Using Xp_cmdshell To Run Application That Uses Domain Credentials
Jul 27, 2006
I using MS SQLServer as a secure method of setting up system tasks and
processes for automated running. The intent is that all logins (ids
and passwords) are in a secure database table and are not sitting
around in batch files on the server.
Some of the tasks make use of network authentication, and this is where
the problem arises.
If I execute the command line from within SQLServer (via xp_cmdshell),
I get an error that says that the userid is missing. If I execute that
same command vid the CMD window, it works.
It appears that the shell that xp_cmdshell kicks off does not inherit
the domain authentication.
Aside from questions on why I am doing things this way as opposed to
using the windows scheduler or other tools, what do I need to do to
make sure that my domain credentials are passed?
In the SSMS, is it possible to allow a user to log into the DB engine using alternate Domain credentials. There are fields that allow you to log in with SQL credentials but I don't see a way to do it with Doman credentials. It's always passthrough authentication.
This is a two part question. We are currently using the ODBC method SQLConnect to connect to an existing DSN:
m_retcode = SQLConnect(
m_hDbc,
(SQLTCHAR*)datasource,
(SWORD)_tcslen(datasource),
(SQLTCHAR*)username,
(SWORD)_tcslen(username),
(SQLTCHAR*)password,
(SWORD)_tcslen(password) );
using a SQL user created for that purpose (and yes the password is encrypted elsewhere). I have had a request to be able to use a Windows domain account in the same setting however it does not appear that i can simply enter either "domainusername" or "username" (SQL Server and the login machine are in the same domain.
Is it possible to accomplish this with this function or should I use a different routine to obtain a connection? How would I accomplish this if I instead wanted to use integrated login?
The "client" is running Windows XP, 2000, 2003, or Vista (Business). The database server is running SQL 200 or 2005 on Windows 2003 Server (or possibly Windows 2000 Server).
We are having our SSRS (Sql Server Reporting Services) Servers deployed in Domain1 to connect to the Domain1 data sources. Now, when we configure the SSRS datasources (which is in Domain1) to run under €śDomain2/User€? credentials , it€™s taking 60 minutes to render a report whereas when we configure the SSRS datasources to run under €śDomain1/User€? account it€™s taking only 5 seconds.
I would like to know €śWhy there is a latency difference while configuring the SSRS data sources with different domain credentials (Domain1Domain2)?€?
Any pointers to Support KB or any other related articles would be really great.
Hi guys,I'm not sure if I'm just bad at googling but I can't seem to find a way to set an ASP.NET 2.0 web application to connect to SQL Server 2005 using the current client's user credentials. My web application is using Integrated Windows Authentication so its Page.User.Identity is set to a DOMAINusername value... I want to pass that to my connectionstring or have my connections pick up the identity automatically and use that Identity when accessing the db server.Oh and another thing, my IIS Application Pool is using a specific Identity itself, so I don't know if that might affect the above.Hope someone could help.
Hi: We have one dedicated server, and have 3 different web applications, one of them is located in www folder which is default path, my question is: how do I set different path so all 3 web applications can be accessed by different URL? Say: www.mywebname1.com, www.mywebname2.com www.mywebname3.com , I need those three URL to find the correct files from my server. Thanks a lot. (the DBA in my company has just left, so I need to make these works, however, I have very limited knowledge for this, do you have any suggestion what kind of book I need to read and start with?) jt
Hi all,I have posted the same topic under ASP-NET-Developers but had no reply;I then posted it under ASP.Net Community and had also no reply.Hence, i'm posting it here to prevent the impression of spam post ...I have created a SqlContextTrigger using ADO.NET 2.0 to create atrigger onSQL Server 2005.In the class, I create a file and specify its path to be in theApplicationDomain base directory such as:String Path = AppDomain.CurrentDomain.BaseDirectory.ToString()However, the path is always the SQL Server Binn Directory. I'd like totellthe program that I want the path to be related not to SQL Server BinnDirectory but to Visual Studio Solution's Project Bin Directory.How do I do that?Best regards
-A "master domain" AD, a "sub domain" AD, a trust relationship between the two (sub trust master) -A sql server 2005 on a win server 2003 in "sub domain" AD -A linked server to "sub domain" AD -A linked server login using a "sub domain" admin acccount -A view to this linked server -A grant on masterDomain/Domain Users to the database -A grant on subDomain/Domain Users to the database -We want all connections done through "Windows Authentication" not "Database Authentication".
