RayBakker
asked on
VB.NET, Kerberos and SQL Server.
Greetings
In our test environment we are having an issue with an internal VB.NET application where members of an AD group are being prompted to re-enter their credentials. I have gone over the configuration of the IIS server with Microsoft and it is correct.
On a whim I asked our DBAs to add this group to the database SQLServer and give it exclude permissions. The issue was resolved. However, this group is not needed for the Production database on SQL Server. Production is working fine.
Why?
Any insight would be greatly appreciated.
"However this group is not needed for the Production database on SQL Server" - in my opinion, most likely that AD group already has the permissions as part of some other larger group, or perhaps a different set of credentials is used to connect to SQL by the VB.NET code in the production segment.
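A way to check both possibilities raised in this answer, as an added example that is not part of the original thread: run the script as a sysadmin on the test and the production instance and compare the output. `CONTOSO\jdoe`, `CONTOSO\AppUsers`, `AppDb` and `dbo.usp_Example` are placeholder names (assumptions), to be replaced with an affected user, the AD group, the application database and one of its stored procedures.

```sql
-- Added example; all object and account names below are placeholders.

-- 1. Which identity does the application actually connect with, and how?
--    Shows whether sessions arrive as the end user or a service account,
--    and whether they authenticated with KERBEROS or NTLM.
SELECT s.login_name, s.program_name, s.host_name, c.auth_scheme
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s ON s.session_id = c.session_id
WHERE s.is_user_process = 1
ORDER BY s.login_name;

-- 2. Through which Windows group(s) does the affected user get a login?
--    The "permission path" column names the group that grants access.
EXEC xp_logininfo @acctname = N'CONTOSO\jdoe', @option = 'all';

-- 3. Which members does this instance resolve for the AD group?
EXEC xp_logininfo @acctname = N'CONTOSO\AppUsers', @option = 'members';

-- 4. Impersonate the user, list the group tokens SQL Server sees in the
--    database, and test the effective EXECUTE permission on one procedure.
USE AppDb;
EXECUTE AS LOGIN = N'CONTOSO\jdoe';
SELECT name, type, usage FROM sys.user_token;
SELECT HAS_PERMS_BY_NAME(N'dbo.usp_Example', 'OBJECT', 'EXECUTE') AS can_execute;
REVERT;

-- 5. Every EXECUTE grant or deny on objects in the database, per principal.
--    A difference between test and production here explains why one
--    environment needs the extra group and the other does not.
SELECT pr.name AS principal_name, pr.type_desc, pe.state_desc,
       OBJECT_SCHEMA_NAME(pe.major_id) + N'.' + OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1 AND pe.permission_name = N'EXECUTE'
ORDER BY pr.name, object_name;
```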
ASKER
Icohan
Thank you for your response. You are correct that there is a group that everyone is a member of, and the group is indeed added to the database's security > users. The group does have exclude on all the stored procedures. Is there anything else I should check?
ASKER
Icohan
Sorry, let me clarify. You mention in your first comment that there may be an account that is giving them the permission they need on the production database. I was just confirming that there is another account on the production database.
The short answer is that production and test are exactly the same, except that I added the one group to test that resolved the issue that I was having on test that I do not have on production.
Does that help clarify?
Well, you say that "The short answer is that production and test are exactly the same", however... you also say that "I was just confirming that there is another account on the production database.", so in my opinion, and proven by what you did in test, the environments are different and the access is NOT in the test unless you add the AD group to SQL, right?
It is impossible otherwise - meaning that they are indeed exactly the same but one works and one doesn't. Alternatively...are both Production and Test environments on the same domain? Sometimes they are not and you'll need a "domain level trust" set for the AD to work on "non-trusted" domains.
ASKER
Icohan
The "other account" is on both test and production and it does have execute permission on both. This is the base AD group that all accounts are a member of.
So, when you said there may be another account, this is the only other account on the databases.
Does that help?
Thanks
Ray