Re: NT AUTHORITY\ANONYMOUS LOGON --- SQL server
From: John J. Hughes II (no_at_invalid.com)
Date: 03/24/05
- In reply to: Willy Denoyette [MVP]: "Re: NT AUTHORITY\ANONYMOUS LOGON --- SQL server"
- Next in thread: oj: "Re: NT AUTHORITY\ANONYMOUS LOGON --- SQL server"
- Reply: oj: "Re: NT AUTHORITY\ANONYMOUS LOGON --- SQL server"
- Reply: Willy Denoyette [MVP]: "Re: NT AUTHORITY\ANONYMOUS LOGON --- SQL server"
Date: Thu, 24 Mar 2005 13:21:47 -0500
"Willy Denoyette [MVP]" <willy.denoyette@telenet.be> wrote in message
news:uO82u2IMFHA.3356@TK2MSFTNGP12.phx.gbl...
>
> "John J. Hughes II" <no@invalid.com> wrote in message
> news:ewLARtIMFHA.3356@TK2MSFTNGP12.phx.gbl...
>>
>> "Willy Denoyette [MVP]" <willy.denoyette@telenet.be> wrote in message
>> news:ewjs%23eIMFHA.2680@TK2MSFTNGP09.phx.gbl...
>>>
>>> "John J. Hughes II" <no@invalid.com> wrote in message
>>> news:Oel8zHIMFHA.1176@TK2MSFTNGP12.phx.gbl...
>>>> Again thank you for your support.
>>>>
>>>> I have worked around the registry problem and added the computer name
>>>> to the SQL as a valid log in with access to the correct databases.
>>>>
>>>> Now I have the following error message from the connection string:
>>>> "Login failed for user '(null)'. Reason: Not associated with a trusted
>>>> SQL Server connection."
>>>>
>>>> My connection string is "Data Source=MyServer;Initial
>>>> Catalog=DBData;Integrated Security=SSPI;Persist Security
>>>> Info=False;Packet Size=4096;Workstation ID=MyWks" which works fine from
>>>> the user account.
>>>>
>>>> Is this message because my workstation is set as a workgroup and not
>>>> part of the Win2K3 domain or do I need to configure the connection
>>>> string differently?
>>>>
>>>> Regards,
>>>> John
>>>
>>> I'm unclear on how you were able to (successfully) add a remote machine
>>> account to SQL. Machine accounts are W2K (or higher) domain members and
>>> must be specified as domain\MachineName$ where domain is the domain
>>> that both SQL server and client machine are members of. Each machine
>>> account is just like a regular domain user account, so authentication
>>> requests are handled by the DC of the login domain, and as you aren't
>>> running in a domain realm this feature won't work for you.
>>>
>>> If you need SQL integrated security to work in a workgroup, you should
>>> create a shadow account on both servers, that is, an account with the same
>>> identity and password. At the asp.net side you must grant the required
>>> privileges to the local system resources like Filesystem and Registry,
>>> on the SQL side you can grant SQL server access and nothing else.
>>>
>>> Willy.
>>>
>>>
>>
>> Well, in regard to adding the login name to the SQL server I just did the
>> following, no problem.
>> exec sp_grantlogin 'MyDomain\MyComputer$'
>>
>> I had a feeling the domain thing was causing me problems. I am writing
>> and testing my code on a workstation so there is no second server at this
>> point. When the code is released it will be on a second server so my
>> current problem may be moot but it would be nice to test in as close to
>> the same environment as possible.
>>
>> I am not using asp.net, this is a normal service which accesses the SQL
>> server on a second computer which happens to be a Win2K3 server.
>>
>> Oh well thanks for the pointer, I guess I will read about shadow accounts
>> today :)
>>
>> Regards,
>> John
>>
>>
>
> John,
>
> Sorry, don't know why I was referring to asp.net, anyway this applies to
> any service running on windows.
> That means it can be tested (the shadow account) with the file server
> service as well.
> Create the same account on both machines.
> Grant access to a file share on the server.
> Runas the "shadow account" on the client, and see if you can access the files
> on the remote share.
>
> Willy.
>
>
Willy,
How is this different than just going to properties of the service and
setting the "Log On" property to "This Account" and using a local account?
Currently if I change the log on account for this service to my user account
the system works fine. I am trying to test as a network service which seems
to have a whole bunch of other problems. The problem is when I run as a
network service then the user name is <null> when trying to log on to the
SQL server. Will this shadow account allow me to in some way convince the
network service it has a valid name?
Regards,
John
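
The shadow-account file-share test described in the quoted reply above, written out as an added example (not part of the original thread). It assumes Windows PowerShell 5.1 or later run elevated on each machine; `svc_shadow`, `ShadowTest` and `C:\ShadowTest` are hypothetical names, and `MyServer` is the server name from the connection string in the thread.

```powershell
# Added example: shadow-account test for two machines in a workgroup (no DC).
# Run with -Role Server on the file/SQL server and -Role Client on the workstation.
param([ValidateSet('Server','Client')][string]$Role = 'Client')

$name = 'svc_shadow'                      # hypothetical account name
$acct = "$env:COMPUTERNAME\$name"         # local account on THIS machine

# Type the SAME password on both machines: with no domain controller, the
# server validates the client's logon against its own local account of the
# same name, so name and password must match on both sides.
$pw = Read-Host "Password for $name" -AsSecureString

if (-not (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $name -Password $pw -PasswordNeverExpires `
        -Description 'Shadow account for workgroup integrated-auth test' | Out-Null
}

if ($Role -eq 'Server') {
    $path = 'C:\ShadowTest'               # hypothetical test folder
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    Set-Content -Path (Join-Path $path 'hello.txt') -Value 'shadow account test'
    # Read-only on both the share ACL and the NTFS ACL; nothing else is granted.
    New-SmbShare -Name 'ShadowTest' -Path $path -ReadAccess $acct | Out-Null
    icacls $path /grant "${name}:(OI)(CI)RX" | Out-Null
}
else {
    # runas performs an interactive logon, so the client-side copy needs
    # "Allow log on locally", which membership in Users provides by default.
    Add-LocalGroupMember -Group 'Users' -Member $name -ErrorAction SilentlyContinue
    # Prompts for the password, then lists the remote share as svc_shadow.
    runas "/user:$acct" 'cmd /k dir \\MyServer\ShadowTest'
}
```

If the listing succeeds, the server's Security log records a network logon (event 4624, logon type 3) for `svc_shadow` instead of ANONYMOUS LOGON. The same local account can then be given a SQL Server login on the server, using `sp_grantlogin` as shown earlier in the thread, and set as the service's "Log On" account on the client.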