Is it possible to login using Nt Authentication by manually typing "Domain\login" on the login prompt?

  • Is it possible to login using Nt Authentication by manually typing "Domain\login" on the login prompt?

    I'm trying to prove to my boss that this is not possible but he insists on investigating further.

    So for example we would like to use a shared domain login. Meaning from any workstation (like my coworkers') I can easily log in to SQL Server by specifying a different domain login from the login prompt like this: "Domain\login".

    Is this possible? Please let me know if you need further explanation.

    Thanks in advance.

    -SteveV

  • What login prompt, EM/isql? You would need to log out and back into Windows to log in as this domain user. You could create a global group, add your co-workers to this group, and then add this global group to the MS SQL Servers you want access to.

  • From EM. We are trying to avoid logging out of the domain to use another account. Thanks for the reply. I'll look into the Group suggestion.

    SteveV

  •   To log in to SQL Server as another NT-authenticated user:

      1.  Find EM, Query Analyzer, etc. shortcut icon.

      2.  Shift+right-click the icon

      3.  Select 'Run as...'

      4.  Provide user/pass/domain info

      The app will run as the user specified in #4.

      Important - The RunAs service must be started on the machine for this to work.

    -Eddie

    Eddie Wuerch
    MCM: SQL

  • Yes, this is possible using the runas.exe.

    In a command shell window, run the below and replace aausa\carl.federl with the appropriate domain login.

    runas /user:aausa\carl.federl isqlw.exe

    Regarding "we would like to use a shared domain login", do you realize that this means you will not be able to track who performed a particular activity, since everything will be logged under the shared domain login? This means that you will not be in compliance with the Sarbanes-Oxley Act and also HIPAA, if you are in the health industry.

    Your auditors will probably write up your company for being non-compliant.

    P.S.

    I am currently documenting an approach to remove all shared accounts or to at least have the password unknown to the DBAs.

    A better practice is to have individual accounts and allow ease of privilege granting:

    Create a domain group.

    Assign the members to the group.

    Grant the rights to the group such as SQL Server system administrator.

    When everything is working, disable all generic accounts.

    Confirm everything is still working and then remove the generic accounts.

    SQL = Scarcely Qualifies as a Language
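The group-based steps listed in the post above, sketched in T-SQL as an added example that is not part of any poster's reply. `DOMAIN\SQL_DBAs` and `DOMAIN\shared_dba` are hypothetical names, and the script uses the older system procedures that match the tools in this thread (EM, isqlw); newer versions express the same thing with `CREATE LOGIN ... FROM WINDOWS`.

```sql
-- Added example. DOMAIN\SQL_DBAs (the domain group) and DOMAIN\shared_dba
-- (the generic account being retired) are hypothetical placeholders.

-- 1. Grant the Windows group a login and the server role it needs.
--    Membership is then managed in the domain, not on each SQL Server.
EXEC sp_grantlogin 'DOMAIN\SQL_DBAs';
EXEC sp_addsrvrolemember 'DOMAIN\SQL_DBAs', 'sysadmin';

-- 2. Review which accounts currently get access through the group.
EXEC master..xp_logininfo 'DOMAIN\SQL_DBAs', 'members';

-- 3. Run this while connected as a group member. The session is identified
--    by the individual's own DOMAIN\user name, not the group name, which is
--    what keeps activity attributable to a person.
SELECT SUSER_SNAME()               AS connected_as,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 4. When group access is working, block the generic account first.
--    A denied login overrides any access the account might inherit,
--    so this is reversible by granting the login again.
EXEC sp_denylogin 'DOMAIN\shared_dba';

-- 5. After confirming nothing depended on the generic account, remove it.
EXEC sp_revokelogin 'DOMAIN\shared_dba';
```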

  • Thanks for everyone's input. I believe utilizing NT Groups will address our needs including SOX related issues.

    SteveV
