I have a set of reports that read from an Analysis Services cube. Permissions are managed at the cube level since different users should look at the same report but different data. This is why for those reports, the data source has Windows Integrated Security set.
Those same users should be able to subscribe to those reports, the problem is that for subscriptions to work, the data sources must store the credentials. This means the filtered reports are lost since the stored account will show all the reports for all users.
Is there any way of generating "filtered subscriptions"?
Can we implement a table level (object) security on the groups of the windows NT domain using the integrated windows NT security so that one group has the permission over one table to update ,select ,delete the information and other group has permission has for some other table.
In my architecture I have a Domain Controller with Active Directory (DOMAIN_A), IIS 6.0 (WEBSERVER) and SqlServer 2000 (SQLDBSERVER).
The WEBSERVER has a .NET application with windows authentication. The .NET application interacts with the database server. I want to use Integrated Security to pass in the users login credentials to the database to run any database calls so that I can audit who is making what calls on the database.
The connection string I am using for this is as follows:
The problem arises after I login to the web application (I use the user DOMAIN_ASomeUser where SomeUser is a user who has permissions set up to make all of the database calls). After logging in however, when I go to a page that makes a database call I get the following error:
System.Data.SqlClient.SqlException: Login failed for user 'DOMAIN_AWEBSERVER$'. It seems that for some reason, .NET is not passing the login name SomeUser, but instead is passing SERVERNAME$. Would anyone pls have any ideas how I can implement this. Any guide or references would be much appreciated.
I am having a problem in applying subscription to a report.
Here is my case:
I have a datasource with 'Windows integrated security ' authentication, yes....I am using windows domain authentication, so login info is not stored in DB but its authenticated from domain. Now the report I want to use subscription on is using this DS. I read it somwehere that I can use rsconfig -e -u -p option to assign user to unattended reports.
I think, this is the unattended report. I tried with rsconfig and then clicked on 'new subscription option'...and i got error (again) saying 'Subscription can not be created because the credentials used to run the report are not stored...or if linked report.....blah blah...'
I want to use subscription to this report but with 'Windows integrated security', is there any way I can do it ?? How can I assign some user to this report without changing authentiation method and use subscription ?
Help me ...I am stuck, this is the last milestone in my project !!!
We have a SQL Server Reporting Services instance running SP2. I have attempted to add a domain group in a trusted domain to the server to enable regular users to access reports. I have added this group to the instance folder as a SYSTEM USER and home as BROWSER. I am allowing those settings to be inherited down through the folders (reports and data sources) to the reports. My test user in this report receives:
The permissions granted to user 'DOMAINuser' are insufficient for performing this operation. (log shows HTTP 500)
when the user attempts to use the URL to go directly to the report. If we try to navigate from HOME and walk the folders the user sees a blank HOME page.
I have used other groups with no problem.
Is there something I am missing in setting up the security environment? Any help would be greatly appreciated.
Server: Windows 2003, SQL 2005, on a domain Client: Windows 2008 Beta, not on any domain
I created an account with the same user name as the domain user on the client machine. And then I logged in as that user and went to Manage Network Password. I entered the correct domain credentials. Verified that this worked for file shares. However, SQL does not appear to be recognizing this and it tells me:
Login failed for user ''. The user is not associated with a trusted SQL Server connection.
I have verified that this domain account is working properly with SQL when the client is also on the domain.
How can I get this Windows authentication scenario to work where the client is not on the domain and the SQL server is on the domain?
