Ok, I have followed the steps from https://learn.microsoft.com/en-us/sql/linux/sql-server-linux-active-directory-authentication?view=sql-server-2017 to try and fix this issue as well as the SUSE/Redhat documentation for connecting to an AD server.
The servers are on the domain, I can log into the servers with my domain credentials but when I attempt to login to SQL as a domain user ( that is a Sysadmin on the SQL Server ) I get a the Login failed, the login is from an Untrusted domain and cannot be used with integrated authentication ( Error 18452) when attempting to use SSMS from a Windows box that works if I log in with a local account from it. When I log in as the domain user on the linux box I get the SSPI Provider: Server not found in Kerberos database and Cannot Generate SSPI context. Iif I use sqlcmd for a local user connecting to the FQDN of either server it connects fine. I haven't touched Linux from an Admin standpoint in over 15 years.
This is on both a SUSE 12 SP2 and a Redhat 7.5 server in our test environment. Not a big deal for me but our users are complaining because they now need a local account to log in for testing purposes instead of just using their domain accounts like the Windows side of things. Any help is greatly appreciated, most of what I am finding online just points me back to the Microsoft document and I have basically rebuilt the servers a couple times trying to add it to the domain before installing SQL and also after installing SQL to see if that made any difference, get the same error both ways.
Related
Here is the scenario:
A web server is running on IIS 8.5 using AppPoolIdendtity to pass through the credential to connect to Reporting Service which is remotely installed in a MSSQL Server.
The reporting service has added the machine account DOMAIN\MACHINENAME$ to the system role assignment from http://MSSSQLRS/ReportServer as System Administrator like this:
The permissions granted to user ' are insufficient for performing this operation. (rsAccessDenied)"}
Testing local MSSQL server is smooth with local access. However, whenever the connection is established from the IIS web server. The "rsAccessDenied" error came up as DOMAIN\MACHINENAME$ user.
Not sure what else is wrong either on the WEB IIS or MSSQL server....
Sounds like RS Windows NTLM is not configured correctly. See this article.
I've got 2 machines:
A corporate desktop machine which is running Windows 7 SP1 which resides on the corporate domain and which I log into using a corporate domain account.
A personal laptop that I use when working from home via the Cisco VPN client but presently sits on my desk connected to the corporate WiFi (though I had it connected to the wire and on the same subnet as my desktop machine today also). This machine is not on the corporate domain; I log into this machine with a Microsoft Account.
I need to run Visual Studio 2013 Release Management Client from both machines. The machine on my desktop works fine when entering either the IP address or the URL into the Release Management Server URL entry field and everything hooks up and all is glorious.
On my Windows 10 laptop however, it's a different story. Every attempt to connect is met with the error:
The server specified could not be reached. Please ensure the
information that is entered is valid (please contact your Release
Management administrator for assistance). <-- I'm the admin
I can ping the machine both with IP address and with hostname, ruling out DNS issues. Both client machines are on the same subnet. Both machines are using the same outbound port.
Checking the event log I see a bunch of Message: The remote server returned an error: (401) Unauthorized.
Checking with Fiddler, on my desktop machine, I can walk through the handshake of each of the stages of startup and all is good. But in Fiddler on my laptop I see 3 401 Unauthorized errors before Release Management Client bombs and returns the rather uninformative message I posted above.
I've attempted to create a shadow account on my laptop and do the Shift-Right Click-Run As Different User dance, but I must be missing something because I can't get this to run.
I've talked to the network administrator who suggests that I should be able to access all of the same resources from both machines and that it must be a Release Management issue.
Is this an incompatibility between VS2013 Release Management & Windows 10 or something else? Has anyone else had this issue and overcome it? I have access to be able to administer the Release Management environment if there's changes that need to be made there and I'm a local administrator on both machines. I'm not however a domain administrator if changes need to be made there.
I would bet you simply have a security issue as the workstation is not domain-joined and the WPF client is using Integrated Authentication.
Often creating a local "shadow" user with same username and password, and running the client app under that account (run as) works.
Another option is to join the workstation to the domain or use a domain-joined VM.
After fully investigating the situation, it appears to have been a combination of factors. I am posting a response because this appears to be a relatively common problem:
The workstation was sending an unexpected credential to the server. To get around this, you have to configure the user account on the server without a domain in the username and create a shadow account on your local machine. When running the client application, you must either log into this shadow account on the local machine or you must SHIFT+RIGHT CLICK and choose "Run as" entering your local shadow credentials. This will then pass the shadow account to the server which will now authenticate without referencing the domain. OR
Create a user account on the server that matches the credentials on your local machine including MACHINENAME\LocalUsername
There appeared to be a network issue when attempting to connect to the Release Management Server from the non-domain machine when connected inside the network. When connecting via the VPN from home, this situation was resolved, but only after we'd ensured the account and local machine accounts were correctly configured. The domain connected machine always connected properly.
