Accessing Network Shares Using Impersonation And Configuring Delegation
Oct 29, 2007
I'm having trouble trying to access a network share that comes via a UNIX server running SAMBA. In the first case, I'm running on my local workstation (A), connected to a remote server (B), and attempting to access directory information for a path like:
\a0amsimmsworkseaborg argets11as2981
This path is fully accessible by me from the workstation (A) and the server (B). The files and directories below "work" in the above path are also wide open on the UNIX side (meaning r-xr-xrwx permissions). However, if I attempt to do something like this:
Code Block
    // Declared here so the fragment compiles on its own
    string impusername = null;
    WindowsIdentity newID = SqlContext.WindowsIdentity;
    WindowsImpersonationContext impersonatedUser = newID.Impersonate();
    bool sim_dir_exists = false;
    try
    {
        // Runs under the impersonated caller's token
        impusername = Environment.UserName;
        Directory.GetFiles(mdcfullpath);
    }
    catch (Exception e)
    {
        // Revert before writing to the pipe
        impersonatedUser.Undo();
        SqlContext.Pipe.Send("Exception getting data: " + e.ToString());
        SqlContext.Pipe.Send("CWD is: " + Directory.GetCurrentDirectory());
        SqlContext.Pipe.Send("User is: " + impusername);
    }
    finally
    {
        impersonatedUser.Undo();
    }
The "GetFiles" fails with the following exception:
Exception getting data: System.UnauthorizedAccessException: Access to the path '\a0amsimmsworkseaborg argets11as2981' is denied.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.Directory.InternalGetFileDirectoryNames(String path, String userPathOriginal, String searchPattern, Boolean includeFiles, Boolean includeDirs, SearchOption searchOption)
at System.IO.Directory.GetFiles(String path, String searchPattern, SearchOption searchOption)
at System.IO.Directory.GetFiles(String path)
at StoredProcedures.mdcinfo(Int32 sim_id, String mdc_base)
CWD is: C:\WINDOWS\system32
User is: amsimms
Initial is: dbserver
Interestingly, if I run the procedure directly on the server (B), I do not get the exception. So this seems to be more of a delegation problem. The server B's sql server instance is running as a domain account (dbserver), which has been enabled for delegation and an spn has been set up. Is there something beyond this either with the impersonate or delegation configuration that I need to do in order for this to work?
Thanks,
--Andrew
Jul 23, 2005
Hi,
My SQL server is short on disk space and I need to create a new instance of SQL Server. I had another server running Linux with enough space left, so I created a new partition on it and shared it through SAMBA. Now I can use this shared disk in RW mode from the SQL server (tested OK). However, when I try to create another database on this network share, SQL Server denies the operation.
Does anybody have a clue about what's going on? Isn't it possible to set database files on a network share?
Regards.
CH COLLIN
Jul 15, 2015
Any specific risks in placing database files on network shares on a Windows server (2008 R2)? I have read it's a bad design, but unsure why, or what problems such a setup may cause.
Sep 21, 2007
We have some to-disk backups scheduled on our 2000 Enterprise machine - nightly fulls, hourly logs - that go to a network share located on another machine. They were originally stored directly on the same machine as SQL Server, but we changed them to a remote destination within the past few weeks. This works okay, but despite having the maintenance plan set to remove files older than 2 days, old files don't seem to be removed. Understandably, this gets to be a problem when the backup disk becomes filled.
Is there any obvious reason why this option wouldn't work against a network share? I've checked the directory permissions, and the SQL Agent domain account should have no trouble deleting the files.
Feb 29, 2008
Hi all,
I am struggling with configuring SSB network routes to a mirror database. What I want to accomplish is to configure a SSB application to work in a database mirroring setup but I am not looking for a load balancing solution.
According to SQL Server 2005 Books Online (http://msdn2.microsoft.com/en-us/library/ms166090.aspx) the typical routing configuration for a service hosted by a mirrored database is set by specifying the 'mirror_address' field but leaving the 'broker_instance' field empty (i.e. NULL) in the sys.routes table (see Example 3 in link above). I haven't seen how this is possible because if you specify the MIRROR_ADDRESS parameter in the CREATE/ALTER ROUTE command then you must also specify the BROKER_INSTANCE parameter.
I haven't found a way to set the mirror_address field to a valid value and the broker_instance field as NULL, is this possible? If not I must set the broker_instance as the guid of my broker instance but my understanding is that it should primarily be used for load balancing configuration. My preference would be to not set the BROKER_INSTANCE parameter, is this possible?
Best regards,
Oli
May 2, 2014
I've been trying to access the file table shares exposed on a server (I can select, delete, update, etc via SQL) via untransacted access with no luck (the share just sits there doing something when I try to access it, no error message of any kind).
So I thought I'd look to see if there were any open file handles via
SELECT * FROM sys.dm_filestream_non_transacted_handles;
I found there were 10 non transacted handles open, and they've been open for 3 days for automated processes and the files are about 1-2Kb in size.
So I tried to kill them via
exec sp_kill_filestream_non_transacted_handles
That's normally not something that takes very long (in fact when I cleared two for a different database it took just a second or two).
So leaving the stored proc running, I figured I'd connect and fire up Adam Machanic's sp_whoisactive.
I see the processes to kill the open file handles, with a wait state of FFT_NSO_FILEOBJECT
Feb 26, 2005
Can anyone give info on "Security Account Delegation"?
Thanks in advance.
Oct 22, 2006
Hi world,
I have a question, but first I need to give you some background:
My network works with Active Directory on Windows 2000, and I have web servers running on Windows 2003 and SQL Servers 2000 running on Windows 2003.
I wanted to enable account delegation and I found a bunch of information.
Everything seemed "easy", but I tried to test it first on my test servers anyways and this is what happened:
We created the SPN for the SQL Server
Account is trusted for delegation check box was selected for the service account of SQL Server.
Account is sensitive and cannot be delegated check box was not selected for the user requesting delegation.
But when we checked the box Computer is trusted for delegation (and only this box !!) in the server running an instance of SQL Server 2000, the role of this server changed magically (just like this, guys, it was magic) from "server" to "Domain Controller".
We were intrigued about this change, but we "trusted" the white paper that we had in front of us.
http://support.microsoft.com/kb/319723
After some hours, the production web servers (of the whole network) and many workstations stopped working:
The IIS on these web servers will show an empty list of websites.
The network and dial-up connections were missing on the web servers and also on the workstations.
The web servers and the workstations affected were "isolated" from the network; the ping command was not finding any of these computers.
Anyway, it was a nightmare. It took a while to fix the mess; we reverted the changes in Active Directory, and this makes me think that the magical "promotion" of the SQL server to Domain Controller had to do with all this.
The question is:
Do you have an idea about what could have caused all this? I mean, I still need to enable this account delegation thing. But I would like to know first if someone has done it before in a similar environment or if someone has run into one of the problems described before.
Thanks world.
Jul 9, 2007
I am trying to implement a linked server that uses integrated authentication on a 64-bit Windows 2003 SP1 server. I have both Sql Server 2005 and Sql Server installed, and have successfully created a database link that is able to use double hop authentication on the Sql Server 2005 instance. I am unable to do the same using the Sql Server 2000 instance. Does anyone know if double hop authentication using Kerberos is supported on Sql Server 2000? The linked server on Sql Server 2005 is created using this syntax:
EXEC sp_addlinkedserver @server='LinkedServer',
@srvproduct='',
@provider='SQLNCLI',
@datasrc='SQLB', --the data source
@provstr='Integrated Security=SSPI;'
exec sp_addlinkedsrvlogin 'LinkedServer', 'true'
SPN's and domain accounts have been created as documented and those same accounts are used in both the Sql Server 2005 and Sql Server 2000 instances.
The error message going from a Sql Server 2000 or 2005 client, to the Sql Server 2000 instance that has the linked server using the SQLNCLI provider is
Server: Msg 7399, Level 16, State 1, Line 1
OLE DB provider 'SQLNCLI' reported an error. Authentication failed.
[OLE/DB provider returned message: Communication link failure]
[OLE/DB provider returned message: Named Pipes Provider: No process is on the other end of the pipe.
]
[OLE/DB provider returned message: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.]
OLE DB error trace [OLE/DB Provider 'SQLNCLI' IDBInitialize::Initialize returned 0x80040e4d: Authentication failed.].
If I use the Sql Server 2000 OLEDB provider when creating the link I get this error
Server: Msg 18456, Level 14, State 1, Line 1
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
The same link using the SQLNCLI provider in Sql Server 2005 works and I am able to use double hop authentication.
My question is: does anyone know if double hop authentication is supported using a Sql Server 2000 linked server?
Sep 4, 2007
I am having a problem implementing constrained delegation for SSRS. I have followed the (very good) instructions located here:
http://sqlblogcasts.com/blogs/stevechowles/archive/2007/06/08/reporting-services-2005-for-the-dba-iis-security.aspx
I have chosen the option of running the application pool for SSRS under a domain user account. This is the same account that I use to run the SSRS service.
I have the authentication providers for the site set to "Negotiate,NTLM".
I also made sure that the application pool user account has rights on the ReportManager and ReportServer directories.
If I browse to the URL while logged on to the SSRS server then I am able to access the site.
My problem is when I try to access the site from anywhere but locally on the SSRS server:
I get a logon prompt if I try to access the SSRS URL from a different workstation. After three tries to log in I get: "You are not authorized to view this page". Even with an account that is local admin on the SSRS Server.
If I set the authentication providers for the site to "NTLM" then I am able to access the site from a different workstation but of course constrained delegation does not work.
Have I overlooked something? What could be causing the login prompt?
Aug 10, 2007
Hello,
I have configured Kerberos delegation for several web services. One of the web services calls SSIS packages, but the packages don't run with the expected impersonated user: the package starts with the impersonated user, but continues with the ASPNET user (which is not allowed to execute SSIS and connect to the DB).
If the web service is called directly (no delegation), SSIS packages run with the correct user. It looks like there is an authentication issue, but Kerberos is configured and web services can run from one to another with the impersonated user. The issue occurred only when I call SSIS packages.
Here is an extract of the SSIS log file:
Code Snippet
<dtslog>
<record>
<event>PackageStart</event>
<message>Beginning of package execution.
</message>
<computer>WKS-GE-BRAZILIA</computer>
<operator>WKS-GE-BRAZILIA\Pascal.Brun</operator>
<source>ImportMonthlyCSV</source>
<sourceid>{D053CB99-FDE4-492D-83BC-821E1B34704B}</sourceid>
<executionid>{EA9C1929-4131-4FDD-A6FC-560E01A65536}</executionid>
<starttime>09.08.2007 17:31:02</starttime>
<endtime>09.08.2007 17:31:02</endtime>
<datacode>0</datacode>
<databytes>0x</databytes>
</record>
<record>
<event>OnError</event>
<message>SSIS Error Code DTS_E_CANNOTACQUIRECONNECTIONFROMCONNECTIONMANAGER. The AcquireConnection method call to the connection manager "Data Warehouse" failed with error code 0xC0202009. There may be error messages posted before this with more information on why the AcquireConnection method call failed.
</message>
<computer>WKS-GE-BRAZILIA</computer>
<operator>WKS-GE-BRAZILIA\ASPNET</operator>
<source>Import CSV</source>
<sourceid>{284D3166-F372-4B03-86C1-75A4D8DC9A5C}</sourceid>
<executionid>{EA9C1929-4131-4FDD-A6FC-560E01A65536}</executionid>
<starttime>09.08.2007 17:31:02</starttime>
<endtime>09.08.2007 17:31:02</endtime>
<datacode>-1071611876</datacode>
<databytes>0x</databytes>
</record>
...
Any help is required.
Thanks in advance.
Sep 12, 2007
Hi,
I've just installed SQL 2005 SP2 Rollup 3 Package (Build 3186) on a 2 node X64 W2K3 Cluster.
Everything went fine, although after the install, the SQLAgent Services of my instances started to complain about delegation not enabled for the domain account used for the SQLAgent Service.
SPN's were already registered, so I've enabled unconstrained delegation & no errors anymore..
Apparently we're obliged to enable delegation as soon as this hotfix is installed
(maybe due to fix 938086 included in it ?)
To make this setup more secure, we would like to enable constrained delegation.
This does not seem to work, as soon as we choose constrained delegation by adding the SPN of the clustername to the domain user account we're running with & restart the sql agent, it fails with the same error as when no delegation was configured:
! [298] SQLServer Error: 22022, CryptUnprotectData() returned error -2146892987, 'The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation.' [SQLSTATE 42000]
! [442] ConnConnectAndSetCryptoForXpstar failed (0).
Summary:
With Unconstrained delegation enabled for computer account & user account, everything goes fine.
As soon as constrained delegation is chosen, by adding the SPN's to the domain user account of SQL Agent, SQL agent fails to start.
We use a domain account for the SQL Agent.
This account has 2 SPNs registered on it:
MSSQLSvc/<FQDN SQL instance network name>:1433
MSSQLSvc/<FQDN SQL instance network name>
Connections to SQL go fine, authorization scheme is Kerberos even when SQL Agent fails to start due to this delegation failure.
Domain account has "act as part of operating system" & "impersonate a client after authorization"
Anyone have an idea?
Jan 12, 2007
Problem:
I am trying to create an asp.net website with integrated windows authentication
to access SQL databases. IIS resides on WinXP and SQL Server
on Win2000 SRV. Both are in the same NT Domain. IIS and SQL Server cannot
reside on the same machine and a stand alone web server is
ideal as the website needs to access multiple SQL Servers. IIS is set to
Integrated Windows Authentication. The machine running IIS & the SQL Server
are set to be "trusted for delegation" in active directory. The domain user
accounts that will be accessing the databases are not marked as "Account
is sensitive and cannot be delegated".
The connection string that the web app uses to connect to SQL database is:
"Data Source=PWSSQLT;Integrated Security=SSPI;Initial Catalog=Pace_Master;Persist Security Info=true"
with which the user credentials should be flown to the SQL database.
But instead the delegation fails and results in the following ANONYMOUS authentication failure error:
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
Description: An unhandled exception occurred during the execution of the current web request.
Please review the stack trace for more information about the error and where it originated in the code.
--------------------------------------------------------------------------------------------------------------------
Exception Details: System.Data.SqlClient.SqlException: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
Source Error:
// Open the connection, and return it
oConn.Open();
return oConn;
Source File: e:ING eIMSApp_CodeDataAccessConnectionManager.cs
Stack Trace:
[SqlException (0x80131904): Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.]
System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection)
System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader
dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
System.Data.SqlClient.SqlInternalConnectionTds.CompleteLogin(Boolean enlistOK)
System.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(SqlConnection owningObject,
SqlConnectionString connectionOptions, String newPassword, Boolean redirectedUserInstance)
System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity,
SqlConnectionString connectionOptions, Object providerInfo, String newPassword,
SqlConnection owningObject, Boolean redirectedUserInstance)
System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options,
Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection)
System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnection
owningConnection, DbConnectionPool pool, DbConnectionOptions options)
System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject)
System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject)
System.Data.ProviderBase.DbConnectionPool.GetConnection(DbConnection owningObject)
System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection)
System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection,
DbConnectionFactory connectionFactory) +105
System.Data.SqlClient.SqlConnection.Open()
INGRS.DataAccess.ConnectionManager.GetConnection() in e:ING eIMSApp_CodeDataAccessConnectionManager.cs:
DAActivity.Page_Load(Object sender, EventArgs e) in e:ING eIMSDADAStatusDAActivity.aspx.cs
System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)
System.Web.UI.Control.OnLoad(EventArgs e)
System.Web.UI.Control.LoadRecursive()
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
_______________
Version Information: Microsoft .NET Framework Version:2.0.50727.42; ASP.NET Version:2.0.50727.210
---------------------
Nov 7, 2007
I want a user to be able to call a stored procedure, that will call an assembly, that will log on to another SQL Server, perform some functions (calculations), and return the results. I want the user's credentials passed, NOT the SQL Server Account. So in some research, I created this:
Imports System.Data
Imports System.Data.SqlClient
Imports Microsoft.SqlServer.Server
Imports System.Security.Principal
Public Class SomeName
    <Microsoft.SqlServer.Server.SqlProcedure()> _
    Public Shared Sub LinkedServer()
        Dim cmd As SqlCommand
        Dim dr As SqlDataReader
        Dim clientId As WindowsIdentity
        Dim impersonatedUser As WindowsImpersonationContext
        clientId = SqlContext.WindowsIdentity
        impersonatedUser = clientId.Impersonate()
        Try
            Try
                impersonatedUser = clientId.Impersonate()
                If impersonatedUser IsNot Nothing Then
                    ' as usual, connection strings shouldn't be hardcoded for production code
                    Using conn As New SqlConnection( _
                        "Data Source=SERVER1; Initial Catalog=master; Integrated Security=SSPI")
                        conn.Open()
                        cmd = New SqlCommand( _
                            "SOME QUERY", conn)
                        dr = cmd.ExecuteReader()
                        SqlContext.Pipe.Send(dr)
                    End Using
                End If
            Finally
                If impersonatedUser IsNot Nothing Then
                    impersonatedUser.Undo()
                End If
            End Try
        Catch ex As Exception
            SqlContext.Pipe.Send("Error: " & ex.Message)
        End Try
    End Sub
End Class
Now the issue is that I get this message when I execute this code with the Impersonation code.
Msg 10312, Level 16, State 49, Procedure spr_SQLServerAccess, Line 0
.NET Framework execution was aborted. The UDP/UDF/UDT did not revert thread token.
When I exclude the impersonation code, everything works, BUT executes under the SQL Server Account.
I have used this code to create the Assembly and Stored Procedure:
-- Register the assembly
CREATE ASSEMBLY SQLServerAccess
FROM 'c:\linkedserver.dll'
WITH PERMISSION_SET=EXTERNAL_ACCESS
GO
-- Register the stored-procedure
CREATE PROCEDURE spr_SQLServerAccess
AS
EXTERNAL NAME SQLServerAccess.SomeName.LinkedServer
Any ideas on the error message that is being thrown by SQL WITH the Impersonation code?
May 2, 2007
Hi,
I like to use impersonation using multiple databases and a user with no login.
I'm working with PowerBuilder 10. I can change users using the command Execute Immediate "EXECUTE AS USER = 'username'". Unfortunately, I can't execute the command 'REVERT' from PowerBuilder's Execute Immediate command. The Execute Immediate command prefixes the 'REVERT' command with an exec, i.e. exec REVERT.
I thought I could encapsulate the REVERT command in a procedure and run the procedure using Execute Immediate. But, I'm new to SQL Server and I'm not sure if I can.
Does anyone know how to solve this problem? Thanks.
TF
Mar 3, 2008
What's the correct way to set up impersonation & SQLExpress?
Here's the error I'm getting:
Cannot open database "aspnetdb" requested by the login. The login failed. Login failed for user '***ASPDATA'.
SQL Express is installed on C:. aspnetdb was set up from aspnet_regsql.exe; on IIS manager - asp.net tab - edit configuration this string is there:
data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true
The aspnetdb is located in C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data
The ASP.Net web is on D:. The web.config file has:
<add name="LocalSQLServer" connectionString="Server=.\SQLEXPRESS;Database=aspnetdb;Trusted_Connection=Yes;" />
<authentication mode="Windows" />
<identity impersonate="true" userName="aspdata@xxx.org" password="xxx" />
Should I take a copy of aspnetdb and put it in the web app_data folder?
Jess
Sep 29, 2007
I am having a Linked server from SQL 2005 to SQL 2000. Linked server is configured with Local account and remote account "remote_user".
When application hits the linked server, it fails with message "login failed for remote_user".
Any idea how to solve this? I don't have access to the remote server.
Regards
May 21, 2008
Hello all-
Before I go any further, I have followed http://msdn.microsoft.com/en-us/library/ms188304.aspx as best possible. I am attempting to send mail through a DML trigger. We'll call the database 'DB', and it is owned by a domain account named 'DOMAINAcct'. The trigger simply blocks any CUD operations on a table which we'll call 'Tbl', and sends an email. Hence, it looks something like...
CREATE TRIGGER [dbo].[TR_Tbl_BlockChanges]
ON [dbo].[Tbl]
WITH EXECUTE AS OWNER
INSTEAD OF INSERT,DELETE,UPDATE
AS
EXEC [msdb].[dbo].[sp_send_dbmail] @profile_name = 'AcctMail', @recipients = 'foo@bar.com', @subject = N'CUD operations not allowed on Tbl', @body = N'Blocked'
AcctMail is a valid profile and operates correctly. I have created the DOMAINAcct user in msdb, given it the AUTHENTICATE permission, and added it to the DatabaseMailUserRole. When the trigger fires, according to the article, the security context should switch to dbo (DOMAINAcct), then be successful when attempting to execute the msdb sproc. Instead I get the usual:
Msg 229, Level 14, State 5, Procedure sp_send_dbmail, Line 1
The EXECUTE permission was denied on the object 'sp_send_dbmail', database 'msdb', schema 'dbo'.
Thoughts?
Dec 12, 2007
I am installing an application that is a WCF service host running as a windows service under the Network Service account. As part of its configuration I am creating a connectionstring in a config file that will allow the WCF services to access SQL Server. I would like this access to be done using windows authentication not sql server authentication.
connectionString="Server=MYSQLServer;Initial Catalog=MyDatabase;Integrated Security=True;"
So since the Windows service is running logged in under the Network Service account, using the above connection string would try to connect to SQL Server using the Network Service account. Instead I would like to impersonate another domain account which has a SQL Server login and is a user in the database.
Is there a way to configure the connection string to use integrated security but to impersonate another domain user?
Thanks
-- Steven
Jul 8, 2006
In the following scenario, I am getting the message 'Login failed for user '(null)'. Reason: Not associated with a trusted SQL Server connection'.
I am running a Windows Server 2003 with development environment and Sql Server Management Studio in a workgroup on a virtual PC.
My SQL Server 2000 is running on a domain server.
On the virtual Pc I have setup my user login and password to be the same as my domain login and password. Why is the Management Studio not using impersonation and allowing me to connect to the SQL server on the domain?
Jul 16, 2006
This is driving me nuts, below is the C# for the proc as well as the runtime error upon calling EXEC on it. Any help would be appreciated. Using UNSAFE Permission Set.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using Microsoft.SqlServer.Server;
using System.Security;
using System.Security.Principal;
public partial class StoredProcedures
{
    [Microsoft.SqlServer.Server.SqlProcedure()]
    public static void uspExternalConnection()
    {
        WindowsIdentity newIdentity = null;
        WindowsImpersonationContext newContext = null;
        try
        {
            //impersonate the caller
            newIdentity = SqlContext.WindowsIdentity;
            newContext = newIdentity.Impersonate();
            if (newContext != null)
            {
                using (SqlConnection oConn =
                    new SqlConnection("Server=.\\sqlexpress;" +
                                      "Integrated Security=true;"))
                {
                    SqlCommand oCmd =
                        new SqlCommand("SELECT * FROM AdventureWorks.HumanResources.Employee", oConn);
                    oConn.Open();
                    SqlDataReader oRead =
                        oCmd.ExecuteReader(CommandBehavior.CloseConnection);
                    SqlContext.Pipe.Send(oRead);
                }
            }
            else
            {
                throw new Exception("user impersonation has failed");
            }
        }
        catch (Exception ex)
        {
            SqlContext.Pipe.Send(ex.Message.ToString());
        }
        finally
        {
            if (newContext != null)
            {
                newContext.Undo();
            }
        }
    }
}
Msg 6522, Level 16, State 1, Procedure uspExternalConnection, Line 0
A .NET Framework error occurred during execution of user defined routine or aggregate 'uspExternalConnection':
System.InvalidOperationException: Data access is not allowed in this context. Either the context is a function or method not marked with DataAccessKind.Read or SystemDataAccessKind.Read, is a callback to obtain data from FillRow method of a Table Valued Function, or is a UDT validation method.
System.InvalidOperationException:
at System.Data.SqlServer.Internal.ClrLevelContext.CheckSqlAccessReturnCode(SqlAccessApiReturnCode eRc)
at System.Data.SqlServer.Internal.ClrLevelContext.GetCurrentContext(SmiEventSink sink, Boolean throwIfNotASqlClrThread, Boolean fAllowImpersonation)
at Microsoft.SqlServer.Server.InProcLink.GetCurrentContext(SmiEventSink eventSink)
at Microsoft.SqlServer.Server.SmiContextFactory.GetCurrentContext()
at Microsoft.SqlServer.Server.SqlContext.get_CurrentContext()
at Microsoft.SqlServer.Server.SqlContext.get_Pipe()
at StoredProcedures.uspExternalConnection()
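SQL Server's CLR host requires the thread token to be reverted before a routine returns and does not allow in-process data access (including SqlContext.Pipe) while the thread is impersonating, which is what Msg 10312 and the "Data access is not allowed in this context" error quoted in the posts above report. The following is an added example, not code from any poster: a SQLCLR procedure that impersonates once, does only external work under the caller's token, reverts in finally, and uses the pipe afterwards. The procedure name, REMOTE_SERVER_PLACEHOLDER and the query are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;
using Microsoft.SqlServer.Server;

public partial class StoredProcedures
{
    // Hypothetical procedure, server name and query, chosen for this example only.
    // The assembly must be registered WITH PERMISSION_SET = EXTERNAL_ACCESS (or UNSAFE).
    [SqlProcedure]
    public static void uspImpersonatedRemoteRead()
    {
        const string remoteConnStr =
            "Server=REMOTE_SERVER_PLACEHOLDER;Integrated Security=SSPI;";
        const string query = "SELECT name FROM sys.databases";

        // SqlContext.WindowsIdentity is null when the caller used a SQL login.
        WindowsIdentity caller = SqlContext.WindowsIdentity;
        if (caller == null)
        {
            SqlContext.Pipe.Send("Caller is not a Windows login; nothing to impersonate.");
            return;
        }

        List<string> names = new List<string>();
        string failure = null;
        WindowsImpersonationContext ctx = null;
        try
        {
            // Exactly one Impersonate() call, paired with one Undo() in finally.
            ctx = caller.Impersonate();

            // Only external work happens here: no SqlContext.Pipe and no
            // "context connection=true" while the thread carries the caller's token.
            using (SqlConnection conn = new SqlConnection(remoteConnStr))
            using (SqlCommand cmd = new SqlCommand(query, conn))
            {
                conn.Open();
                using (SqlDataReader reader = cmd.ExecuteReader())
                {
                    while (reader.Read())
                    {
                        names.Add(reader.GetString(0)); // buffer, send later
                    }
                }
            }
        }
        catch (Exception ex)
        {
            // Record the error; reporting through SqlContext waits until after Undo().
            failure = ex.GetType().FullName + ": " + ex.Message;
        }
        finally
        {
            if (ctx != null)
            {
                ctx.Undo();
            }
        }

        // The thread is back on the SQL Server service token, so the pipe is usable.
        if (failure != null)
        {
            // SqlPipe.Send(string) accepts at most 4000 characters.
            if (failure.Length > 3900)
            {
                failure = failure.Substring(0, 3900);
            }
            SqlContext.Pipe.Send("Impersonated call failed: " + failure);
            return;
        }

        SqlDataRecord row = new SqlDataRecord(
            new SqlMetaData("name", SqlDbType.NVarChar, 128));
        SqlContext.Pipe.SendResultsStart(row);
        foreach (string name in names)
        {
            row.SetString(0, name);
            SqlContext.Pipe.SendResultsRow(row);
        }
        SqlContext.Pipe.SendResultsEnd();
    }
}
```

Impersonation only changes the token on the SQL Server host; when the caller connected from another machine, the remote server or file share sees that caller only if Kerberos delegation is in place, otherwise the second hop arrives as ANONYMOUS LOGON as in the errors quoted elsewhere on this page.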
Apr 9, 2008
I am testing RS2008 CTP6.
When I view an Adventureworks sample report (e.g. company sales) I get this error message when I use the option "Impersonate the authenticated user after a connection has been made to the data source":
Cannot create a connection to data source 'AdventureWorks'.
Must declare the scalar variable "@ImpersonatedUser".
All other connection options without impersonate works fine.
Any idea what can cause this problem?
Thanks in advance.
Jul 28, 2006
I want to access external resources inside the CLR code, but I am getting a Security Exception.
I have marked the assembly with External Access. Here is the way I am doing it.
I read articles and MSDN; everywhere it is written to use impersonation like
    using (WindowsIdentity id = SqlContext.WindowsIdentity)
    {
        WindowsImpersonationContext c = id.Impersonate();
        //perform operations with external resources and then undo
        c.Undo();
    }
In the above case I tried both Windows Authentication and SQL Authentication.
In the case of Windows, I have a domain login to log on to my PC, while SQL Server is on another machine and Active Directory is on a different machine. When I connect to the database, it says cannot find user Domainnameuser
and the SqlContext.WindowsIdentity is always null or it has exception User.Token threw Security exception.
After that, I tried to use a custom identity, using IIdentity =GenericIdentity("UserName","Windows");
But there is no difference; still the same exception, as given below.
    [Microsoft.SqlServer.Server.SqlProcedure]
    public static void MyProcedure()
    {
        Process[] p = Process.GetProcessesByName("YPager"); // Yahoo Messenger exe, a process
        p[0].Kill();
    }
A .NET Framework error occurred during execution of user defined routine or aggregate 'MyProcedure': System.Security.SecurityException: Request failed.
System.Security.SecurityException:
at System.Security.CodeAccessSecurityEngine.ThrowSecurityException(Assembly asm, PermissionSet granted, PermissionSet refused, RuntimeMethodHandle rmh, SecurityAction action, Object demand, IPermission permThatFailed)
at System.Security.CodeAccessSecurityEngine.ThrowSecurityException(Object assemblyOrString, PermissionSet granted, PermissionSet refused, RuntimeMethodHandle rmh, SecurityAction action, Object demand, IPermission permThatFailed)
at System.Security.CodeAccessSecurityEngine.CheckSetHelper(PermissionSet grants, PermissionSet refused, PermissionSet demands, RuntimeMethodHandle rmh, Object assemblyOrString, SecurityAction action, Boolean throwException)
at System.Security.CodeAccessSecurityEngine.CheckSetHelper(CompressedStack cs, PermissionSet grants, PermissionSet refused, PermissionSet demands, RuntimeMethodHandle rmh, Assembly asm, SecurityAction action)
at DatFileGenerator.StoredProcedures.'MyProcedure'()
.
No rows affected.
(0 row(s) returned)
@RETURN_VALUE =
Finished running [dbo].['MyProcedure'].
How could I go ahead... what should I do to accomplish the task...
Kindly .. suggestions and ideas..
Thanks,
Muna
Nov 11, 2015
I have a user who is trying to run a job (call a Stored Procedure) which connects to a Linked Server. He can run it OK using EXEC SP_Name but when he runs from the SQL Jobs it gives him the error:
Linked servers cannot be used under impersonation without a mapping for the impersonated login. [SQLSTATE 42000] (Error 7437). The step failed.
The Linked Server was set up using another account. Would this be fixed if I add the new user to the Security section of Linked Server without breaking the current configuration?
Jan 29, 2007
As a bit of background first, I'm trying to write a CLR stored proc that will start/stop a Windows Service using the ServiceController class.
The problem I'm having is that the stored proc gets run as NT AUTHORITY\NETWORK SERVICE - i.e. the user the SQLServer Windows Service runs as. This user doesn't have adequate permissions to start/stop a Windows Service (the user only has permission to view the service's status).
The Windows user who is connected to the db - executing the stored proc, does however have adequate permission to start/stop the Windows Service. I'd like to have some way of running the code in the stored proc as if it were this user. If someone could point me in the right direction I'd appreciate it.
Apr 9, 2008
When publishing to a file share using Reporting Services (no service pack 2 yet) the following error occurs:
Failure writing file NewFile.mhtml : An impersonation error occurred using the security context of the current user.
I have tried publishing to both Windows XP and Server 2000.
The Reporting Services box is Server 2003.
Publishing account is Local Administrator on both Reporting Services and target boxes.
Logon Locally has been granted on both Reporting Services and target boxes.
Any thoughts?
May 24, 2006
Hello All,
Login failed for user '(null)'.
I know this issue is all over the forum, however I have not found any posts that help me resolve the issue.
Situation:
I have an ASP.NET 2.0 application hosted currently on XP Pro (will be moving to 2003 Server) which connects to a SQL 2000 database that resides on a different server. I have taken the following steps to implement my security.
Given my account permissions to the database
Put the following in my web.config
<add name="MyName" connectionString="Data Source=MyServer;Initial Catalog=MyDatabase;Integrated Security=SSPI" providerName="System.Data.SqlClient" />
<authentication mode="Windows" />
<identity impersonate ="true" />
I have set IIS to use integrated authentication and removed anonymous. The application works when run from the web server but not when run from a remote machine.
Thank you for any assistance,
George
Sep 30, 2004
Hello all,
We have a Windows 2003 Web Edition server serving a site through IIS. It connects to a Windows 2003 Standard Edition server running SQL 2000 SP3a.
This site receives the following error as seen in the topic:
[DBNETLIB][ConnectionRead (recv()).]General network error. Check your network documentation.
We've configured the server network utility to only allow TCP/IP connections. The connection string for the site is as follows:
<%
' FileName="Connection_ado_conn_string.htm"
' Type="ADO"
' HTTP="false"
' Catalog=""
' Schema=""
MM_connSpankMSSQL_STRING = "Provider=sqloledb;Data Source=SERVER_IP,1433;Network Library=DBMSSOCN;Initial Catalog=ourmaindb_1;User ID=ourmaindb_1;Password=hotcookies;"
%>
Any ideas or tips on solving this issue? We've noticed it is due to larger queries as smaller ones do work with no problems.
The servers are behind a BSD box running iptables, has 1433,1434 along with standard web ports wide open. Anything outbound is allowed.
Some further testing via ODBC on the IIS server improved things. No more connection pooling for the SQL Server driver allows for 1/3 of the query to run. Still 2/3s of it doesn't show up, and that general network error message appears.
Should have 330 rows if it works right.
May 19, 2004
Hi
While running a DTS, many times the error message: "[DBNETLIB][ConnetionWrite (WrapperWrite()).]General network error. Check your network documentation." appears.
Does somebody know why?
I am running the DTS from a computer (not the server where the DTS is stored) and it is connected without any problem when this happens.
Thanks!!
Regards
Lautaro - Argentina.
Oct 4, 2007
Hi everyone,
I am using .Net 1.1 for my web application.
And my database server is SQL Server 2005.
My application is running fine, as I can log in to it and am also able to view pages. But when I open Order management (having 3K records) it gives me the error:
General Network Error. Check your network documentation
I have also searched many articles and tried the following solutions, but nothing is working:
- connectiontimeout = 0, max pool size = 7500/100, pooling = false
- SSL disabling enforce security false as mentioned in Microsoft KB article.
And there is no issue with hardware/firewall, as my application's login and other forms are working fine (which use the same database with the same connection string).
Can anyone please help me to solve this error?
With Regards,
Nov 15, 2006
Hello--
We have a current situation where analysts will be modeling a variety of problems, all stemming from the same source data (stored in a SQL-Server 2005 relational database).
Analysts that work on the same problem will only have access to:
- A sandbox relational database (which contains views into the same source database). The analyst is db_owner of the sandbox database, so she/he can create data transformations required, etc. The sandbox database contains views to the source database, but the analyst only has read-access to the specific data elements needed from the source DB. So, they are very restricted w.r.t. the source database, but are db_owners of their sandbox relational databases. Note that the analyst will connect to the database via Windows Authentication.
- An Analysis Services sandbox database to use for their modeling, etc. In this AS sandbox db, we've created a role called "Administrator" and checked the permissions: Full control (Administrator), Process database, and Read definition. The analyst's windows account is the "user" associated with this role.
Also, in this situation, the SQL Server 2005 Relational Engine and Analysis Services are running on a single machine. The goal of this security model is to provide analysts with the ability to work in their "workspaces" (both SQL and AS), but not to see other analysts' work, etc.
I'm running into a problem when trying to build models using this security model by doing the following:
- Running Visual Studio
- Selecting File -> Open -> Analysis Services Database and choosing the AS DB that I have access to (this is the only one that appears in the drop-down, after specifying the AS server).
- I've created a data source pointing to the relational sandbox DB.
- I've created a data source view choosing the table/view needed for the case table.
- I created a mining structure with a decision tree model
When I process the mining structure, I'm getting the following errors:
- If the data source Impersonation is "Default" -- the error is "The datasource, '<DS name>', contains an ImpersonationMode that is not supported for processing operations."
- If the data source Impersonation is "Use the credentials of the current user" -- the error is the same as "Default" above -- "The datasource, '<DS name>', contains an ImpersonationMode that is not supported for processing operations."
- If I change the data source Impersonation to "Use the service account" and select "OK" in the "Data Source Designer" window, an error comes up with the message: "The ImpersonationInfo for '<DS name>' contains an ImpersonationMode that can only be used by a server administrator."
Any suggestions or pointers to help implement this security model to provide analysts with AS and SQL Relational resources for their modeling?
Thanks,
- Paul
May 26, 2007
Hi, we have written an error log in Global.asax which captures the below-mentioned error on the production server. The same application is working fine in some locations, and in some locations we are getting the error. Does anybody know why this error occurs?
Error Message: General network error. Check your network documentation.
Stack Trace:
at System.Data.SqlClient.SqlInternalConnection.OpenAndLogin()
at System.Data.SqlClient.SqlInternalConnection..ctor(SqlConnection connection, SqlConnectionString connectionOptions)
at System.Data.SqlClient.SqlConnection.Open()
at datalayer.sqldb.Execute(String ProcedureName, SqlParameter[] Parameters)
at lms.User.GetUserDetails(String strUserid)ITs
at LMS.Login.w_btn_Login_Click(Object sender, EventArgs e)
at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
at System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument)
at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
at System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData)
Oct 4, 2007
Hi,
I am using .Net 1.1 for my web application.
And my database server is SQL Server 2005.
My application is running fine, as I can log in to it and am also able to view pages. But when I open Order management (having 3K records) it gives me the error:
General Network Error. Check your network documentation
I have also searched many articles and tried the following solutions, but nothing is working:
- connectiontimeout = 0, max pool size = 7500/100, pooling = false
- SSL disabling enforce security false as mentioned in Microsoft KB article.
And there is no issue with hardware/firewall, as my application's login and other forms are working fine (which use the same database with the same connection string).
Can anyone please help me to solve this error?