elsteef
asked on
Connecting to SQL database application from a trusted domain
Hi all,
We have merged two companies. The companies are on unique domains.
I have set up a two-way trust between domains. SID filtering is enabled.
I have a SQL application on domain ABC.com that I need to access from domain XYZ.com. The application has its own authentication method and is not AD integrated.
SQL authentication is set to "mixed" mode.
I can access the application from the computers that are on the ABC.com domain.
I cannot access the application from the XYZ.com domain.
It appears the domain users are mapped to a SQL user named "coexecutive".
When I attempt to log in from XYZ.com I get an error that says "Error: Unable to retrieve company information. Login Failed for user 'coexecutive'. {InformationalException}".
I get a matching error in SQL that says "Login failed for user 'coexecutive'. Reason: Password did not match for that login provided."
I joined a laptop to the ABC.com domain. I connected it to the XYZ.com network. I am able to log in to the application.
This tells me it is not a port or IP setting issue. It must be a security issue.
If I log in to the same laptop with a local account, I get the same error when connecting to DB.
Any thoughts as to how to allow the users in the XYZ.com domain access to the SQL database?
I've read some posts that say to create a local SQL user and map the domain users to that account. I have not been able to come up with steps to make that happen.
Thanks,
Steve
How does the application authenticate? Using SQL Server or Windows integrated (SSPI)?
ASKER
I believe it is using SQL Server Authentication. If I open SSMS, the only Domain accounts I see are the domain admin account, NTauthority\System, NT Service\MSSQLServer and NT Service\SQLServeragent.
All other accounts are SQL accounts.
When it's SQL Server auth, then it is imho a firewall, or an additional routing from the secondary domain is necessary.
ASKER
Thanks Ste5an.
As a point of clarification. If I take a computer that is joined to the same domain as the SQL server and put it on my network (and my IP scheme) I can connect to the SQL server without any issues. If I log on to that same laptop as a local user rather than a domain user, I get the same error.
It's definitely a security issue between domains ABC.com and XYZ.com. I'm just not clear on what would cause that issue.
Do you know of any default security settings that get populated to computers on the same domain? Maybe it's an issue of manually giving Domain XYZ those same security settings?
ASKER
A little follow-up information.
I have physical access to the SQL server that is hosting the application on Domain ABC.
I took my laptop from Domain XYZ and physically connected it to the same switch as the SQL server. I still get the same error message. Keep in mind this laptop is joined to the XYZ domain.
I also set up a firewall exception on the SQL server to allow all traffic, just to be sure it wasn't an oddball firewall issue.
Steve
Another possibility would be some logon trigger checking the account name.
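Checks a DBA could run on the ABC.com SQL Server instance to test the ideas raised in this thread (an added example, not part of any poster's reply). It assumes the login name `coexecutive` taken from the error message and a session with sysadmin rights on the instance.

```sql
-- Added example; 'coexecutive' is the login name quoted in the thread's error.

-- 1. Is 'coexecutive' a SQL login, and what state is it in?
--    A row here means it is a SQL-authenticated login, so domain trust
--    and SID filtering play no part in validating its password.
SELECT  name,
        is_disabled,
        is_policy_checked,
        is_expiration_checked,
        modify_date,
        LOGINPROPERTY(name, 'IsLocked')         AS is_locked,
        LOGINPROPERTY(name, 'IsExpired')        AS is_expired,
        LOGINPROPERTY(name, 'BadPasswordCount') AS bad_password_count,
        LOGINPROPERTY(name, 'BadPasswordTime')  AS last_bad_password
FROM    sys.sql_logins
WHERE   name = 'coexecutive';

-- 2. Failed-login lines for that login in the current error log.
--    Each match carries the reason text and the [CLIENT: ...] address,
--    so attempts from XYZ.com machines can be compared with ABC.com ones.
--    A password mismatch is logged as error 18456, state 8.
EXEC sp_readerrorlog 0, 1, 'Login failed', 'coexecutive';

-- 3. Server-level logon triggers, with their source text.
--    A connection rejected by a logon trigger is logged as error 17892
--    ("Logon failed for login ... due to trigger execution"), not 18456.
SELECT  t.name,
        t.is_disabled,
        t.create_date,
        t.modify_date,
        m.definition
FROM    sys.server_triggers        AS t
JOIN    sys.server_trigger_events  AS e ON e.object_id = t.object_id
LEFT JOIN sys.server_sql_modules   AS m ON m.object_id = t.object_id
WHERE   e.type_desc = 'LOGON';
```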