SQL Security :: Connecting Linked Server Using Windows Credential
Sep 28, 2015
I have a scenario where I want to make a linked server query and report using windows service account credential. I can able to do link query if I RDP into the Server where linked server established using the service account and run query successfully  but local client SSMS with my credential fails connecting linked server or querying. Looks to be a sql double hoping problem if so configuration each client domain account to enable delegation will be challenging as mentioned in the following articles instead service account only might work if possible.
I have two SQL Server machines - RPTPROD and DATAPROD.
I wanted to create a linked server from RPTPROD pointing to DATAPROD using Windows Authentication. Â When I tried to create this linked server, I keep getting this error
"Login failed for user 'NT AUTHORITYANNOYMOUS LOGON' (Microsoft SQL Server,Error: 18456)". Â
On the "Security" page, I chose "Be made using the login's current security context". Â I'm sysadmin on both SQL Server machines. Â
i am using sql 2k5 . i want to connect with linked server using IP address . but its generating error that "
Could not find server '50.1.254.4' in sys.servers. Verify that the correct server name was specified. If necessary, execute the stored procedure sp_addlinkedserver to add the server to sys.servers."
but when i am using name of linked sql server its generating output. can any body help me that what is wrong with my first scenario.
i am giving my both query.
1 using name of linked server
select * from [REPORTSRVRSQL2005].GLobalDB.dbo.tblMCustomer
its working
2 using ip of linked server
select * from [50.1.254.4].GLobalDB.dbo.tblMCustomer
I have setup a linked server on the same computer but different instances of sql. When I call the sprocs an error occurs... The message is...
The OLE DB provider "SQLNCLI" for linked server LINKEDSQL does not contain the table ""product"."dbo"."AccountTable". The table either does not exist or the current user does not have persmissions on that table.
I've checked the table "AccountTable" and it does exist. The database exist also which is "product". I also configure the linked server's RPC to "true" and timeout to "200". The linked server is also configured to use a single username and password which exist on the instance of sql that the linked server is connecting. Also, I enabled the instances of sql to allow remote connections and use mixed authentications.
The mode of access is that different client pc will call a method created with .NET, which in turn, call the sprocs on the linked server. Should I add all the client pc that will be calling the method? Any help or advice please... Thanks
hi, i've currently created a linked server using sql server management studio express (it connects to an oracle database to draw data), i can query it all fine using the query analyzer with sql server etc. how can i start using the linked server data with visual studio 2005? i can't seem to find the linked server anywhere inside the server explorer, am i suppose to import it / connect to it any specific way so i can start using the data retreived from the linked server? thanks in advance!
I'm currently trying to access data from a Cache DB using MSSQL. I havelinked the Cache server through an ODBC connection. I can see in the LinkedServerexpansion all the tables in Cache for the File(?) I want to access.Here is my problem: Normally to access a linked sever I would do thefollowing:select *from ServerName.DatabaseName.dbo.TableNameI have triedselect *from ServerName.DSN.dbo.TableNameselect *from ServerName.DSN.SQLUser.TableName ("SQLUser" is the owner in Cache)None have worked (error no such object...)What is the syntax to select data on a linked sever via an ODBC connection?In the Linked server set up I have also check the RPC and RPC Out options...My ultimate goal is join tables in Cache and MSSQL into MSSQL.Any help would be greatly appreciated!Thanks,-p
In my architecture I have a Domain Controller with Active Directory (DOMAIN_A), IIS 6.0 (WEBSERVER) and SqlServer 2000 (SQLDBSERVER).
The WEBSERVER has a .NET application with windows authentication. The .NET application interacts with the database server. I want to use Integrated Security to pass in the users login credentials to the database to run any database calls so that I can audit who is making what calls on the database.
The connection string I am using for this is as follows:
The problem arises after I login to the web application (I use the user DOMAIN_ASomeUser where SomeUser is a user who has permissions set up to make all of the database calls). After logging in however, when I go to a page that makes a database call I get the following error:
System.Data.SqlClient.SqlException: Login failed for user 'DOMAIN_AWEBSERVER$'. It seems that for some reason, .NET is not passing the login name SomeUser, but instead is passing SERVERNAME$. Would anyone pls have any ideas how I can implement this. Any guide or references would be much appreciated.
Dear mems, I have a problem, and i don't khow how to resolve, pls help me:
My server is Windows XP (not domain), I work with SQL Server 2005, installed on my server, I configurate my SQL SERVER connection is "Windows Authentication mode", I add user "MyComputerguest" to MyServerSecutityLogins to accept connections from local network I have many databases: Db1, Db2, Db3...
