Domain user cannot connect with integrated security

john.sinclair_at_gmail.com
Date: 09/13/05

  • Next message: Stephen Costanzo: "Re: Grant, Revoke, Deny" 
    Date: 12 Sep 2005 21:56:58 -0700

    I've got a VERY perplexing problem....
    We noticed a SQL process on our development SQL server (SQL 2k, SP4 on
    win2003 sp1) that was connected as "moelocal", which is a local admin
    account on the server. The app was query analyser.

    I asked the user to use integrated security and not the local account -
    turns out he WAS selecting integrated security when he connected.
    Query analyser reports in the title bar connected as
    moetest.master.[DOMAIN]\moelocal, NOT the domain users account.

    I tried firing up a .Net app from the users PC that connects to the DB
    (which uses integrated security), then I executed sp_who. They are
    connected as the local user.

    The moelocal account is NOT the default administrator account, and it
    is not the account SQL server is running as.

    The domain user who is connecting is a member of a local group on the
    SQL box that is in the system admin role. Just to make sure I
    explicitly added the users domain account to the SQL logins and granted
    the system admin priviledges.

    We turned on auditing and there is an logon success event reporting the
    moelocal user connecting from the users PC. We disabled the moelocal
    account, and this time query analyser reported "login failed for
    MOETest\Guest"

    In the event log a failed login showed up for the moelocal account,
    followed by the failed login for the guest account.

    Why will integrated security not work for this user? Everyone else has
    no problems! I tried rebooting their PC, logging on from a different
    PC, but they always connect with the moelocal account.

    And just to compound things even further, there is another SQL instance
    on that server, and the user can connect to the second instance with
    integrated security just find.

    In desperation I even checked the SID of the domain account, and the
    moelocal account. No, they are not the same.

    AHHH! What could cause this!!
    Any suggestions greatfully recieved.

    Cheers,
    John

  • Next message: Stephen Costanzo: "Re: Grant, Revoke, Deny"

    Relevant Pages

    • Re: SQL account rights
      ... Please advice what is the best, suitable rights rather than domain admin ... Warren Brunk - MCITP - SQL 2005, ... Add it as a login to the SQL Server ... files, or backups, make sure that the service account has Full ...
      (microsoft.public.sqlserver.security)
    • Re: User authentication
      ... There are 2 SQL Server 2005 ... 1 SQL Server 2000 installed on another server ... Windows account instead to run backup jobs. ...
      (microsoft.public.sqlserver.clients)
    • Re: SQL 2000 Server gets hacked
      ... Thank you Beth. ... > placed a strong password on the 'sa' account?) ... Your SQl Service itself shouldn't be running as a ... (SQL Agent requires more, but not SQL Server). ...
      (microsoft.public.sqlserver.security)
    • Re: SQL 2000 Server gets hacked
      ... Thank you Beth. ... > placed a strong password on the 'sa' account?) ... Your SQl Service itself shouldn't be running as a ... (SQL Agent requires more, but not SQL Server). ...
      (microsoft.public.sqlserver.security)
    • Re: Microsoft Search service cannot be administered under the present user error SP3
      ... - Have not modified Administrator account, but i ran the SQL script anyway. ... SQL account is not a local administrator. ... > has this server ever been upgrade from SQL Server 7.0 or is this SQL ...
      (microsoft.public.sqlserver.server)