Solved

Windows authentication to SQL involving multiple domains

Posted on 2014-01-16
Medium Priority
335 Views
Last Modified: 2014-01-25
In a nutshell we have a windows user account from one domain (userdomain) using remote desktop of an app server in a different domain (appdomain). The user then attempts to Windows authenticate to a SQL server (appdomain) on the same domain as the app server but gets a message saying "account is from an untrusted domain and cannot be used with windows authentication."

The user account has permissions in the target SQL server and can be connected to directly from the user's PC (userdomain) via windows authentication.

The app server and target SQL server are Windows 2003 standard edition, the SQL server being SQL 2005 standard edition.

The connection attempts are via ODBC using the "sql server" driver.

There is another SQL server (SQL 2008 ent) on windows 2008R2 Enterprise (appdomain) which can be connected to via windows authentication from the app server remote desktop. Also, if the user account uses remote desktop onto the windows 2008R2 server, it can then successfully windows authenticate to the original SQL server. With this and the PC connection, it seems to imply that the relevant forest/domain trusts are in place and that the issue is around the target SQL server in some way.



The SQL server service is running as a domain account. There are SPNs for the SQL server; when I do: setspn -L "appdomain\SQLServiceAccount" I get:
MSSQLSVC/hostname:1433
MSSSQLSVC/hostname.appdomain: 1433
MSSQLSVC/hostname
MSSSQLSVC/hostname.appdomain


NB: users who are in appdomain, i.e. the same domain as the app server and the SQL server, can connect to the SQL server from remote desktop on the app server without issue.
0
Comment
Question by:HoricePlant
4 Comments
 
LVL 18

Expert Comment

by:x-men
ID: 39785641
check the "trust for delegation" property on AD

more at:
http://technet.microsoft.com/en-us/library/cc961952.aspx
0
 

Author Comment

by:HoricePlant
ID: 39785760
Is this delegation? I didn't think this use of ODBC was delegation but just windows authentication. If nothing has specifically been enabled for delegation, and this is delegation, I'm not sure why it is able to connect to a different server (the SQL 2008 enterprise server). Users of the same domain as the app server & sql server work fine with no delegation options set.
Could you please clarify what makes this a delegation issue?

Regards.
0
 

Accepted Solution

by:
HoricePlant earned 0 total points
ID: 39794066
Resolved:  This came down to a Local security setting on the client:
 Network Security : LAN Manager authentication level

The client was set to 'Send NTLM response only'. Changing this to 'Send NTLMv2 response only' allowed the account to connect to all SQL servers. I believe this may be down to the user domain DC having 'Send NTLMv2 response only. Refuse LM & NTLM', whereas the Appdomain DC was 'Send NTLM response only'.
0
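The resolution above, as an added PowerShell example that is not code from the thread or its posters: it maps the LmCompatibilityLevel values behind the "LAN Manager authentication level" policy, checks the client-versus-DC combinations the poster describes (a client at "Send NTLM response only" fails against a userdomain DC that refuses LM & NTLM, because pass-through authentication for a cross-domain account ends up at that DC), and asks SQL Server whether a Windows login actually negotiated Kerberos or NTLM. 'hostname' and the DC level passed in are assumptions.

```powershell
# Added example, not from the thread. Reads the local LAN Manager authentication
# level, predicts whether NTLM pass-through to a DC at a given level can succeed,
# and asks SQL Server which scheme a Windows login actually used. 'hostname' stands
# for the thread's SQL Server; the DC level is assumed known from that domain's policy.

$LmLevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # $null means the value is absent and the OS default applies.
    $item = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    [int]$item.LmCompatibilityLevel
}

function Test-NtlmCompatibility {
    param([ValidateRange(0,5)][int]$ClientLevel, [ValidateRange(0,5)][int]$DcLevel)
    # Client levels 0-2 send an NTLM (v1) response, 3-5 send NTLMv2. A DC at 5
    # refuses LM and NTLMv1; level 4 refuses LM only, so an NTLMv1 response still passes.
    [pscustomobject][ordered]@{
        Client   = "$ClientLevel ($($LmLevelNames[$ClientLevel]))"
        DC       = "$DcLevel ($($LmLevelNames[$DcLevel]))"
        Succeeds = ($ClientLevel -ge 3) -or ($DcLevel -lt 5)
    }
}

function Get-SqlAuthScheme {
    # Connects with the caller's Windows credentials and reports KERBEROS or NTLM
    # for this session from sys.dm_exec_connections.
    param([string]$Server)
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$Server;Integrated Security=SSPI"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        $cmd.ExecuteScalar()
    } finally { $conn.Dispose() }
}

Write-Host "Local LmCompatibilityLevel: $(Get-LmCompatibilityLevel)"
Test-NtlmCompatibility -ClientLevel 2 -DcLevel 5   # the thread's failing combination
Test-NtlmCompatibility -ClientLevel 3 -DcLevel 5   # the combination after the fix
Get-SqlAuthScheme -Server 'hostname'
```

Reading sys.dm_exec_connections requires VIEW SERVER STATE on the instance; an NTLM result on a connection that should be Kerberos is the cue to re-check the SPNs listed in the question.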
 

Author Closing Comment

by:HoricePlant
ID: 39808405
The comment I posted was the resolution. There were no other replies/comments that could be accredited to this.
0
