May 20, 2009 at 4:55 pm
Hi Folks,
This question might seem a bit weird, so apologies if it doesn't make sense. I have recently been getting spammed by developers they can't connect to Development servers. Checking the permissions on servers nothing has changed and they are part of AD group (Group1) that has access to these servers. But they keep getting permissions denied; looking further into it, Group1's Group type in AD is set to Distribution; so I found a group (Group2) that has AD group type of Security and gave that Group Access to the SQL Server. User has been able to login without issues...
My issue is why did Group1 stopped working? Talking to AD guys they say the type is for exchange servers; in backend of AD they are both groups. Reading on AD site it states I can't grant DACLs on Distributed Group types; does that extend to SQL Server now in a recent patch? We did apply windows patching recently; only article I can find that reflect this is:
.... http://support.microsoft.com/kb/957097/
The suggestion in this article, I cannot try without authorization from higher ups; so thats on wait. But wanted to know if anyone else has run into similar issues recently?
Thanks.
Mohit.
Mohit K. Gupta, MCITP: Database Administrator (2005), My Blog, Twitter: @SQLCAN[/url].
Microsoft FTE - SQL Server PFE
* Some time its the search that counts, not the finding...
* I didn't think so, but if I was wrong, I was wrong. I'd rather do something, and make a mistake than be frightened and be doing nothing. :smooooth:[/font]
May 21, 2009 at 3:28 pm
No one has this issue?
I have registered SPN for the SQL Server service and can confirm that all accounts are using Kerberos; but it still does not work when I use groups that are set as Distribution type.
Only work around I can find is using a group that is of type Security; but I will have to change alot of permissions. So I would like to get handle of why it stopped working out of the blue...
If any one has even any comments I'll take it...
Thanks.
Mohit.
Mohit K. Gupta, MCITP: Database Administrator (2005), My Blog, Twitter: @SQLCAN[/url].
Microsoft FTE - SQL Server PFE
* Some time its the search that counts, not the finding...
* I didn't think so, but if I was wrong, I was wrong. I'd rather do something, and make a mistake than be frightened and be doing nothing. :smooooth:[/font]
May 21, 2009 at 5:28 pm
So the access used to work with people being members of Group1?
Are you sure it wasn't through some other method that got revoked?
I'm not enough of an AD guru to know if there's an issue. I might experiment, if you can. Add a new AD group similar to Group 1, add a new, small user, add it to SQL Server to some test database. See if that works.
May 22, 2009 at 8:56 am
HI Steve,
Thanks for the suggestion; I am not sure what other factors can affect SQL Server authentication. As you said neither am I AD guru; talking to the AD guys they don't see anything that can cause this. Group1 was wroking fine until the about 2 weeks ago; now I can only authenticate with Group2.
I try to get another group created with same type to see if that has any affect...
Thanks.
Mohit.
Mohit K. Gupta, MCITP: Database Administrator (2005), My Blog, Twitter: @SQLCAN[/url].
Microsoft FTE - SQL Server PFE
* Some time its the search that counts, not the finding...
* I didn't think so, but if I was wrong, I was wrong. I'd rather do something, and make a mistake than be frightened and be doing nothing. :smooooth:[/font]
May 26, 2009 at 10:14 am
I talked to the AD guy he can't figure out how it worked with Distribution AD Group types to begin with; since it is working with Security AD Group type, I am not spending much more time on figuring this out.
Thanks for suggestion Steve.
Mohit.
Mohit K. Gupta, MCITP: Database Administrator (2005), My Blog, Twitter: @SQLCAN[/url].
Microsoft FTE - SQL Server PFE
* Some time its the search that counts, not the finding...
* I didn't think so, but if I was wrong, I was wrong. I'd rather do something, and make a mistake than be frightened and be doing nothing. :smooooth:[/font]
May 26, 2009 at 10:24 am
Sorry I couldn't be more help. My guess is the distr group is a bug in AD/SQL somewhere.
May 27, 2009 at 4:48 pm
Not a problem sir; I just was pulling my hair out thinking someone pulling a prank on me or something...
Heh, I welcome your thought and opinion. Thank-you again sir.
Mohit.
Mohit K. Gupta, MCITP: Database Administrator (2005), My Blog, Twitter: @SQLCAN[/url].
Microsoft FTE - SQL Server PFE
* Some time its the search that counts, not the finding...
* I didn't think so, but if I was wrong, I was wrong. I'd rather do something, and make a mistake than be frightened and be doing nothing. :smooooth:[/font]
Viewing 7 posts - 1 through 6 (of 6 total)
You must be logged in to reply to this topic. Login to reply