Queries on the view work fine using "sub domain" user accounts. Queries on the view fail using "master domain" user accounts (including master domain admin accounts)
"Msg 7399, Level 16, State 1, Line 1
The OLE DB provider "ADsDSOObject" for linked server "ADSI" reported an error. The provider indicates that the user did not have the permission to perform the operation."
All connections are done through "Windows Authentication" not "Database Authentication".
Can we establish cross domain connectivity with "Windows Authentication" ?
Below are details of the implementation:
SELECT TOP (100) PERCENT * FROM OPENQUERY(ADSI, 'SELECT displayname, givenName, sn, cn (etc...) FROM ''LDAP://OU=PEOPLE,DC=subDomain,DC=com'' WHERE objectCategory = ''Person'' AND objectClass = ''user'' ')
In SQL Server Mngt Studio in Server Objects/Linked Servers/Providers/ ADSI properties security tab I have:
"connections will: <be made using this security context> Remote login:'subDomainAdminAccnt' With password: 'subDomainAdminAccntPassword'
Error: Msg 7399, Level 16, State 1, Line 1
The OLE DB provider "ADsDSOObject" for linked server "ADSI" reported an error. The provider indicates that the user did not have the permission to perform the operation.
Msg 7320, Level 16, State 2, Line 1
Cannot execute the query "SELECT displayname, givenName, sn, cn
FROM 'LDAP://OU=PEOPLE,DC=subDomain,DC=com'
WHERE
objectCategory = 'Person'
AND objectClass = 'user'
" against OLE DB provider "ADsDSOObject" for linked server "ADSI".
After using ADMT to migrate the domain user or group into the root domain, when I use enterprise manager to try and change the permissions allocated to that domain user/group, i get the 'Error 15401 NT user or Group not found'.
This is a correct error as the user is now in the root domain, however sql (in sysxlogins) still thinks its in the child domain.
Is there a simpler way, other than collecting the users permissions, deleting the user from SQL then adding back in with the correct domainusername format, then adding the permissions back?
I tried renaming the 'name' in sysxlogins (not recommended) and while that worked, whenever I tried to add the migrated user to another database, the login name was missing and would not resolve.
I believe it is something to do with the SID not matching.
we recently migrated from our in-house domain to the Enterprise domain. Everything went smooth except for the fact that I can no longer accept my dBs using my SA or my domain admin account. There is only 1 account I can get into the management studio with but it has no admin privileges, so I can't make any  password changes or add accounts. I don't have a test environment so kind of hesitant to experiment with our production system.
I'm trying to run a test from my test environment which is a non-domain Windows 2000 server to access my domain 2003 with SQL2005. I have install 2005 tools to try to access the SQL server.
- I have try following the KB265808 - no success. - Reading alot of blogs and it seems all are pointing to the same problem. "Remote access" but the settign is enabled.Error Message:
TITLE: Connect to Server ------------------------------
An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server) (Microsoft SQL Server, Error: 53)
For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&EvtSrc=MSSQLServer&EvtID=53&LinkId=20476
Question: Could Windows 2003 security be blocking access? I'm using sa account to access.
Also, sa account does not seems to work for remote access. It is ok when accessing locally.
Hi all,it happen to me a strange problem:i have a mdb file (in Access 2K) with SQL Server 2K linked tables whoruns on a workstation which is on a different domain that the SQLServer. It works.If i create a mdb file from a workstation which is a the domain of theSQL Server and then i run it a my non-domain workstation i have errormessage:Login failed for user '(null)'. Reason: Not associated with a trustedSQL Server connectionBut if i reattached my tables it works.If someone have an idea....PS: same ODBC on both machines
I have a stored procedure which needs to access the files on a remote server... a server which does not belong to the same domain as the SQL Server 2005 machine.
I have an account which has access to the remote server. If the account name is "NewAccountAccountName", how can I execute the stored procedure using that account? Is this possible?
have SQL Server 2005 std edition SP1 installed on Windows 2003 Std edition .Configured Transactional (single Publisher and no clustered environment.) Replication past two months working fine, Now 1.Distrib.exe application err is coming.
