Solved

Windows authentication to SQL involving mutliple domains

Posted on 2014-01-16
4
323 Views
Last Modified: 2014-01-25
In a nutshell we have a windows user account from one domain (userdomain) using remote desktop of an app server in a different domain (appdomain). The user then attempts to Windows authenticate to a SQL server (appdomain) on the same domain as the app server but gets a message saying "account is from an untrusted domain and cannot be used with windows authentication."

The user account has permissions in the target SQL server and can be connected to directly from the user's PC (userdomain) via windows authentication.

The app server and target SQL server are Windows 2003 standard edition, the SQL server being SQL 2005 standard edition.

The connection attempts are via ODBC using the "sql server" driver.

There is another SQL server (SQL 2008 ent) on windows 2008R2 Enterprise (appdomain) which can be connected to via windows authentication from the app server remote desktop. Also, if the user account uses remote desktop onto the windows 2008R2 server, it can then successfully windows authenticate to the original SQL server. With this and the PC connection, it seems to imply that the relevant forest/domain trusts are in place and that the issue is around the target SQL server in some way.



The SQL server service is running as a domain account.  There are SPNs for the SQL server , when I do :   setspn  -L" appdomain\SQLServiceAccount" I get:
MSSQLSVC/hostname:1433
MSSSQLSVC/hostname.appdomain: 1433  
MSSQLSVC/hostname
MSSSQLSVC/hostname.appdomain  


NB. users which are  in appdomain i.e. the same as the app server and the sql server can connect to the SQL server from  remote desktop on the app server without issue.
0
Comment
Question by:HoricePlant
  • 3
4 Comments
 
LVL 18

Expert Comment

by:x-men
ID: 39785641
check the "trust for delegation" property on AD

more at:
http://technet.microsoft.com/en-us/library/cc961952.aspx
0
 

Author Comment

by:HoricePlant
ID: 39785760
Is this delegation? I didn't think this use of ODBC was delegation but just windows authentication. If nothing has specifically been anabled for delegation, and this is delegation, I'm not sure why it is able to connect to a different server (the SQL 2008 enterprise server). Users of the same domain as the app server & sql server work fine with no delegation options set.
Could you please clarify what makes this a delegation issue?

Regards.
0
 

Accepted Solution

by:
HoricePlant earned 0 total points
ID: 39794066
Resolved:  This came down to a Local security setting on the client:
 Network Security : LAN Manager authentication level

The client was set to 'NTLM response only'. Changing this to 'Send NTLMv2 response only' allowed the account to connect to all SQL servers. I believe this may be down the user domain DC having the 'SendNTLMv2 response only. Refuse LM & NTLM' , whereas the Appdomain DC was 'Send NTLM response only'
0
 

Author Closing Comment

by:HoricePlant
ID: 39808405
The comment I posted was the resolution. There were no other replies\comments that could be accredited to this.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
This article runs through the process of deploying a single EXE application selectively to a group of user.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question