Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 356
  • Last Modified:

Windows authentication to SQL involving mutliple domains

In a nutshell we have a windows user account from one domain (userdomain) using remote desktop of an app server in a different domain (appdomain). The user then attempts to Windows authenticate to a SQL server (appdomain) on the same domain as the app server but gets a message saying "account is from an untrusted domain and cannot be used with windows authentication."

The user account has permissions in the target SQL server and can be connected to directly from the user's PC (userdomain) via windows authentication.

The app server and target SQL server are Windows 2003 standard edition, the SQL server being SQL 2005 standard edition.

The connection attempts are via ODBC using the "sql server" driver.

There is another SQL server (SQL 2008 ent) on windows 2008R2 Enterprise (appdomain) which can be connected to via windows authentication from the app server remote desktop. Also, if the user account uses remote desktop onto the windows 2008R2 server, it can then successfully windows authenticate to the original SQL server. With this and the PC connection, it seems to imply that the relevant forest/domain trusts are in place and that the issue is around the target SQL server in some way.



The SQL server service is running as a domain account.  There are SPNs for the SQL server , when I do :   setspn  -L" appdomain\SQLServiceAccount" I get:
MSSQLSVC/hostname:1433
MSSSQLSVC/hostname.appdomain: 1433  
MSSQLSVC/hostname
MSSSQLSVC/hostname.appdomain  


NB. users which are  in appdomain i.e. the same as the app server and the sql server can connect to the SQL server from  remote desktop on the app server without issue.
0
HoricePlant
Asked:
HoricePlant
  • 3
1 Solution
 
x-menIT super heroCommented:
check the "trust for delegation" property on AD

more at:
http://technet.microsoft.com/en-us/library/cc961952.aspx
0
 
HoricePlantAuthor Commented:
Is this delegation? I didn't think this use of ODBC was delegation but just windows authentication. If nothing has specifically been anabled for delegation, and this is delegation, I'm not sure why it is able to connect to a different server (the SQL 2008 enterprise server). Users of the same domain as the app server & sql server work fine with no delegation options set.
Could you please clarify what makes this a delegation issue?

Regards.
0
 
HoricePlantAuthor Commented:
Resolved:  This came down to a Local security setting on the client:
 Network Security : LAN Manager authentication level

The client was set to 'NTLM response only'. Changing this to 'Send NTLMv2 response only' allowed the account to connect to all SQL servers. I believe this may be down the user domain DC having the 'SendNTLMv2 response only. Refuse LM & NTLM' , whereas the Appdomain DC was 'Send NTLM response only'
0
 
HoricePlantAuthor Commented:
The comment I posted was the resolution. There were no other replies\comments that could be accredited to this.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

NEW Internet Security Report Now Available!

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out this quarters report on the threats that shook the industry in Q4 2017.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now