Due to which my job is failing (Distributor to Subscriber). Iam attaching thw file. Thanks Sandeep
On to the next understanding topic. I understand the concept of credentials and why they are needed with the isolation of machine admin authority and running a SQL Server instance. I had a question on the purpose of the system credentials.
##MS_SQLResourceSigningCertificate## is the credential utilized by the instance itself to gain access to Windows for such things as reading and writing to database files, network stacks, writing to the error logs/event logs, etc. ##MS_AgentSigningCertificate## is the credential that is used by SQL Server Agent for accessing any necessary Windows resources. ##MS_SQLReplicationSigningCertificate## is used only by the replication engine to allow it to access Windows resources. ##MS_SQLAuthenticatorCertificate## is used during the authentication process for SQL Logins to provide authenticator services and is also used to access the Windows security API.
Each of the credentials is a certificate which is loaded into the instance and you can find the corresponding certificate within the data folder for the instance. I'm assuming that a mechanism is already in place to prevent someone from mucking with the certificates on the OS to gain access back into the SQL Server by comparing the signature already stored within the instance with the signature of the certificate on the OS. (This is also part of the larger discussion of certificate use within SQL Server itself and explains why you can't change the service account/password using the Service Control Applet.)
Did I get that correct, am I way off base, or is this one of those "no comment" items?
I'm trying to create a login screen that will verify a user's username and password from within a SQL table. If the credentials are found in the table, they should be sent to a Main Menu screen. If the credentials are not found, I will throw a message on the screen. Does anyone have code to accomplish this? I am at a total standstill.
CREATE CREDENTIAL myCredentials WITH IDENTITY = 'domain.user', SECRET = 'password'; Now, I would like to execute query with this credentials: SELECT a.* FROM OPENROWSET('SQLNCLI', 'Server=Seattle1;Trusted_Connection=yes;', 'SELECT col1 FROM [myServer].[myDb].[dbo].[myTable]' ) AS a;
How can I do that?There is no EXECUTE AS 'myCredentials'...Should I create some new login first, bind it to this credentials and then : EXECUTE AS 'myLogin'
I'm trying to create a subscription to automatically generate a report daily and put a resulting pdf into a folder on the drive. Users will then receive an email notification with a link to the report so they can just click on it and see the report.
When creating the subscription, I am prompted for a set of "credentials used to access the file share" (user name and password). But I don't want my users to have to supply any credentials, I just want them to click on the link and get the report. Is there a way to disable the requirement for the credentials?
Get this when selecting parameter value in Report Manager
Report is working fine in preview
Up to me, it has nothing to do with credentials
I have some analysis server reports.
I have a single value report parameter, the report runs fine with the default value, when I select another value than the default one, I get above message immediately.
I got the error since I rebuild the report with SP2 CTP.
Strange thing is that the other single value parameter of the report works fine (year)
And that I get the error also with other reports, and on the same dimension (Organisation)
And that I do not have the error when I change the parameter to multi-value (but as the report is not written for multiple values...)
MDX queries are as follows:
SELECT NON EMPTY { KPIValue("KPINewBiz"), KPIGoal("KPINewBiz"), KPIStatus("KPINewBiz"), KPITrend("KPINewBiz") } ON COLUMNS,
NONEMPTY
([Reps].[Organisation].[Organisation].ALLMEMBERS
*[Reps].[Rep].[Rep].ALLMEMBERS
*[Date].[Year].[Year].ALLMEMBERS
*[Date].[Month].[Month].ALLMEMBERS
,[Measures].[Gross Sales]
)
DIMENSION PROPERTIES MEMBER_CAPTION, MEMBER_UNIQUE_NAME ON ROWS
