May 20, 2003 at 9:08 am
The SQL Server computer account is what may be fried. This is just a stab. When I say administrator, I mean the Windows administrator account.
You know, before going down that road, let me ask these questions:
(1) If you have Terminal Services on the SQL Server computer, can anyone log in using a domain account (the domain account must be a member of the local Administrators group)?
(2) Can anyone successfully map to the network shares (by default C$, etc., that are accessible by administrators, to include domain admins)?
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1
K. Brian Kelley
@kbriankelley
May 20, 2003 at 9:30 am
(1)Yes, I’ve Terminal Services installed. And Yes, I can log in with my Domain Account (It’s also a Local Admin on the SQL Server Computer)
(2)Yes I can easily map to the system network share c$, d$,..
Did you have already succeeded put in place, what I'm trying to do?
May 20, 2003 at 9:44 am
At this point, I'm scratching my head. The system is handling authentication just fine... this would seem to indicate that there's a potential problem with SQL Server, one I've not seen before.
When you try and log on to the SQL Server using QA and using Windows authentication, are you able to log in (you're in the local Administrators group, so your account should have rights via the BUILTIN\Administrators group)?
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1
K. Brian Kelley
@kbriankelley
May 20, 2003 at 10:23 am
Sorry for your head 😉
Yes I’m able to connect to the server by “BUILTIN\Administrators” but I remove it for security reason.
I can also connect to a DB of the SQL Server if I set some right to a Domain User like “Domain\Richard”. All the permission is set in the sysmembers table. But It only works for a signle user, or a Local Group and not with Domain Group.
To give you more details about my test: I try is to connect with SQL Query Analyser with a normal Domain user to a DB of one of my SQL Server (connected on the same domain). He’s not at all an admin of anything. If I set the access with Domain\Name, it works but not with Domain Group.
May 20, 2003 at 12:07 pm
Sounds like for whatever reason it can't enumerate the groups. Unless someone else has an idea, this sounds like a PSS call to Microsoft.
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1
K. Brian Kelley
@kbriankelley
May 21, 2003 at 12:49 am
Thanks for your help bkelley.
The exact error that I have when a member of the group try to connect is:
“Unable to Connect to server xxx
Server: Msg 18456, Level 16, State 1
[Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user ‘Domain\Name’”
Do you have put in place the same structure than me: Domain Group with NT Authentification on several computers in the same domain?
I ask you this question because I can only test this problem on the office domain. I have no else structure like this. At this moment I haven’t meet or discuss with somebody who try exactly the same thing. I try to determine if it’s a SQL Server configuration problem, or domain configuration problem or policy problem.
If somebody could try the same test than me, it will be great:
- Normal user, SQL Server Computer, and domain computer are on the same domain but on 3 different computers.
- On the domain (with active directory) we create a group of user with our normal user.
- Normal user and Domain group has no windows access on the SQL Server computer
- Domain Group has only a public access to a DB on SQL Server. The DB by default is the DB where the group has access 🙂
If everything is in place, the user tries to connect with SQL Query analyzer to the SQL Server. For the moment I have always the error list at the beginning of this mail.
May 21, 2003 at 2:10 am
To give you more information somebody give me this link:
But in my case, when I try to “Add GlobalGroup to SQLLocalGroup”, he can’t find the GlobalGroup on the SQL Server Computer.
I’ve already thought about this possibility, but here, I can’t ‘force’ the login.
May 27, 2003 at 2:56 am
Now I’ll see with our network admin to install a new domain with the default parameters and try to see the domain group on the SQL Server computer.
Anyway, many thanks to everybody to help me.
Viewing 8 posts - 16 through 22 (of 22 total)
You must be logged in to reply to this topic. Login to reply