Hi , I am trying to connect to MS Sql server 2000 from Java (1.4.2 /1.5 ). I installed my Sql Server(8.00.382) from the one supplied withVS.NET 2001. When I installed it on my laptop it did not ask me for auser name and password. After install when I re-started my machine Isee the server started up with a green light. Now when I connect to theserver from VS.NET it works fine. This is because VS uses windowsintegrated security. I now need to connect using Java , so I downloadedthe microsoft drivers for SQL2000-JDBC sp3 from the microsoft site. Iadded the jar files to my Java project classpath. I manage to registerthe driver in java :Class dbClass = ClassLoader.getSystemClassLoader().loadClass("com.microsoft.jdbc.sqlserver.SQLServerDriver");DriverManager.registerDriver((Driver) dbClass.newInstance() );Connection conn =DriverManager.getConnection("jdbc:microsoft:sqlserver://localhost:1433;_integrated security=SSPI");but cannot seem to get a connection as it gives an SQLException sayingthat it is unable to connect:java.sql.SQLException: [Microsoft][SQLServer 2000 Driver for JDBC]Errorestablishing socket.I cant seem to figure it out.Can some one help ??I am a newbie to sqlserver so couldnt quite figure out how to changeadmin password or create a new user with the tools provided with thisversion of sql (SQL Server Desktop Engine).Any help will be appreciated.Ebby
I am trying to connect SQL database through code but I get this error,I have spent days to solve it but unfortunately I couldn't...Here is my code in VB express(OP:windows 2000 with SP4)I am new to VB,so it makes the situation more difficult for me.
my code is:
Public Class Form1
Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
Dim conn1 As SqlConnection = _
New SqlConnection("Data Source=.SQLEXPRESS;" & _
"Integrated Security=SSPI;" & _
"database=deneme3_database;")
'Open connection
conn1.Open()
MessageBox.Show("Connection succeeded.")
'Close connection
conn1.Close()
MessageBox.Show("Connection closed.")
End Sub
The error message is,it is in german but it is clear I guess:)
" Die von der Anmeldung angeforderte "deneme3_database"-Datenbank kann nicht geöffnet werden. Fehler bei der Anmeldung. Fehler bei der Anmeldung für den Benutzer 'ADPLANatalay'. "
I am trying to connect to an SQL database with a Java program compiled in NetBeans IDE. I have copied the proper .dll in the auth folder to the same folder as the .jar file required. I have tried a lot of things for a lot of hours, and am still coming up with the message "Driver is not configured for integrated security and "could not load the xxxxx.dll
Has anyone come up with a solution or a workaround to this problem. Please help. I have read the documentation until I am blue in the face. Please only respond if you have a 64 bit machine.
I have been struggling with this problem for a while with SQL 2005. I have never had such login problem with SQL 2000. Here is the scenario:
I have installed SQL2005 standard version on a XP Pro box and I am trying to access it from another XP Pro machine. I can access it using a SQL user name and password that I set up on the server, but I have not had luck with using Windows NT Integrated security. When I try to connect to it (e.g. by a UDL file), I get an error saying Login failed for user €˜HP-AMD64Guest€™ where €˜HP-AMD64€™ is the name of the PC running the SQL 2005. I can access the files on the machine without any problem. I do not understand why it uses €˜Guest€™ that is not what I use to log on my machine. Does anyone have any clue to offer me?
I know from searching this forum that there have been many variations of the issue I'm currently suffering, but I haven't found anything quite like mine or a solution to solve it. The issue I'm running into is that I am unable to log on to Reporting Services using Management Studio or the web interface when Windows Integrated Security is enabled. I have full functionality using basic security, but the risks involved make it impossible to deploy basic authentication out into production. The error I'm receiving in Management Studio is The request failed with HTTP status 401: Unauthorized. (Microsoft.SqlServer.Management.UI.RSClient). I recieve the same error when I try the web interface.
I've looked the most recent logfile in WindowsSystem32LogFilesW3SVC1 and these entries match up to the time I attempted my authentication.