FROM ( SELECT ( STRTOSET(@ByYear, CONSTRAINED) ) ON COLUMNS FROM ( SELECT ( STRTOSET(@ByOrganisation, CONSTRAINED) ) ON COLUMNS FROM [Sales])) CELL PROPERTIES VALUE, BACK_COLOR, FORE_COLOR, FORMATTED_VALUE, FORMAT_STRING, FONT_NAME, FONT_SIZE, FONT_FLAGS
WITH MEMBER [Measures].[ParameterCaption] AS '[Reps].[Organisation].CURRENTMEMBER.MEMBER_CAPTION' MEMBER [Measures].[ParameterValue] AS '[Reps].[Organisation].CURRENTMEMBER.UNIQUENAME' MEMBER [Measures].[ParameterLevel] AS '[Reps].[Organisation].CURRENTMEMBER.LEVEL.ORDINAL' SELECT {[Measures].[ParameterCaption], [Measures].[ParameterValue], [Measures].[ParameterLevel]} ON COLUMNS ,
NONEMPTY([Reps].[Organisation].[Organisation].ALLMEMBERS,[Measures].[Gross Sales]) ON ROWS FROM [Sales]
WITH MEMBER [Measures].[ParameterCaption] AS '[Date].[Year].CURRENTMEMBER.MEMBER_CAPTION' MEMBER [Measures].[ParameterValue] AS '[Date].[Year].CURRENTMEMBER.UNIQUENAME' MEMBER [Measures].[ParameterLevel] AS '[Date].[Year].CURRENTMEMBER.LEVEL.ORDINAL' SELECT {[Measures].[ParameterCaption], [Measures].[ParameterValue], [Measures].[ParameterLevel]} ON COLUMNS , NONEMPTY([Date].[Year].[Year].ALLMEMBERS,[Measures].[Gross Sales]) ON ROWS FROM [Sales]
Discovered something else that is very strange, you change the value of the parameter, you get the error, you hit the back button, and you can run the report with the new parameter
Did one more test, changed the order of the parameters, is now going wrong on the other parameter, Year.
So, it is always on the first parameter.
Correction, I have put a multi-value parameter as first, I still have the problem, it is always on the first single value parameter
I have the same problem.
Up to me, it has nothing to do with credentials
I have some analysis server reports.
I have a single value report parameter, the report runs fine with the default value, when I select another value than the default one, I get above message immediately.
I got the error since I rebuild the report with SP2 CTP.
Strange thing is that the other single value parameter of the report works fine (year)
And that I get the error also with other reports, and on the same dimension (Organisation)
And that I do not have the error when I change the parameter to multi-value (but as the report is not written for multiple values...)
MDX queries are as follows:
SELECT NON EMPTY { KPIValue("KPINewBiz"), KPIGoal("KPINewBiz"), KPIStatus("KPINewBiz"), KPITrend("KPINewBiz") } ON COLUMNS,
NONEMPTY
([Reps].[Organisation].[Organisation].ALLMEMBERS
*[Reps].[Rep].[Rep].ALLMEMBERS
*[Date].[Year].[Year].ALLMEMBERS
*[Date].[Month].[Month].ALLMEMBERS
,[Measures].[Gross Sales]
)
DIMENSION PROPERTIES MEMBER_CAPTION, MEMBER_UNIQUE_NAME ON ROWS
FROM ( SELECT ( STRTOSET(@ByYear, CONSTRAINED) ) ON COLUMNS FROM ( SELECT ( STRTOSET(@ByOrganisation, CONSTRAINED) ) ON COLUMNS FROM [Sales])) CELL PROPERTIES VALUE, BACK_COLOR, FORE_COLOR, FORMATTED_VALUE, FORMAT_STRING, FONT_NAME, FONT_SIZE, FONT_FLAGS
WITH MEMBER [Measures].[ParameterCaption] AS '[Reps].[Organisation].CURRENTMEMBER.MEMBER_CAPTION' MEMBER [Measures].[ParameterValue] AS '[Reps].[Organisation].CURRENTMEMBER.UNIQUENAME' MEMBER [Measures].[ParameterLevel] AS '[Reps].[Organisation].CURRENTMEMBER.LEVEL.ORDINAL' SELECT {[Measures].[ParameterCaption], [Measures].[ParameterValue], [Measures].[ParameterLevel]} ON COLUMNS ,
NONEMPTY([Reps].[Organisation].[Organisation].ALLMEMBERS,[Measures].[Gross Sales]) ON ROWS FROM [Sales]
WITH MEMBER [Measures].[ParameterCaption] AS '[Date].[Year].CURRENTMEMBER.MEMBER_CAPTION' MEMBER [Measures].[ParameterValue] AS '[Date].[Year].CURRENTMEMBER.UNIQUENAME' MEMBER [Measures].[ParameterLevel] AS '[Date].[Year].CURRENTMEMBER.LEVEL.ORDINAL' SELECT {[Measures].[ParameterCaption], [Measures].[ParameterValue], [Measures].[ParameterLevel]} ON COLUMNS , NONEMPTY([Date].[Year].[Year].ALLMEMBERS,[Measures].[Gross Sales]) ON ROWS FROM [Sales]
Discovered something else that is very strange, you change the value of the parameter, you get the error, you hit the back button, and you can run the report with the new parameter
I have created several reports in SQL Server 2005 reporting services and I am viewing those reports in my C# application using a report viewer control. I want to pass the credentials for each report through my applications. I do not want to use any web service.
