Access SQL Server over Network using System Account


Michael Paulus

I'm trying to use integrated security to access a
Microsoft SQL 2000 database from a .NET windows service
I'm creating. I've tried everything to get the service
to access the SQL Server database on a remote server but
it won't while running under the SYSTEM account. I've
added the Domain Computers group to the users in SQL
server and then granted read / write access for that
group to the specific database. I get an error message -

Error Number:5
Error Description:Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

I can copy files across the network to that server using
the system account but cannot figure out why SQL server
won't allow the logon. Any help would be appreciated.
 
Hi Michael,

The Windows SYSTEM account is a local account whose credentials might not
be able to be passed to the remote computer. So the service cannot log in to
SQL Server. In this case, you can try the following workarounds:

1. Use SQL authentication instead of Windows NT integrated authentication.

2. Create a domain account, and grant access to this account on SQL server.
Use this account to access the SQL server with Windows NT integrated
authentication.

If anything is unclear, please feel free to reply to the post.

Kevin Yu
=======
"This posting is provided "AS IS" with no warranties, and confers no
rights."

 
What I'm unclear about is that I can use the system
account to access "files" over the network just fine
because the computer (system) account is stored in the
active directory so I can add the computer account to the
NTFS security and shared security to allow the system
account to transfer files. What I'm confused about is
when trying to access SQL server the credentials get
changed to anonymous.
 
Hi Michael,

Sorry that I misunderstood your question. Since "Domain Computers" is a
domain group, I think you can access SQL server by adding this group to the
SQL user list. Please check the following to make sure that you're
accessing SQL server with this account.

1. Open this service and click "Log On" tab. Make sure that the option
button "Local System account" is selected.

2. Check the SQL server user list to see if the Domain Computers group has
been added and has enough privilege to access certain databases.

3. Open SQL Profiler (add all the Security Audit events in the Events tab)
to monitor the SQL server, and start the service on the local machine. You
will see which user is actually logged on to the server in the trace window.

If that still cannot resolve the problem, would you provide me with more
information on the above? I will be glad to help.

Kevin Yu
 
You have to use the FQDN in the Data Source field of the connection string
in order for Kerberos authentication to work. Else I think authentication
will fall back to NTLM...
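
A small check that ties the replies above together, added here as an example and not code posted by anyone in the thread: it expands the server name to its FQDN for the Data Source field, connects with integrated security, and asks the server which login it actually sees. The server name `SQLHOST01`, the database name `AppDb` and the helper `ToFqdnDataSource` are placeholders chosen for illustration.

```csharp
using System;
using System.Data.SqlClient;
using System.Net;
using System.Security.Principal;

static class LoginIdentityCheck
{
    // Expand a short host name to the DNS name the resolver reports,
    // keeping any "\instance" suffix intact. (Hypothetical helper.)
    static string ToFqdnDataSource(string dataSource)
    {
        int slash = dataSource.IndexOf('\\');
        string host = slash < 0 ? dataSource : dataSource.Substring(0, slash);
        string instance = slash < 0 ? "" : dataSource.Substring(slash);
        if (host.IndexOf('.') >= 0) return dataSource; // already qualified, or an IP literal
        return Dns.GetHostEntry(host).HostName + instance;
    }

    static int Main(string[] args)
    {
        // Placeholder defaults; pass the real server and database as arguments.
        string server = args.Length > 0 ? args[0] : "SQLHOST01";
        string database = args.Length > 1 ? args[1] : "AppDb";

        var csb = new SqlConnectionStringBuilder();
        csb.DataSource = ToFqdnDataSource(server);
        csb.InitialCatalog = database;
        csb.IntegratedSecurity = true; // Windows authentication, no password in the string
        csb.ConnectTimeout = 10;

        Console.WriteLine("Process identity : " + WindowsIdentity.GetCurrent().Name);
        Console.WriteLine("Data Source      : " + csb.DataSource);
        try
        {
            using (var conn = new SqlConnection(csb.ConnectionString))
            using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
            {
                conn.Open();
                // SUSER_SNAME() returns the login name of the current session.
                Console.WriteLine("Login seen by SQL: " + cmd.ExecuteScalar());
                return 0;
            }
        }
        catch (SqlException ex)
        {
            // The message names the login the server rejected, e.g. the
            // 'NT AUTHORITY\ANONYMOUS LOGON' reported in the first post.
            Console.WriteLine("Login failed (" + ex.Number + "): " + ex.Message);
            return 1;
        }
    }
}
```

Run it under the same account the service uses and compare the reported login with the logins that were granted access on the server.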
 