Code Snippet 2008-05-12 20:30:42 <Edited: Server IP> GET /reports - 80 - <Edited: Server IP> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 401 2 2148074254 2008-05-12 20:30:42 <Edited: Server IP> GET /reports - 80 DomainUserName <Edited: Server IP> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 301 0 0 2008-05-12 20:30:42 <Edited: Server IP> GET /reports/ - 80 - <Edited: Server IP> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 401 2 2148074254 2008-05-12 20:30:46 <Edited: Server IP> GET /reports/home.aspx - 80 DomainUserName <Edited: Server IP> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 302 0 0 2008-05-12 20:30:46 <Edited: Server IP> GET /reports/Pages/Folder.aspx - 80 - <Edited: Server IP> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 401 2 2148074254 2008-05-12 20:30:47 127.0.0.1 POST /ReportServer/ReportService2005.asmx - 80 - 127.0.0.1 - 401 2 2148074254 2008-05-12 20:30:47 127.0.0.1 POST /ReportServer/ReportService2005.asmx - 80 - 127.0.0.1 - 401 1 0 2008-05-12 20:30:47 127.0.0.1 POST /ReportServer/ReportService2005.asmx - 80 - 127.0.0.1 - 401 1 2148074248 2008-05-12 20:30:49 127.0.0.1 POST /ReportServer/ReportService2005.asmx - 80 - 127.0.0.1 - 401 2 2148074254 2008-05-12 20:30:49 127.0.0.1 POST /ReportServer/ReportService2005.asmx - 80 - 127.0.0.1 - 401 1 0 2008-05-12 20:30:49 127.0.0.1 POST /ReportServer/ReportService2005.asmx - 80 - 127.0.0.1 - 401 1 2148074248 2008-05-12 20:30:50 <Edited: Server IP> GET /reports/Pages/Folder.aspx - 80 DomainUserName <Edited: Server IP> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 500 0 0 2008-05-12 20:30:50 <Edited: Server IP> GET /Reports/js/ReportingServices.js - 80 - <Edited: Server IP> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 401 2 2148074254 2008-05-12 20:30:50 <Edited: Server IP> GET /Reports/js/ReportingServices.js - 80 DomainUserName <Edited: Server IP> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 200 0 0 2008-05-12 20:30:54 <Edited: Server IP> GET /Reports/styles/ReportingServices.css - 80 - <Edited: Server IP> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 401 2 2148074254 2008-05-12 20:30:54 <Edited: Server IP> GET /Reports/images/blank.gif - 80 - <Edited: Server IP> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 401 2 2148074254 2008-05-12 20:30:54 <Edited: Server IP> GET /Reports/images/blank.gif - 80 DomainUserName <Edited: Server IP> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 200 0 0 2008-05-12 20:30:54 <Edited: Server IP> GET /Reports/images/48error.jpg - 80 - <Edited: Server IP> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 401 2 2148074254 2008-05-12 20:30:54 <Edited: Server IP> GET /Reports/styles/ReportingServices.css - 80 DomainUserName <Edited: Server IP> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 200 0 0 2008-05-12 20:30:54 <Edited: Server IP> GET /Reports/images/48error.jpg - 80 DomainUserName <Edited: Server IP> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 200 0 0 2008-05-12 20:31:07 127.0.0.1 GET /reports/ - 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 401 2 2148074254 2008-05-12 20:31:07 127.0.0.1 GET /reports/ - 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 401 1 0 2008-05-12 20:31:13 127.0.0.1 GET /reports/ - 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 401 2 2148074254 2008-05-12 20:31:13 127.0.0.1 GET /reports/ - 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 401 1 0
I tried to highlight one of each of the HTTP errors I am getting. 401.2 and 401.1 are the ones I kind of expected, but have no idea why I'm getting them. The 500 0 error is a bit troubling, because unless I'm mistaken thats a server side error.
Here's my current setup. As far as I can tell, I've done everything to set up correctly for Windows Integerated security.
My Specs The server machine running all SQL 2005 services. It resides in a domain. All Clients are in the same domain.
Intel Dual Processor 3.20 gig Xenon
Windows Server 2003 w/ SP2
Microsoft Sql Server 2005 w/ SP2 Reporting Services Setup The virtual directories Reports and ReportServer are set to Windows Integrated Security with Anonymous Access disabled. All other checkboxes in Directory Security are unchecked. For permissions in Reports, I have:
Administrators (servernameAdministrators) - Full Control
ASP.NET Machine Account - Modify, Read & Execute, List Folder Contents, Read, Write
Domain Users - Read & Execute, List Folder Contents, Read
SQLServer2005ReportingServices]WebServiceUsers$... - Read & Execute, List Folder Contents, Read
SQLServer2005ReportServerUsers$... - Read & Execute, List Folder Contents, Read
SYSTEM - Full Control
Users (CompNameUsers) - Read & Execute, List Folder Contents, Read In ReportServer I have the same permissions except Authenticated Users is absent.
At one point, I even added the account Everybody and gave it full control, and I still recieved a HTTP 401 error. Any help at what I might be missing would be a godsend.
