Logging in as administrator to Window 2008 R2 I can access all files on the server, naturally.
If I then login to SQL Server 2008 R2 as sa, I cannot access some flat files, for example, to Restore or dump data via bcp. (I can access all flat files via Import/Export Wizard though.)
I end up moving backup files around the file system until I find somewhere that works, or dumping data files to places I would prefer not to use.
How do I give sysadmin rights to these forbidden folders?
Why would my predecessor have blocked sysadmin access to these areas, do you think?
It's because when you are logged into SQL server as SA, you are the admin for SQL server, not the Windows server itself.
You are constrained to what the SQL server service account has rights to access on the machine as that is the context in which SQL server runs.
To be able to access these windows locations from within SQL server, first identify the name of the service account that is actually running the SQL server service and then give the permissions on the folders to this account.
To find the SQL Server service account, you can query the sys.dm_server_services DMV to find the account:
SELECT * FROM sys.dm_server_services
This will show you the service account set for each service, alternatively, you could just look in either the services console in Windows or SQL server configuration manager to see what account the SQL server is logging on as.
This DMV was introduded in SQL Server 2008 R2 SP1, so won't work in earlier versions, the following article has some information on various ways to find the service account:
Get SQL Server Service Account using T-SQL
Related
Hi I am new to SAP Business Object Central Management Console and trying to schedule a crystal report. For this I made an ODBC connection to a database(NCBODS) in the Server machine using windows authentication. I also gave same windows credentials in CMC as shown in below image. But It gives me an error saying
Error Message:
Error in File C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Data\procSched\SDDVCTRTRCH11.reportjobserver\~tmp5448125TH7b9b16.rpt: Unable to connect: incorrect log on parameters. Details: [Database Vendor Code: 18456 ]
I have given the same windows credentials that I use to connect to the app server. Still I am getting "incorrect log on parameters"
But when I use a SQL Authenticated Login in the ODBC connection and also use the same SQL Login credentials in CMC it works fine.
So the problem here is when I use the windows credentials it throws error but works fine when SQL credentials are used. Is there any way I can use windows credentials in CMC?? I really appreciate if any one can help me on this
If you create an ODBC DSN with authentication set to trusted connection (Windows authentication), be aware that a different account will be used when creating the DSN and when using it in BusinessObjects:
When creating the connection: the DSN is created using the credentials you're logged on with (i.e. your Windows AD user account)
When running a report: the connection to the database is initiated through BusinessObjects, thus the account which BusinessObjects is running with, will be used to connect to the database.
In other words, you need to make sure that following requirements are met:
Your SIA (Server Intelligence Agent) which runs your CMS, Crystal Reports servers, etc must be configured to run with an Active Directory service account. By default, it runs with the Local System Account, which will not be able to log on to your database (as it's a local account, it's not even able to access network resources).
You need to grant the service account you used to configure the SIA in step 1 the necessary rights to your database.
Remarks:
If you're using AD SSO, you cannot schedule the report so that it uses the Active Directory credentials of a certain user (because BOBJ doesn't store these credentials, it only verifies them at logon).
If you're not using AD SSO, but are authenticating users to the BusinessObjects platform (InfoView) with manual AD authentication, you can set the option Synchronization of Credentials. This forces BOBJ to store the AD credentials when the user authenticates.
The credentials are stored in the user profile (Database Credentials).
This will be a simple answer for those used to Windows authentication but as Solaris Sysadmin I am just looking for some clarification on how to implement Windows Authentication between an application running on an IIS7 Web Site (running on Server 2008 R2) and a Microsoft SQL 2008 Server.
The application at the moment uses this tag:
Data Source=mydbserverhostname;Initial Catalog=TheDBName;User ID=testuser; Password=apassword
In the specifications it is supposed to use this:
Data Source=mydbserverhostname;Initial Catalog=TheDBName;Integrated Security=SSPI;
I would like to go back and get the Windows Authentication working before I have to deploy to Production. From my understanding of Windows I need to have a Windows Domain account to authenticate against a Service Account which has been set on the SQL Server 2008.
What I am missing is how to achieve this and how to get it running as a service so that I can log out and leave IIS7 running the site and the SQL Server talking to each other.
I have read a couple of similar questions on this forum but the answers seem to be "just switch to SQL Authentication" which I need to avoid in the final implementation.
Any help would be appreciated.
When using the DefaultAppPool change the Identity to a custom username and password that matches the service account that has been created on the SQL Server/(LDAP) as per:
http://www.iis.net/learn/manage/configuring-security/application-pool-identities
I made a page and a Login page to secure that first page. When you login, it show the error:
Unable to establish connection to database.
Error information:
Microsoft OLE DB Provider for SQL Server (0x80040E4D)
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
Anyone know what this exactly means and what to do about it?
Answers help! :D
Check your Connection string settings for your 'Design' and the 'Live' server (which might be your own PC with IIS installed)
You may be able to access the tables etc when in Design mode, but when you publish it (even locally) it will use the 'Live' server details - which will mean you need to check that IIS has an appropriate user to access the SQL Server and database.
Most of the time I use 'SQL Authentication', but either way you need to allow the user access to SQL and DB.
Have a look at these other questions for options:
How do I configure SQL Server to allow access via IIS
and Microsoft has several options from this article:
MSDN Accessing SQL Server from a Web Application
We are upgrading to SSRS 2008 R2 on 2008 Server. We have a production environment that prevents us from having local admin permissions for accounts. We have been told that we can only have a batch level service account. I assume[d] the Content Manager and System Administrator role can run under this account however we can't seem to get ReportManager running without local admin. The SSRS database is installed on a separate box.
I'm hoping someone has a set of steps or reference to how we can configure this to work without local admin.
thanks
Marty
When installing SSRS by default there is no place to enter ssrs manager or ssrs credentials. Just set up the endpoints, database, email and a low level account. You would need an admin account initially to access the report manager once. During this time other system level accounts can be created that can match to your admins batch user requirements. I would propose two accounts for the SSRS box.
1. Report User - Can Run Reports Can View
2. Report Admin - Can Update Defs. Can Run Reports
Then deploy reports using ReportAdmin and request reports using ReportUser.
I have few SSRS 2008 reports. Databases are CRM databases. I have created a group of 10 users. Each user has different permissions(user can see data of only those databases which he has access from CRM side security).
When user tried to see reports from his place(machine) every time he gets this error.
An error has occurred during report processing. (rsProcessingAborted)
Cannot create a connection to data source 'DB_NAME'. (rsErrorOpeningConnection)
Cannot open database "CRM_Database" requested by the login. The login failed. Login failed for user 'NTAUTHORITY\ANONYMOUS LOGON'.
I am using windows authentication. within the server reports are working fine. Outside the server we are getting this error.i got few suggestions that its a double hop issue.Solutions can be :
Use stored credential. (In my case I can't use because every user has access to different database. He can select database in reports whatever he has access to and he will get data only for that database.)
Kerberos setting.( I don't know how to do that when you have Windows 7 and SQL 2008 R2)
Help would be appreciated.
"NTAUTHORITY\ANONYMOUS LOGON" is the built in IIS account on your report server. The reports are being executed from this account which serves up the page to the user.
Update your Data Source to use "Connect using: Credentials supplied by the user running the report" and checking "Use as Windows credentials" (Kerberos), if their AD account is setup with the appropriate DB permissions on the SQL Server. when connecting to the Data Source. Windows integrated security works also if you are on the domain.
Since you need to pass the user's account to the DB for authentication using credentials stored securely on server (Stored Credential) will not work for the scenario you describe as every user will hit the database with the same credentials.