August 1, 2005 at 12:36 pm
Can Windows Authentication be used against a remote SQL Server instance when the client and server machines participate in a WorkGroup rather than a Domain? I haven't had any luck with this though I can't find a resource that explicitly says it won't work. Would it make a difference if it was an MSDE instance vs. a SQL Server instance? Thanks. Will
Will Dougherty
August 1, 2005 at 12:58 pm
I doubt that Windows Authentication against a workgroup will work. You need to be authenticated against an NT domain or an AD.
From Books Online:
'A user's network security attributes are established at network login time and are validated by a Windows domain controller.'
August 1, 2005 at 4:06 pm
I believe so, however the same username and password combination would have to exist on both ends.
August 2, 2005 at 1:33 am
Windows Authentication can be used, but the same username and password must be present on both the client and server machines (and have permissions to SQL Server of course).
Julian Kuiters
juliankuiters.id.au
August 2, 2005 at 1:41 am
August 2, 2005 at 9:58 am
Not having much luck with that. I'm using the ASPNET user account on both sides. I assume since the ASPNET login was automatically installed as part of the same software installation that the password is the same.
I added the LOCALSERVER\ASPNET login id to the database instance and (just for the experiment) gave it every possible authority.
Still getting: System.Data.SqlClient.SqlException: Login failed for user '(null)'. Reason: Not associated with a trusted SQL Server connection.
Any other suggestions except: "Don't do that"?
Will Dougherty
August 2, 2005 at 8:13 pm
The ASPNet service will have a random login generated at install, so both machines will be different. The ASPNet login probably doesn't have network access either, so wouldn't be allowed to connect to another machine. I wouldn't give the ASPNet account direct access to the SQL Server. I don't have any references I can point you to, but you can configure the IIS website to use a different Windows account which you can manage the username/password of to make sure it's the same on both boxes.
Julian Kuiters
juliankuiters.id.au
August 12, 2005 at 10:17 am
I've just tried performing remote db access in a workgroup setting and found that setting up user accounts on both client and server machines with identical passwords did not work.
I tried logging in using osql as the client and here's what I got:
osql -SSERVERMACH -E
Login failed for user 'SERVERMACH\Guest'.
The strange part is that I was logged in as 'CLIENTMACH\jasona' on the client machine, so I'm not sure why it was trying to log me in as Guest on the server.
After adding a Guest login to SQL Server and Guest user to the database, both osql and my C#/Crystal Reports app were able to log in successfully.
Is this the behaviour we should expect in a Workgroup setting? Has anyone else done this successfully using local windows accounts?
August 12, 2005 at 10:48 am
I think the first response post from Chris is the right one. It makes sense to me that local account SERVERMACHINE\JoeBlow is not the same user as local account CLIENTMACHINE\JoeBlow. Domains (from my somewhat limited knowledge) are all about managing resources at a (subset of the) NETWORK level. When you sign on to a Domain, you can be at any machine and you're identified as the same user account.
I tried the other suggestions and ended up giving up on Windows authentication in a WorkGroup environment (unless IIS and SQL Server share a machine and ALWAYS will).
Will
Will Dougherty
August 25, 2005 at 9:38 pm
JasonA,
I currently do not have access to any machines that are not on Active Directory, but could it be that you are using Windows XP and need to enable the Classic security model? I have just been reading about this today here http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prdd_sec_givt.asp and from another post about using Windows Authentication with MSDE 2000 without a Domain.
Your example seems to support that because you attempted to log in using CLIENTMACH\jasona and were expecting to have it use SERVERMACH\jasona but got SERVERMACH\Guest instead.
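The checks discussed in this thread, as an added T-SQL example that is not from any of the posters: it shows which Windows identity SQL Server mapped a trusted connection to, then replaces the Guest login workaround with a named local account. SERVERMACH\jasona follows the names used in the posts; the database name ReportsDb and the db_datareader role choice are hypothetical. It assumes the server has been switched to the Classic model (registry value forceguest = 0 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) and that a jasona account with the same password exists on both machines.

```sql
-- Added example, not from the thread. SQL Server 2000 / MSDE 2000 syntax.
-- Assumptions: ReportsDb is a hypothetical database name; the account names
-- follow the posts above.

-- Step 1: run over the trusted connection (osql -S SERVERMACH -E) to see
-- which Windows identity the server mapped this session to. Under the XP
-- "Guest only" model every network logon with a local account arrives as
-- SERVERMACH\Guest; under the Classic model it should be SERVERMACH\jasona.
SELECT  SUSER_SNAME()        AS mapped_login,
        RTRIM(p.nt_domain)   AS nt_domain,
        RTRIM(p.nt_username) AS nt_username,
        RTRIM(p.hostname)    AS client_host
FROM    master.dbo.sysprocesses AS p
WHERE   p.spid = @@SPID;
GO

-- Step 2: as a sysadmin, grant the named local account a login and a
-- least-privilege database user instead of relying on Guest.
EXEC sp_grantlogin N'SERVERMACH\jasona';
GO
USE ReportsDb;
GO
EXEC sp_grantdbaccess N'SERVERMACH\jasona', N'jasona';
EXEC sp_addrolemember N'db_datareader', N'jasona';
GO

-- Step 3: remove the Guest workaround. While a Guest login exists, anyone
-- the server maps to SERVERMACH\Guest gets into SQL Server with no
-- credentials of their own.
-- Assumption: the database user was created under the name guest; use the
-- name it was actually created with.
USE ReportsDb;
GO
EXEC sp_revokedbaccess N'guest';
GO
EXEC sp_revokelogin N'SERVERMACH\Guest';
GO
```

Re-running the Step 1 query after Step 3 confirms the session now maps to the named account; a "Login failed for user 'SERVERMACH\Guest'" at that point means the server is still in Guest-only mode.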