because my package does not run with SQL-Server-Agent, but without problems if started by "hand", I created a new credential which contains the information needed for the package. I did this as described on: http://msdn2.microsoft.com/en-us/library/ms190703.aspx .
After that i tried to create an proxy account, but when I chose the created credential, Management Studio says "Der Proxy "[name_of_credential] ist kein gĂĽltiger Windows-Benutzer(Microsoft SQL Server, Fehler: 14529)". This means something like: "This Proxy is not a valid windows-user. Error: 14529".
Any hints how to use a credential that is not a windows-user?
I'd like to programme the execution of a report through the execution property option. However, when I try to do it a message error appears related to credentials of the datasource.
The present action is impossible to complete, because the credentials of the user datasource needed to execute this report are not stored on report server database.
I created a report in SSRS, and deployed it. I have created security where when users run the on demand report, it will prompt them for a username and password. I went to the properties of the report then Execution, and tried to set up report execution snapshot and got an error 'Credentials used to run this report are not stored.' I get the same error if I go to History and try to select any of the options there.
I have made a CLR stored procedure which goes to a shared folder on a remote computer. I am having permission problems when executing the stored procedure. (In case anyone is wondering, I am using the .NET SYSTEM.IO class)
I have done the following:
CREATE CREDENTIAL myuser WITH IDENTITY = 'mydomainmyuser', SECRET = 'some56*Z';
CREATE LOGIN sam WITH PASSWORD = 'meowPw!a3';
ALTER LOGIN sam WITH CREDENTIAL = myuser;
...(other SQL so that SAM can execute the SP)
Now, I login to SQL Server using the new login, and when I try to execute the CLR stored procedure, I get "unknown username or bad password.".
I know 100% for sure that the account in the "MYUSER" credential has access. Is there something else I need to do?
Hello friends, In my web application I have saved my connection string into web.config file. Now I have to send this web application to the client in the form of web set up. The issue is that on the client side, user credentials for the database will be different. So can we do some setings that the web application whenever will run should ask for the server name, username & Password. If this can be done then the application can be run anywhere considering all compatibilities. Please let me know how this can be done. Thanks & RegardsGirish Nehte
I have developed an asp.net, vb.net web app and have integrated reporting services. Right now I am using url access but am not to crazy about showing the parameters in the querystring. I am using a dynamic stored procedure to get client data. I would like to use the rs web service to programatically set the parameters and send them invisably to the web service. Since the web app is not using windows authentication I would like to pass the parameters using a hard coded account that has been set up with browse privilages in the report manager. Is it possible to hard code the credentials that are sent to the reporting service instead of the System.Net.CredentialsCache.DefaultCredentials? The report returns a bar graph which I am hoping to display on the page. Reading some posts about some problems returning images I might be posting some more questions.
Are there any good walkthroughs or code examples using reporting services web service other than MSDN's limited supply?
Is it possible for me to login using windows login information that is separate from my current windows login? That is to say, can I login to a SQL server using windows athentication but actually specify the login and domain information? I woul like to login to a SQL server from a computer that is not part of the domain using my windows credentials and not a SQL user name.
On my SSIS package I have 2 connection managers, both are connecting to an Oracle db. I enter in the ID and Password then click 'test connection' I'm able to connect to the database fine. I then go to a data flow of one of my control flow task. Open up my OleDb Source and click preview. The SQL query executes with no issues. I can see the data from my connection manager source.
I then go and run the package and I get this error message:
[OLE DB Source [1]] Error: SSIS Error Code DTS_E_CANNOTACQUIRECONNECTIONFROMCONNECTIONMANAGER. The AcquireConnection method call to the connection manager "OracleConnection" failed with error code 0xC0202009. There may be error messages posted before this with more information on why the AcquireConnection method call failed.
I've been racking my brain on this for a few days and still no luck on getting this to work.