But, I don't know to configurate my SQL Server to achive these: 1) My clients using "SQL Server Managment Studio" connect to Databases Db2, Db3... on my Server, they can expand, modify, add new all Tables, Sp, functions of Db2, Db3. 2) My clients are not allow to access Db1. 2) My clients can add new Databases Db4, Db5, Db6... in the future and they have full permission on every Database which they create without my interfere.
if you run the following script it takes access from the windows admin from getting into sql server through windows auth. The issue is that the files that are attached logging as SA after that are read only. Is there any solution? When you try and switch the file to read write sql server gives an error saying that it cant read the mdf and ldf--gives a windows access error....
USE [master] GO
IF EXISTS (SELECT * FROM sys.server_principals WHERE name = N'BUILTINUsers') EXEC sp_dropsrvrolemember [BUILTINUsers], sysadmin DENY CONNECT SQL TO [BUILTINUsers] CASCADE GO
IF EXISTS (SELECT * FROM sys.server_principals WHERE name = N'BUILTINAdministrators') EXEC sp_dropsrvrolemember [BUILTINAdministrators], sysadmin DENY CONNECT SQL TO [BUILTINAdministrators] CASCADE GO
IF EXISTS (SELECT * FROM sys.server_principals WHERE name = N'NT AUTHORITYSYSTEM') EXEC sp_dropsrvrolemember [NT AUTHORITYSYSTEM], sysadmin DENY CONNECT SQL TO [NT AUTHORITYSYSTEM] CASCADE GO
Hi,I'm planning to develop a small intranet to provide our organizationwith documents online. I've decided to do this using jsp/servletsusing a tomcat server. For an operating system, I have chosen red hatlinux. However, I'd like to keep a small database on a sql server asa datasource. However, this sql server is already part of ourorganization's windows domain. I suspect I'll need to configure sambaso that other terminals on the windows domain will be able to reachthe intranet. What's the best manner in which to connect my linuxservlets to this sql server database? I suspect this may bedifficult, considering the sql server exists within a windows domain,but as a beginner, what do I know. Perhaps someone could point me inthe right direction.
This very same string, and variations of it, work in a vs2005 winforms app, but not a windows mobile 5. I'm (obviously) using system.data.sqlclient. MS documentation says it's supported on both platforms with no syntax changes. Any suggestions?
I am trying to pull data from an Oracle 9i database to my SQL Server 2005 sp1 database on Windows 2003 64bit Itanium server. Each time I try to use the import wizard, select the Microsoft OLE DB driver for Oracle, I get an error message telling me that the Oracle client tools are not installed. This happened after I had already installed the 9i tools, tested the connection using TNSPING and confirmed the tnsnames file was correct. So, I uninstalled the 9i tools and then installed the 10g client tools. Tested everything after the install and then tried the import again selecting the MS OLE DB driver for Oracle. I again got the error message that the Oracle tools were not installed.
has anyone ran into this problem and if so, were you able to fix it?
What is the practical difference between using "Not be made" and "Be made without using a security context"?
I've searched and it seems that if you are serious about NOT wanting anyone except a single login to be able to access the linked server that you ought to use "Not be made", however it seems that elsewhere it suggests that "Be made without using a security context" will accomplish the same thing.
Is that right?
If so, then what is the point?
Ex: I'm trying to apply the fewest settings on a sql server B linked to sql server A, but I only want login ZZZ to be able to access B through A, so I figure I ought use "Not be made", however reading various places it seems that "Be made without using a security context" is suggested to do the same thing.
This quote from - http://www.microsoft.com/technet/prodtechnol/sql/2000/books/c08ppcsq.mspx
"Be Made Without Using A Security Context Blocks access to all logins not explicitly mapped to the linked server."
I have 2 sql servers server1 and server2. I need to setup a linked server from server1 to server2. I want to limit the access for 1 user to be able to use this linked server from server1. I also want a login/password for the linked server connection to be setup for the access.
I am not clear about thedifferent security levels and not sure which one I can use
When I run a query against the linked server (SELECT * FROM TestLink.master.sys.servers) using my domain account, I get the following error:
Msg 18456, Level 14, State 1, Line 1
Login failed for user 'NT AUTHORITYANONYMOUS LOGON'.
OLE DB provider "SQLNCLI" for linked server "TestLink" returned message "Invalid connection string attribute".
