Link to home
Create AccountLog in
Avatar of RayBakker
RayBakkerFlag for Canada

asked on

VB.NET, Kerberos and SQL Server.

Greetings

In our test environment we are have an issue with an internal VB.NET application were members of an AD group are being prompted to re-enter their credentials. I have gone over the configuration of the IIS server with Microsoft and it is correct.

On a whim I asked our DBAs to add this group to the database SQLServer and give it exclude permissions. The issue was resolved. However this group is not needed for the Production database on SQL Server. Production is working fine.

Why?

Any insight would greatly be appriciated.
Avatar of lcohan
lcohan
Flag of Canada image

"However this group is not needed for the Production database on SQL Server" - in my opinion most likely that AD group has already the permissions as part of some other larger group perhaps or maybe a different set of credentials are used to connect to SQL by the VB.NET code in the production segment.
Avatar of RayBakker

ASKER

Icohan

Thank you for your response. You are correct that there is a group that everyone is a member of and the group is indeed added to the database's security > users. The group does have exclude on all the store procedures. Is there anything else I should check?
ASKER CERTIFIED SOLUTION
Avatar of lcohan
lcohan
Flag of Canada image

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Icohan

Sorry, let me clarify. You mention in your first comment that their may be an account the is giving them the permission they need on the production database. I was just confirmation that there is another account on the production database.

The short answer is that production and test are exactly same, except that I added the one group to test that resolved the issue that I was having on  test that I do not have on production.

Does that help clarify?
Well you say that "The short answer is that production and test are exactly same" however...you also say that "I was just confirmation that there is another account on the production database." so in my opinion and proven by what you did in test the environments are different and the access is NOT in the test unless you add the AD group to SQL right?
It is impossible otherwise - meaning that they are indeed exactly the same but one works and one doesn't. Alternatively...are both Production and Test environments on the same domain? Sometimes they are not and you'll need a "domain level trust" set for the AD to work on "non-trusted" domains.
Icohan

The "other account" is on both test and production and it does have execute permission on both. This is the base ad group.that all accounts are a member of.

So, when you said there maybe another account this is the only other account on the databases.

Does that help?

Thanks

Ray