Solved

Windows authentication to SQL involving mutliple domains

Posted on 2014-01-16
4
327 Views
Last Modified: 2014-01-25
In a nutshell we have a windows user account from one domain (userdomain) using remote desktop of an app server in a different domain (appdomain). The user then attempts to Windows authenticate to a SQL server (appdomain) on the same domain as the app server but gets a message saying "account is from an untrusted domain and cannot be used with windows authentication."

The user account has permissions in the target SQL server and can be connected to directly from the user's PC (userdomain) via windows authentication.

The app server and target SQL server are Windows 2003 standard edition, the SQL server being SQL 2005 standard edition.

The connection attempts are via ODBC using the "sql server" driver.

There is another SQL server (SQL 2008 ent) on windows 2008R2 Enterprise (appdomain) which can be connected to via windows authentication from the app server remote desktop. Also, if the user account uses remote desktop onto the windows 2008R2 server, it can then successfully windows authenticate to the original SQL server. With this and the PC connection, it seems to imply that the relevant forest/domain trusts are in place and that the issue is around the target SQL server in some way.



The SQL server service is running as a domain account.  There are SPNs for the SQL server , when I do :   setspn  -L" appdomain\SQLServiceAccount" I get:
MSSQLSVC/hostname:1433
MSSSQLSVC/hostname.appdomain: 1433  
MSSQLSVC/hostname
MSSSQLSVC/hostname.appdomain  


NB. users which are  in appdomain i.e. the same as the app server and the sql server can connect to the SQL server from  remote desktop on the app server without issue.
0
Comment
Question by:HoricePlant
  • 3
4 Comments
 
LVL 18

Expert Comment

by:x-men
ID: 39785641
check the "trust for delegation" property on AD

more at:
http://technet.microsoft.com/en-us/library/cc961952.aspx
0
 

Author Comment

by:HoricePlant
ID: 39785760
Is this delegation? I didn't think this use of ODBC was delegation but just windows authentication. If nothing has specifically been anabled for delegation, and this is delegation, I'm not sure why it is able to connect to a different server (the SQL 2008 enterprise server). Users of the same domain as the app server & sql server work fine with no delegation options set.
Could you please clarify what makes this a delegation issue?

Regards.
0
 

Accepted Solution

by:
HoricePlant earned 0 total points
ID: 39794066
Resolved:  This came down to a Local security setting on the client:
 Network Security : LAN Manager authentication level

The client was set to 'NTLM response only'. Changing this to 'Send NTLMv2 response only' allowed the account to connect to all SQL servers. I believe this may be down the user domain DC having the 'SendNTLMv2 response only. Refuse LM & NTLM' , whereas the Appdomain DC was 'Send NTLM response only'
0
 

Author Closing Comment

by:HoricePlant
ID: 39808405
The comment I posted was the resolution. There were no other replies\comments that could be accredited to this.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question