqlClient"/>
Now I'd like to change this kind of authentication to Integrated Windows Authentication.
I added the WorkerProcess IIS_WPG to the permitted Users but it didn't help.
Changed the connection string to this:
connectionString="Server=xx;Database=xx;Trusted_Connection=True;"
All I'm getting is that my NetworkService is not permitted to access DB when I try to connect to the DB in ASP.NET.
How can I properly configure that? Thanks!
May 8, 2003
Hello
Can anyone tell me what is the difference between sql authentication and windows authentication.
Examples of each would be very useful
Many thanks in advance
Steve
Oct 16, 2006
Would anyone please help me out here. which of the 2 modes of authentication is better and why??
Dec 18, 2006
Hi,
Say, I have configured my SQL to use Mixed Authentication. Now, I have an application which uses my SQL Server. The application just creates a database in SQL Server and uses the database to store its information.
This application also has a SYSTEM DSN under ODBC through which it accesses the database. For the application to access this database, should I only use SA (as my SQL instance is configured to use Mixed Authentication) or can I use Windows Authentication too...
If I should only use SA, do we have a documentation which talks about this.
Thanks
Santhosh
Mar 12, 2008
For using different services of SQL SERVER 2005 which is better...
Windows Authentication or SQL Server Authentication?
what are the advantages and disadvantages of both?
Feb 1, 2008
Hi.
I wonder if it is possible to set forms authentication for report manager but leave report server "as it is". I need to authenticate users from external LDAP and can't use windows authentication for report manager, but I would also like to leave report server open for anonymous users. In that way authenticated administrators could create reports which anonymous users could read.
I tested the Security Extension Sample and got it working when I rewrote the authentication part with my own LDAP authentication.
If I have understood correctly, the report manager is just an application inside report server, so is it possible to use forms authentication with one application but still leave the report server with Windows authentication?
Aug 14, 2001
Hi,
I need to figure out what kind of authentication I need to use for the following application.
Product:
1) It resides on its Domain and has access to the Database on that Domain.
2) We have an application level login, and based on the application login id display specific pages.
The question that bothers me is this:
Q) If I use NT authentication, then a user will be required to
a) Login to the domain (with userid and password) first and then
b) Then I would be required to login again to the application with application level login and password (different levels of login are there).
Based on the application level login I will display only specific asp pages. They have different access rights and roles.
The requirement is to login only once, and it should authenticate to the application, display specific pages and authenticate to the SQL Server database also.
Is there any way through which I can map my application level login to SQL Server, and what authentication should I use?
Thanks,
Teny
May 31, 2007
I am in the process of rolling out a sql server 2005 enterprise install and had a question regarding authentication. We will be providing sql hosting for a number of groups on our campus, many who are not using our campus-wide active directory, though they all have an AD account.
Windows authentication via the management studio appears to use your AD authentication tokens and will not allow them to enter a username/password combo. Is there any way to configure this?
I would like to use our campus AD for obvious reasons but if there is a requirement for passing tokens this isn't going to work right? It's also going to make database mirroring more of a challenge.
Thanks
Jun 8, 2001
Hi all,
My SQL Server 7.0 is now running in a mixed mode authentication. I understand that this method of authentication is not safe. So, I've planned to change my server's method of authentication from mixed to NT-only mode.
Kindly tell me what are the points I should consider for doing this, so that the existing data and the users are not affected.
Cheers and thanx in advance
Parasuraman
Oct 10, 2001
We recently moved our SQL Server services to a dedicated machine, and things have gone relatively smoothly.
My boss's major concern is that now when he runs some scripts in another application that updates sales data with the newest info from the database, it pops up a login box with the correct information in it already, but they have to hit OK to finish running the script. This was not happening on the old server. I've double-checked the ODBC data sources are correct, and have compared the security for the 2 servers and they appear to be identical still. Has anyone seen this before or knows what I'm doing wrong?
Thanks in advance,
Jeff
Feb 28, 2000
My SQL server is configured for W NT security. Whenever I am running from program from VB6, and the user name is prompted for, even if I enter a user that is not defined as an NT user, SQL lets it connect to the database. WHY?
Thanks in advance!
Adie
Sep 17, 1999
Hello !
I am having a problem with NT trusted connections. I am running a front-end from Access 97 with linked tables to an SQL Server. Whenever I open a form, I will be prompted for login. Since I am already on an NT domain, I make use of 'trusted connection'. However, whenever the form is refreshed or a requery is sent, I am always prompted for login again. Using an SQL user login does not give me the problem and it's a one time login.
Q: How do I configure SQL such that it doesn't prompt me for login every time I choose 'trusted connection'?
Thanks.
Rgds,
Alvyn
Apr 9, 1999
I am reviewing the requirements for NT Authentication for SQL Server 7.0. I want to take advantage of window NT user security. I also want just a single security point.
My question is that I can make several NT groups for various users (DBA, development, accounting, finance, sales, etc.) but how are SQL Server roles, permissions, and passwords applied to these NT groups? There are no groups in 7.0, right?
May 25, 1999
We're having a small problem with our Authentication on SQL. We set SQL up to use NT Authentication only. We then created a group on the NT Server and gave it the necessary permissions to make changes to the MSSQL7DATA directory on the SQL Server. Next we created the NT Logins on SQL. We're using Access 97 & ODBC to connect to SQL. Problem is that the first time the users open an Access 97 table, they get a prompt asking for an SQL Username/Password, or a checkbox option to use NT Authentication. I've just been having them click the "Use Trusted Connection." Is there a way to force NT Authentication and avoid having that popup box show each time Access is opened? I'd like it so that the user does not see any boxes when they open the table. I have a feeling we've left something out on the SQL side. Thanks for any help you can provide.
Oct 10, 2002
Hi there,
Is there any sp or xp which can help me out to change the sql server authentication mode to 'SQL Server and Windows'? I need to do this only through a sql script.
Thanks
Paul
Jan 15, 2002
Hi,
How is it possible to use NT authentication in 'WORKGROUP' environment.
I have my SQL server in one workgroup. And I want to access this server from a workstation which is in another workgroup. I am able to do this by using SQL authentication and passing the username and password. How can I do the same, with NT authentication?
Regards
Chakri