We have 64 bit MOSS with integrated SRS. This works quite well. You lose data-driven subscriptions until the release of SQL 2008. We want to build a custom subscription/workflow solution that renders reports and pops them into SharePoint lists. What we want to do is render thousands of reports into SharePoint document libraries and use workflow rules to route them to file shares, emails, approvals, etc.
This can be done manaully by right clicking the RDL in a report library and selecting Manage Subscriptions. This brings up a web page listing existing subscriptions (_layouts/ReportServer/ManageSubscriptions.aspx). This page does not write to a SharePoint list, but a set of tables in the ReportServerIntegrated database. I can see the tables and stored procedures that do the work. I cannot find a programming interface to create the subscriptions in code. I guess I can just call these stored procedures.
I have Sql Server Express installed on Vista (service pack 2)
I have Visual Studio 2005 with an application that I'm trying to access it with within a WCF service.
The login ID of the service is added to the database.
The database has remote access turned on.
The ID is granted access to all databases within the server.
The thread is being set with WindowsProvider and the services set their thread to WindowsProvider.
The dataserver is set with using Windows Authentication for security.
When I open my connection to the database, though, it reports the typically useless message that the connection is not allowed and that the server may not allow remote connections.
How to I get past this? I've done everything right.
if one connects to SQL server (2005) with integrated security, does sql server connect to ADS in order to verify the credentials or does windows handle the authentification mechanism ?
Does anyone know how to impersonate a user and then use integrated security with SQL server? Every place I've looked so far only shows how to use integrated security through IIS. For some reason, everytime I impersonate a user account, SQL server identifies me as "NT AUTHORITYANONYMOUS LOGON" Is this by design? or am I doing something wrong?
If one connects to sql server (2005) with integrated security, does sql server connects to ADS in order to verify credentials or does windows handle the authentification mechanism ?
Hello, I'm new to ASP, but developping in Sql for years. What we would like to have is that the user is accessing the database over it's own Windows Logon. Our triggers log quite some changes and are using UserName() for this. I've treid to force the IIS to accept Windows Integration only, the SqlDataSource users a connection that has Integrated Security = True. But when connection to the site i'm gatting error that there is no trusted connection for the user . (dot) ... I suppose i'm missing something but could you give me a hint where to start looking..... THX
We have a a DTS package set up to run against another SQL Server. Using an integrated login is there a way to map an NT Authenticated users is the sql server login id mapping to this attached server. The DB we are going against only uses NT authentication to attach to.
We are using a VB application with a "dsnless" connection. It is not able to connect to the SQL box using integrated WinNT authentication. Receive the below error message:
We can connect to our test SQL box with using the same application with no problem. The only difference we can see is the clustering on the "real" box.
We are using the following program string to connect to both boxes with the exception of the server we connect to:
We've encountered a problem on one of our SQL servers running integrated security where MS Security Manager errors out with "An error occured executing sp_addlogin using Domain_nameusername - " is not a valid name since itbegins with an invalid character." We think it is because the domain has the underscore character in it name. Can anyone confirm or point to other possible configuration issues?
Ideally, I'd like to move away from using SQL-based logins for our internal applications and take advantage of integrated security instead.
Defining AD groups and their permissions in SQL is simple and getting the application to work with that is not an issue.
Where I'm having difficulty, though, is in isolating the accessibility in integrated security. Because the SQL-based login was isolated from the windows user, they could only get access to the sql server via our app -- their normal windows accounts had no access.
If we switch to use only windows authentication, the user would be able connect fine from our application and have rights to various tables. The issue is that they could also connect via Enterprise Manager, Excel, or any other tool. Is there any way to limit the exposure so that we can take use of AD for our access but further limit to allow connections based upon the application? I realize that this could be impersonated, but it's still better than nothing...
We're having a bit of a problem getting Integrated Security to work with a .Net 2.0 application and SQL 2005. While we're tweaking permissions on the SQL-side, we came across an account "Application Login" and wondered what its role is. First, our problem:
Currently, the users in the AD group get a connection error. This group is defined as follows at the instance level:
role: public user mapping: to the database without any default schema securables: none status: grant and enabled
At the database security level:
general: none securables: execute on all (100+) stored procedures
And we gave them "Execute" on the database itself.