I followed the instructions in the article "SQL Linked Server Query failed with €œLogin failed for user €¦€?" on the SQL Protocols blog, but I still am getting nowhere.
I've run out of ideas, and really need some help trying to figure out what is going wrong.
We have a SQL Server Reporting Services instance running SP2. I have attempted to add a domain group in a trusted domain to the server to enable regular users to access reports. I have added this group to the instance folder as a SYSTEM USER and home as BROWSER. I am allowing those settings to be inherited down through the folders (reports and data sources) to the reports. My test user in this report receives:
The permissions granted to user 'DOMAINuser' are insufficient for performing this operation. (log shows HTTP 500)
when the user attempts to use the URL to go directly to the report. If we try to navigate from HOME and walk the folders the user sees a blank HOME page.
I have used other groups with no problem.
Is there something I am missing in setting up the security environment? Any help would be greatly appreciated.
Hello!I'm migrating an IIS/SQL-Server application from Windows NT4.0 and SQL-Server 2000 to Windows 2003 Server and SQL-Server 2005.My problem is that it is not possible to connect local (IIS and SQL-Server 2005 are runnng on the same node) using ODBC. Running theapplikation on a remote IIS (XPPro) all works fine. I can't see anydifferences in the ODBC-configuration.Any idea?Thanks
I have installed SQL Server 2005 onto a server and then on my client machine I have installed SQL Server 2005 and the Server Management Studio.
When installing it on the server I chose all the defaults so have not setup an sql username or password to connect as I thought I could use Windows.
I go to the Server Management and registered servers, create a new one and enter the ip address of the server and choose Windows Authentication. The following error keeps appearing though and I am not sure what settings/where to check:
Login failed for user ''. The user is not associated with a trusted SQL Server connection. (.Net SqlClient Data Provider)
I have checked and think port 1443 is open on the server, tcpip is enabled but when I choose Windows authentication I cannot enter a username or password as it is greyed out. It has completed the username but no password and these are not the correct ones to connect to the server - I wish to wish the same one I use for RDC.
Or should I try SQL Authentication and if so how would I set this up? Cannot see on the server in SQL Configuration where I could set this?
Hope someone who knows a lot more than me on this can help!
Thanks for your time - this has been driving me mad for days now and everything I print off the internet is not help so any feed back or more useful links to loo up would be great.
I have a job owned by UserA on ServerA that selects data from ServerB. UserA also exists on ServerB with same ID and password. UserA is dbo on ServerA for all the databases. UserA is also member of the "System Administrators" server role on ServerA. The job works OK. But if I remove it from "System Administrators" server role and run the job, I get the following error message and the job step fails:
Remote access not allowed for Windows NT user activated by SETUSER. [SQLSTATE 42000] (Error 7410)
UserA on ServerB [remote server] has ReadOnly access. ServerB is linked to ServerA using "they will be mapped to" option and UserA.
I€™ve been working on getting a linked server through SQL 2005 to work with VFP 9. I get access denied for any and all security set ups on the linked server. I€™ve checked the folder-level security settings and see that the user I€™m logged in as, and have tried through security settings, and they seem to have access. What other security settings should I be checking?
How to change the Security Properties of a Linked Server.
In tsql, I need to setup a linked server and want to set the Properties -> Security -> For a login not defined in the list above, connections will: -> Not be made But I cannot figure out how to set it to Not be made. I manually set it in the GUI, and the scripted the linked server and when I ran the script to create it was set to Be made using the login's current security context. The create script did not even set it correctly.
I have looked around and all that I have found is a column in sys.linked_logins, uses_self_credential that looks promising. But I cannot change the system catalog.
how i can set the "For a login not defined in the list above" security property in tsql?
Domain = dm Windows User = dmTestUser, member of sysadmin on SQLFL and SQLNY SQL Server 2012 = SQLFL SQL Server 2012 = SQLNY Table = Product (exists in SQLNY and SQLFL) SP = spGetProduct() (resides on SQLFL) SQL Login = dbuser (on SQLNY, member of dbo on Product table)
I created a linked server on SQLFL pointing to SQLNY. Â The local server login to remote login mapping is as follows:
Local Login = dmTestUser Remote Login = dbuser
with "Be made without security context" option selected. Run spGetProduct() to get Product records from SQLNY and populate Product table on SQLFL via the linked server.Here are tests I did:I connected to SQLFL using dmTestUser in SSMS. Â I manually executed the stored procedure spGetProduct() without any issues. Â Procedure gets Product records from SQLNY and populates the Product table on SQLFL. Â Everything is good.
