implemented the SQL server bastion inf from the W2K3 security guide and I
have an issue logging in with a member of the local administrators group. I
guess the lookup of group membership is somehow disabled. Does anyone know
the setting that allows this?
Thank you
|||I'm not sure what you mean by:
"I guess the lookup of group membership is somehow disabled. Does anyone know
the setting that allows this?"
The account that starts the MSSQLServer doesn't need to be an admin account.
What account are you logging into the machine with?
What NT groups does it belong to?
Are you referring to Group Membership contained in Logins?
Thanks,
Kevin McDonnell
Microsoft Corporation
This posting is provided AS IS with no warranties, and confers no rights.|||Thanks for your reply,
The local admin on the server (W2K3) does not have an SQL login individually
but does have one due to its membership of the BUILTIN\ADMINISTRATORS
group. Logging in to the server does not grant me access to SQL server (EM,
QA). When I log in with a local account created as the service account for
SQL server and that is a member of the BUILTIN\ADMINISTRATORS and also has
an individual mapping to an SQL server login, it works just fine. So somehow
Windows can't figure out and tell SQL server that the local admin account is
a member of the BUILTIN\ADMINISTRATORS group. The only problem I have with
this reasoning is that if Windows can't tell SQL server that, how come it
knows it's the local admin for the machine? Purely on the SID so that it
doesn't even bother looking up the group memberships ...? The error I get
is as follows:
"Login failed for user '(null)'. Reason: Not associated with a trusted SQL
Server connection."
The user is 'null', so that means that Windows could not pass the
authentication through and the failure is occurring in Windows, not SQL
Server.
So my guess is that there is an issue with the Security Account Manager
Service or another security related service or a registry setting in the
.inf file of the W2K3 security guide. I've noticed that some user right
assignments that are necessary for SQL server to work had to be enabled
(log on as a service etc ...) but I'm still looking for a solution for this
one. Funny thing is, we normally would remove the BUILTIN\ADMINISTRATORS
from SQL server but I first want to figure out the reason for this behaviour.
Best regards
"Kevin McDonnell [MSFT]" <kevmc@.online.microsoft.com> wrote in message
news:ty$5a2nvDHA.2332@.cpmsftngxa07.phx.gbl...
> I'm not sure what you mean by:
> "I guess the lookup of group membership is somehow disabled. Does anyone know
> the setting that allows this?"
> The account that starts the MSSQLServer doesn't need to be an admin account.
> What account are you logging into the machine with?
> What NT groups does it belong to?
> Are you referring to Group Membership contained in Logins?
>
> Thanks,
> Kevin McDonnell
> Microsoft Corporation
> This posting is provided AS IS with no warranties, and confers no rights.
|||Hi John,
///
-from prev thread-
"Login failed for user '(null)'. Reason: Not associated with a trusted SQL
Server connection."
The user is 'null', so that means that Windows could not pass the
authentication through and the failure is occurring in Windows, not SQL
Server.
///
Exactly. What I would check first is to see if the client has any aliases
defined. You can review this using
the Client Network Utility or check the local registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo
You should have an entry that says: DSQUERY: REG_SZ: DBNETLIB
If there are any others, remove them and retest.
If that still doesn't work, try forcing a Named Pipe connection, by
creating one alias specifying Named Pipes.
Hope this helps
Thanks,
Kevin McDonnell
Microsoft Corporation
This posting is provided AS IS with no warranties, and confers no rights.
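
The alias check described in the reply above, as an added example that is not part of the original thread: a read-only PowerShell listing of the ConnectTo values that marks anything other than the expected DSQUERY = DBNETLIB entry for review. It assumes PowerShell 3.0 or later on the client; the function name Get-SqlClientAlias, the WOW6432Node path (the 32-bit registry view on 64-bit Windows) and the network-library name table are additions not mentioned in the thread.

```powershell
# Added example (not from the thread): audit SQL Server client aliases.
# Read-only; nothing is changed or removed.

# Key named in the thread, plus the 32-bit view on 64-bit Windows (assumption).
$AliasKeys = @(
    'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\MSSQLServer\Client\ConnectTo'
)

# Network library prefixes that can appear at the start of an alias value.
$NetLibs = @{
    'DBNETLIB' = 'Default network library'
    'DBNMPNTW' = 'Named Pipes'
    'DBMSSOCN' = 'TCP/IP'
    'DBMSLPCN' = 'Shared Memory'
    'DBMSRPCN' = 'Multiprotocol (RPC)'
}

function Get-SqlClientAlias {
    param([string[]]$Path = $AliasKeys)

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }   # key absent: no aliases there
        $key = Get-Item -LiteralPath $p
        foreach ($name in $key.GetValueNames()) {
            $raw = [string]$key.GetValue($name)
            # Alias values look like "<netlib>,<target>"; DSQUERY is just "<netlib>".
            $lib, $target = $raw -split ',', 2
            $protocol = if ($NetLibs.ContainsKey($lib)) { $NetLibs[$lib] } else { 'Unknown' }
            [pscustomobject]@{
                Key      = $p
                Name     = $name
                NetLib   = $lib
                Protocol = $protocol
                Target   = $target
                # Only the entry the thread says should exist counts as expected.
                Review   = -not ($name -eq 'DSQUERY' -and $raw -eq 'DBNETLIB')
            }
        }
    }
}

Get-SqlClientAlias | Sort-Object Review -Descending |
    Format-Table Name, NetLib, Protocol, Target, Review, Key -AutoSize
```

Rows with Review set to True are the extra aliases the reply suggests removing before retesting.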