A little background: we had detached and copied this database from one server to another. So we suspect that the Application Login may have been modified/corrupted, even though it appears to be identical between the original and the copied databases. So we redefined it on the copied DB to match the original. Another group, which is defined as dbo on the database, has no problem at all connecting and running the application.
The Application Login has Execute permissions on all stored procedures and Delete, Insert, Select, Update, and View Definition on the ChangeLog table. It also has db_DataReader, db_DataWriter, and db_ddlAdmin roles associated with it.
Is there another SQL login required for initial connection to the database even though Integrated Security=SSPI is used in the connection string?
Does anyone see where we may be missing a security setting for the non-dbo user group to connect to the database?
Thanks very much for any suggestions, ideas .... Cheers, Tess
I'm looking for a best practices document or microsoft book that explains proper database security design for applications accessing sql using integrated security.
I am an application developer at a shop that has been using sql authentication to connect to sql servers. We have an sql login and user setup for each application. This sql user has read/write access to that applications database. The (human) users have no idea what the login is, we have a special generic dll that feeds the sql logins and passwords to our applications at run time for each app. Operations is pushing to move out of mixed mode and into full integraded security mode. Microsoft best practices push integrated security so I understand the move. What I'm trying to locate is some microsoft documentation on security design.
This is what I have pieced together so far regarding the windows authenciated approach to applications accessing databases. With windows security, users will be able to bypass our applications all together and use tools like access and excel to hit the databases even if we don't want them going in there. Their windows security will allow them to do this with integrated security. This is assuming we don't have the app "run as windows user x" and that we grant the user groups permissions on the database objects. This means instead of granting user groups generic read/write on the entire database like we could with sql security we need to consider what groups use the application and consider what permissions need to exist on each database object for that group. In addition we will need to almost exclusively use views and stored procedures to get data as these will act as filters to only allow users to touch what they should be allowed to touch. Having select and update statements within apps would require users have table rights, which is basically the same as allowing them to do anything. Each view and procedure will need to be set up with special consideration so that if a user where to hit them directly we would be ok with it...Basically the application layer which contains a multitude of validation logic on user entry controls can be skipped by a "smart" user who decides to "fool around" in access"
. A solution to fix this would be to have our apps run as a special windows user id but operations has refused to allow this. And honestly this would be nearly identical to just using sql authentication. We are looking at a security redesign of over 60 systems and a multitude of reports. I'm looking for a best practices document or microsoft book that I can use to help demonstrate the amount of redesign work making this move will require and shed more light on how this all works.
I have already looked at the following security documents which do not have what I am looking for, so i figured I better ask.
Hi all,I use the following connectionstring connect to sqlservserver=(local); database=mydata;Integrated Security=trueIf I tried browse the website in VS Web Developer 2005 environment, it's ok. After I compiled the site and access through IIS server, can not connect to sqlserver , I need to use login and password to connect. How can I connect wihtout using LogID and password.Thanks
Hello, I started profiling a website that i'm developing yesterday (asp.net 2.0) and noticed that sqlconnection.open is ridiculously slow (between 3-10 seconds) when using integrated security=true in the connection string. If I use SQL authentication instead and pass the username and password in the connection string, sqlconnection.open is instantaneous. My enviornment is as follows:
I am using windows impersonation in a CLR that is retrieving folder structure. In order to use impersonation I need to pass the windows credential to the SQL server so I am trying to use "integrated security=SSPI" and I also tried "integrated security=true" as well with the same result...I get the error: Login failed for user ''. The user is not associated with a trusted SQL Server connection. The SQL Server and IIS are located in different un-trusted domain. I am however able to connect to the SQL Server using user id and password. In my web.config file: <add name="ConnectionName1" connectionString="Data Source=IpAddress,Port#;Initial Catalog=DatabaseName;Integrated Security=true;persist security info=False; Trusted_Connection=Yes;" providerName="System.Data.SqlClient"/> à Doesn’t work <add name="ConnectionName2" connectionString="Data Source=IpAddress,Port#;Initial Catalog=DatabaseName;uid=user;pwd=password;" providerName="System.Data.SqlClient"/> à WorksBased on the error message it looks like there is no user passed to the SQL server. What am I missing? At this point I am thankful for any input…