I created a SQL Agent job called "Get NY Product" on SQLFL to execute spGetProduct(). Â I invoked this agent job and it executed successfully.However no data was loaded to the Product table on SQLFL. Â My stored procedure caught this error: Cannot initialize the data source object of OLE DB provider "SQLNCLI11" for linked server "SQLNY".
1. When sql agent job runs, which account does it use? Â Is the SQL Server Service or SQL Agent?I believe it's the sql agent. 2. What do I need to do to make this work?
I have this posted in the VFP section of the forums but the more I find out about the issue the more I think there is an SQL Server security issues.
What I am doing is trying to connect to a LinkedServer of my SQL Express 2005 database running on windows vista. I have the linked server set up to connect to a local FoxPro table using the VFPOLEDB provider. If I log in as the 'sa' account I am able to do my query. But if I log into the server using a trusted connection it doesn't work. I get the error [The OLE DB provider "VFPOLEDB" for linked server "sys" reported an error. The provider did not give any information about the error.]
So I went in and set the BUILTINUser login as the sysAdmin. I also made sure that all of the security settings in SQL server were set up the same between the trusted user and the 'sa' user.
My question is, What am I missing? Is there something that I need to set on windows or is there a setting in SQL server?
Hello, I do not succeed in authorizing the access of a group Windows NT to a linked server, on the other hand if I specify user's name it works. Please inform me. Pascal
As a database developer, I have so many databases that I "own" scattered across various servers that it''s getting difficult to remember where all of my databases reside. It doesn't work that the DBAs have taken to some very hard to remember server naming conventions.
I was going to create aliases via the configuration manager, but it turns out the DBAs overwrite my entries each night with THEIR aliases and they won't add any for my use.
So I decided to simply add some records to my host file so that instead of having to connect to "SERVER-AD_DADF-DAFDASS" I can just use "CustomerA".
This solution seems to work until I tried to access a linked server. If I connect to the main server via it's actual name, I can hit the remote/linked server with no issue. However, if I connect to the main server using it's alias, connection to the remote/linked server fails with: Login failed for user 'NT AUTHORITYANONYMOUS LOGON'.
The linked server is set up to use current security context and I'm not logging into the alias any differently that I do when using the actual server name.
Hi All, After I installed sql server 2005 64bit standard edition on Windows Server Enterprise 2008 64bit, I cannot connect to the sql instance using the sql management studio on the same machine! I verified that:
service is running,
in surface area configuration: remote connections to local and remote are enabled, for TCP/IP and named pipes.
ran the command netstat -avn| findstr 49279 to make sure that the server is listening.
firewall is off, but this does not matter since I'm connecting locally to local instance
I'm using domain controller account to login to sql server / also tried the sa account. what else can be wrong?
I have a msaccess linked server that I use to execute sql 2000 stored procedures from a front end in adp (access data project) format without any problem, if it is used on the same machine where the sql server resides (with any user logged on). In any other machine on the local network where I also need to use it, I get an ole/db error message saying that the microsoft jet database engine can not open the file because it's allready opened exclusivly or because it do not has permissions. I created the linked server with both UNC and normal path with the same result.
Is there any possibility to schedule SQL job execution as Windows Security Group? I need to run powershell script through SQL job with one of this group member's permissions.Â
We are having some commercial applications that are running on sql servers at different sites, all with sql security. The software vendor wants to copy data into staging tables on our BI server. But our BI server only support Integrated security.
But how can i say, in the definition of a linked server (at the remote machines) to swicth security system ?
If it is possible i could enter a fixed domain-account in that users fields, but i suppose that this field was intended for SqlServer security.
We are using Microsoft jdbc driver 4.1 connecting to SQL 2012, which has a linked server to another SQL 2012 server.Will linked server calls work with kerberos authentication using Microsoft jdbc driver 4.1? connection string looks like this:
jdbc:sqlserver://SQL01;database= product_db; integrated Security= true;authenticationScheme=JavaKerberos..We have the linked server connection configured to use "Be made using the login's current security context"
Date      8/3/2015 4:19:56 PM Log      SQL Server (Current - 8/3/2015 3:49:00 PM) Source      Logon
Message Login failed for user 'NT AUTHORITYANONYMOUS LOGON'. Reason: Could not find a login matching the name provided. [CLIENT: 10.196.21.4]