Our setup:
Server1: Sharepoint is running
Server2: SQL Server is running
Our Sharepoint 2010 was working perfectly fine and then suddenly the website went down and when I tried accessing Central Admin I found the following issue in the error log:
System.Data.SqlClient.SqlException: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
I read on internet that this happens when the server loses trust with the domain so I removed the Sharepoint server from the domain and then added it back. Result: Same. No solution.
I also tried other methods where people have asked for updating the host file but that too did not work.
In order to check if the connection is working or not...i did UDL test where I created a file networkcheck.udl on Sharepoint server machine (Server1) and tried running with Windows authentication and tried to connect with DB server (Server2).
Result: Connection successful.
Can anyone please guide regarding this. I don't know why Sharepoint won't connect even after udl test being successful.
Because I don't know enough about your farm as a whole you may be best looking at this as a issue unrelated to SharePoint.
Are bother the servers in the same domain?
Like Dennis said have any of the passwords Expired/Changed?
Do you have anything other than localhost pointing to 127.0.0.1 in your Hosts file?
Check this thread and think of the problem away from SharePoint
SQL Server 2008 Windows Auth Login Error: The login is from an untrusted domain
Thanks
Truez
One of the possibilities of this error could be that the account from which the Server has been installed has been removed from the domain or the account password has been changed.
I have the following configuration for a web site:
Two Web front-ends (e.g. machine names: WFE1 & WFE2) 1 SQ
One SQL Server Database cluster (e.g. machine name: DBCluster)
All machines are in the same domain (e.g. MyDomain) running Windows 2008 R2 Enterprise and SQL Server 2008 R2.
I am in the process of deploying a web application that uses the Application Pool Identity. I have named the pool MyWebApp, which translates to the name, [IIS APPPOOL\MyWebApp]. When I try adding this user to SQL Server I get an error:
Windows NT user or group 'IIS APPPOOL\MyWebApp' not found. Check the name again.
The script that I have used to create the account in SQL Server is:
CREATE LOGIN [IIS APPPOOL\MyWebApp]
FROM WINDOWS WITH DEFAULT_DATABASE=[MyDatabase], DEFAULT_LANGUAGE=[us_english]
GO
I imagine the problem is occuring because the IIS account is a local account which is not visible to the SQL Server box.
Can someone please shed some light on how this problem can be resolved? Is using a domain account my only option or can I still get the application pool accounts to work?
I imagine the problem is occuring because the IIS account is a local account which is not visible to the SQL Server box.
That's exactly the problem. The IIS AppPool account only exists on the web server. If you were able to add this account to SQL Server, you would be authorizing an IIS AppPool that is running on the same machine as SQL Server. (I suspect it might still fail.)
The most secure solution would probably be to do as you say - create an account on the domain, give that account appropriate permissions on the database, and run the AppPool using that account's credentials.
However, if you'd still like to do it, you need to authorize the computer that the AppPool is running on - ie, DOMAINNAME\ComputerName$ (note the $ at the end).
Take a look at this article for more information (specifically, the section titled Accessing the Network).
I think that's a bad idea, however, because it authorizes any program running as NetworkService to access the database - not just your web applications.
I use windows xp and IIS 5 for web development. For database connection the credentials are set up as Integrated Security. It works fine our our DEV server (IIS 6) where they have configured the App Pool to run under the context of a domain account which has dbo access on the database. I myself also have dbo access in the database.
But when I run from my localhost the database connection failed (under Integrated Security=true) saying user '' has no previleged. So its passing a blank string as user instead of my logged in domain accountj ("domainname\myname"). How do I configure my localhost IIS so that it passed my logged in domain account as a user to the sql server? Basically I'm trying to silumate the apppool on IIS-5in my local machine.
I tried changing the "Log on as" on World wide web services & IIS Admin on my local machine services console, restarted it and did an IISRESET. Nothing seems to fix the problem.
Also I tried putting my domain user name (domainname\username) and password in the connection string by removing integreated security=true. Still that also not works
I am an administrator on my local machine. I tried different things like making aspnet user an administrator,log as as service etc etc with no luck
Please advice me how to configure IIS5 to run under a different account. thanks in advance
You need to set the user for anonymous login to be the domain account. I forget what tab it is on but it is there somewhere.
I think this link will point you in the correct direction
http://support.microsoft.com/kb/310344
Use IIS Express -- it is IIS7 for XP.