[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Windows authentication to SQL involving mutliple domains

Posted on 2014-01-16
4
Medium Priority
?
341 Views
Last Modified: 2014-01-25
In a nutshell we have a windows user account from one domain (userdomain) using remote desktop of an app server in a different domain (appdomain). The user then attempts to Windows authenticate to a SQL server (appdomain) on the same domain as the app server but gets a message saying "account is from an untrusted domain and cannot be used with windows authentication."

The user account has permissions in the target SQL server and can be connected to directly from the user's PC (userdomain) via windows authentication.

The app server and target SQL server are Windows 2003 standard edition, the SQL server being SQL 2005 standard edition.

The connection attempts are via ODBC using the "sql server" driver.

There is another SQL server (SQL 2008 ent) on windows 2008R2 Enterprise (appdomain) which can be connected to via windows authentication from the app server remote desktop. Also, if the user account uses remote desktop onto the windows 2008R2 server, it can then successfully windows authenticate to the original SQL server. With this and the PC connection, it seems to imply that the relevant forest/domain trusts are in place and that the issue is around the target SQL server in some way.



The SQL server service is running as a domain account.  There are SPNs for the SQL server , when I do :   setspn  -L" appdomain\SQLServiceAccount" I get:
MSSQLSVC/hostname:1433
MSSSQLSVC/hostname.appdomain: 1433  
MSSQLSVC/hostname
MSSSQLSVC/hostname.appdomain  


NB. users which are  in appdomain i.e. the same as the app server and the sql server can connect to the SQL server from  remote desktop on the app server without issue.
0
Comment
Question by:HoricePlant
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 18

Expert Comment

by:x-men
ID: 39785641
check the "trust for delegation" property on AD

more at:
http://technet.microsoft.com/en-us/library/cc961952.aspx
0
 

Author Comment

by:HoricePlant
ID: 39785760
Is this delegation? I didn't think this use of ODBC was delegation but just windows authentication. If nothing has specifically been anabled for delegation, and this is delegation, I'm not sure why it is able to connect to a different server (the SQL 2008 enterprise server). Users of the same domain as the app server & sql server work fine with no delegation options set.
Could you please clarify what makes this a delegation issue?

Regards.
0
 

Accepted Solution

by:
HoricePlant earned 0 total points
ID: 39794066
Resolved:  This came down to a Local security setting on the client:
 Network Security : LAN Manager authentication level

The client was set to 'NTLM response only'. Changing this to 'Send NTLMv2 response only' allowed the account to connect to all SQL servers. I believe this may be down the user domain DC having the 'SendNTLMv2 response only. Refuse LM & NTLM' , whereas the Appdomain DC was 'Send NTLM response only'
0
 

Author Closing Comment

by:HoricePlant
ID: 39808405
The comment I posted was the resolution. There were no other replies\comments that could be accredited to this.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question