RE: 0x80004005 - you need permission to view its data

From: Sophie Guo [MSFT] (v-sguo_at_online.microsoft.com)
Date: 09/05/05


Date: Mon, 05 Sep 2005 08:33:37 GMT

Hello,

Based on the information in the "Security Account Delegation" topic in SQL
Server Books Online (BOL):

Security Account Delegation
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adminsql/ad_security_2gmm.asp

When connecting to multiple servers, and with each server change, we need
to use Delegation to retain the authentication credentials of the original
client. This issue can be resolved as follows:

Use SQL authentication to connect to the SQL server from the client, and
set the domain account used to start SQL Server to have permissions in the
shared folder on the machine where the data is located.

Based on my test, I can run the following code successfully in Query
Analyzer (QA) when connecting to SQL Server using sa:

select * from access2000...customers

Note: access2000 is a linked server using an Access 2000 sample database
northwind.mdb in a shared folder on a machine without SQL installed.

or

Establish an SPN for your domain account, which will enable Kerberos
authentication:

1. Load the Active Directory Users and Computers MMC snap-in.

2. In the Active Directory Users and Computers snap-in, select the
Computers container.

3. Select the Windows 2000 machine running SQL Server, then right-click and
select Properties.

4. Under the General Tab, check the "Select Trust computer for delegation"
checkbox, then OK.

5. Configure the SPNs for the MSSQLSvc process on the SQL Server box.

Someone logged in with domain admin permissions needs to run the
following commands:

setspn -A MSSQLSvc/<fully qualified domain name for SQL Server machine>:<SQL Server port # (1433 by default)> <domain account name for account SQL Server service runs under>

Example:

setspn -A MSSQLSvc/mysqlserver.myactivedirectory.domain.com:1433 mydomainaccount

Anyone, whether or not a domain admin, can display the SPNs like this. This
doesn't have to be run on the SQL Server machine, just a machine on the
domain.

Setspn -L <domain account name for account SQL server runs under>

I get this on my test domain:

Setspn -L ssrvacct

MSSQLSvc/chinagrove2kSQL.jimsau.ms.com:1433

These steps are for running SQL Server under a domain account.

Sophie Guo
Microsoft Online Partner Support
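
Added example, not part of the original post: a PowerShell check that the SPN from step 5 is actually registered for the service account, run over `setspn -L` output. The function name Test-SqlSpn, the distinguished name in the header line and the second SPN line of the sample are constructed for illustration; only the first SPN line appears in the post.

```powershell
# Added example. Test-SqlSpn is a hypothetical helper, not a built-in cmdlet.
function Test-SqlSpn {
    param(
        [Parameter(Mandatory)] [string]   $Fqdn,         # FQDN of the SQL Server machine
        [int]                             $Port = 1433,  # SQL Server TCP port
        [Parameter(Mandatory)] [string[]] $SetspnOutput  # lines from: setspn -L <account>
    )
    # The SPN that step 5 is meant to register.
    $expected = "MSSQLSvc/${Fqdn}:$Port"

    # Keep only lines shaped like class/host[:port]; this drops the header line.
    $spns = $SetspnOutput |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^[^\s/:]+/\S+$' }
    $sqlSpns = @($spns | Where-Object { $_ -like 'MSSQLSvc/*' })

    # PowerShell string comparison is case-insensitive by default,
    # which matches how SPNs are compared.
    $found = $sqlSpns -contains $expected

    # Entries for the same host that differ from the expected SPN,
    # for example a short host name instead of the FQDN, or another port.
    $hostShort = $Fqdn.Split('.')[0]
    $nearMisses = @($sqlSpns | Where-Object {
        $_ -ne $expected -and $_ -like "MSSQLSvc/$hostShort*"
    })

    [pscustomobject]@{
        Expected   = $expected
        Registered = $found
        NearMisses = $nearMisses
    }
}

# Constructed sample of `setspn -L ssrvacct` output (header DN and the
# second SPN line are made up for this example).
$sample = @(
    'Registered ServicePrincipalNames for CN=ssrvacct,CN=Users,DC=jimsau,DC=ms,DC=com:'
    '    MSSQLSvc/chinagrove2kSQL.jimsau.ms.com:1433'
    '    MSSQLSvc/chinagrove2kSQL:1433'
)
Test-SqlSpn -Fqdn 'chinagrove2ksql.jimsau.ms.com' -SetspnOutput $sample

# Against a live domain, pass the real output instead of the sample:
# Test-SqlSpn -Fqdn 'chinagrove2ksql.jimsau.ms.com' -SetspnOutput (setspn -L ssrvacct)
```

With the sample above, Registered is True and NearMisses lists the short-name entry, which does not satisfy the fully qualified form given in step 5.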
