Ok, one physical server running Hyper-V. One VM is for the SQL 2016 DB. Another VM is for the web based application that talks to the DB. A third VM that is used as the file server. All files are stored on the file server.
The file location that needs to be bulk inserted is shared with the DB Service Accounts (currently set to specifically made domain accounts - one for each service).
The file can't be imported - access is denied. I've tried setting the share to Everyone - still doesn't work. I even changed the Security Policy to allow Anonymous users the same permissions as Everyone - still doesn't work.
I don't know how to go about this Delegation method so not sure what to do there.
What else can I do to get a simple file to import into a DB?
Have you enabled kerberos? If the connection is coming in as Anonymous, dosent it mean that the connection is using NTLM and its a double hop issue?
Related
The Plan
Have HR personnel dump an Excel file of payroll Job Titles to a network share, add that file as a Linked Server in SSMS, use those titles in my ASP.Net web forms. Using a Linked Server instead of importing data to allow HR to update the Job Titles file at their discretion.
The Problem
I can create the Linked Server and query it without issue, so long as I'm in SSMS with Windows Authentication. But, if I try to access the linked server using a SQL account, I first get the error:
Access to the remote server is denied because no login-mapping exists (Error 7416)
The SQL account being used is the same account my web forms use for everything else. The fact that this SQL account doesn't have file permissions isn't surprising though, so an adjustment to the Linked Server's security should do the trick.
The Problem (part 2)
To reduce the number of variables, I moved the Excel file so it's on the same machine as my SQL Server. I'm logged into the machine and logged into SSMS with my domain admin account.
I access the Linked Server's security tab and, to try and cast the widest net possible, I leave the local login (top part) blank and head straight to "Be made with this security context:" and proceed to provide my domain admin credentials. I hit OK, and I get the following:
Not a valid account name or password (Error 7399)
I know the account name and password are good, so what gives?
Other Things
Folks who've ran into similar things have been instructed to change the logon account being used for the SQL Server service, which I've done using my domain admin account (for troubleshooting, atm). This did not fix the problem.
This is what the Linked Server code looks like, although I created it via the GUI (included for sake of completeness):
EXEC master.dbo.sp_addlinkedserver #server = N'ADP_TITLES', #srvproduct=N'', #provider=N'Microsoft.ACE.OLEDB.12.0', #datasrc=N'C:\JOB_TITLE_EXPORT.xlsx', #provstr=N'Excel 12.0 Xml'
EXEC master.dbo.sp_addlinkedsrvlogin #rmtsrvname=N'ADP_TITLES',#useself=N'False',#locallogin=NULL,#rmtuser=N'DOMAIN\username',#rmtpassword='########'
The solution appears to be entering "admin" for the remote login, and leave the password blank.
This only works, however, if the file is stored locally. If it's on the network, I still get a 7399 error, but instead of saying the issue is the account name/password, it now says the issue is unspecified.
I can make my project work with a local file though. Since I'll be moving forward with that, I have no need to solicit additional answers.
I'm just in the process of trying to properly configure asp.net 4.5 on our IIS servers.
I have been able to navigate and launch an ASPX page that contains no data conenctions sucessfully so I know that the application pool authentication to the local directories is working as it should.
Now though I have a seperate SQL server that is connected to the domain and have a connection string stored in the code that connects the ASPX page to the server using a trusted connection. When running in visual studio debug mode, the connection works fine - but at that point I assume it is using my login credentials.
My question is, when a user calls the aspx page via the browser when hosted on the new IIS7 server, which account is used to call the SQL server when using a trusted connection? - Is it the end users or is it a local account from the IIS server?
When I call a page with data connections embedded I get the error: Login failed for user ADMIN\PCNAME$ ... which is an indication that this is the account that it is using. However this account doesn't exist on the domain that I'm aware of. - Or does it ?!
Thanks in advance,
It will use the account that ASP.NET is running under, as you've worked out. What you usually should do is create a Domain Account (with the right privileges) and run your ASP.NET AppPool under that account. Then a Trusted Connection will use that account for connecting to the database, and as long as you've given it access (which as a Domain Account you can do) it should all work.
Added:
After some back and forth on comments, lets go back to the start: set the new AppPool to run with the domain users account, and recycle the AppPoolo. What is it that says the password is wrong? If it's IIS trying to start the AppPool, then it is extremeny likely that the Password you gave the AppPool IS wrong, or else that the password is set to change on first logon.
If its not IIS, but opening a Database connection, are you sure that the database allows this Domain Account access to the database and the tables within it it will need? What roles have you assigned to this account? Also, what SQL statement is it trying to execute (if it's got far enough to try and execute a statement at all)?
I suggest you put any response in you original question - comments get to be a drag if there are too many of them.
I'm trying to drag and drop a file from my desktop to my local MSSQLSERVER shared folder/directory used for filestream files. Everytime I do so, I receive the following Windows error - "You need permission to perform this action."
I feel like I've tried everything under the sun to resolve this, from adding users and groups to the share's permission list (and granting full access) -- all the way to adjusting permission settings in SQL Server (for the database and individual filetable).
My local MSSQLServer service is logged on as a network account and I'm trying to drag/drop with my windows authenticated account. I've tried modifying so the service so it's logged on by a windows auth account, restarted, but still no luck there.
Any thoughts?
Thanks
You tried to enable the "Allow remote clients to have streaming access to FILESTREAM data" in SQL Server Configuration Manager | SQL Server Services | SQL Server (MSSQLSERVER) | FILESTREAM?
Tried to change the ownership Filestream Access Level:
EXEC sp_configure filestream_access_level, 2
RECONFIGURE
(0 - disabled, 1 - T-SQL access enabled and 2 - full access enabled [including access via windows explorer].)
(http://lennilobel.wordpress.com/2010/12/12/sql-server-2008-filestream-part-2-of-3-enabling-and-using-filestream-2/)
PS: Sorry for my english.
In Windows Server 2003 SP2, I have removed all users (Anonymous Users, Authenticated Users, Everyone etc) under Component Services > Computers > My Computer > Properties > COM Security > Edit Limits.
After that, I couldn't access the server via remote desktop and terminal services also fails. I can still access it via VNC but when I attempt to open Component Services > Computers, the window stops responding.
Is there any way that I can restore COM permissions to their default settings at least? Or is there a way to enable access to the properties window so I can set it myself?
Thank you for your help.
Ianthe
=== Update: DCOMPERM.EXE ===
I found that the dcomperm.exe file that can alter permissions via the command line. It works on my local machine. My problem now is how to copy it over to the Win2k3 server since network services (netlogon etc) fails to start.
The idea I have right now is to access the Win2k3's VM hard disk and copy the file over. I have yet to find a way to do that.
If you guys have a better way, I hope you don't mind helpin.
Thanks again!
I found that the dcomperm.exe that can alter permissions via the command line. It works on my local machine. Please note that netlogon service also fails to start due to the permissions. I wasn't able to transfer the file through shared folder.
A workaround I did, is use subversion to transfer the file. Commit-Checkout/Update...
After I reset the permissions, the Component Services window worked as per normal.
I have trouble accessing filestream via SqlFileStream. Sql server and IIS7 are on different servers, remote access to Filestream is enabled. Workgroup for both servers is the same.
I've tried everything, including opening user with identical username/passwords on both servers. Didn't work.
Dim sqlFileStream As New SqlTypes.SqlFileStream(filePath, txContext, IO.FileAccess.Read)
I have both filePath and context.
However, when I open server via explorer logged on locally as Administrator, I also get access denied if I try to acesss this share. Any ideas?
Can permissions for this share be edited at all?
The solution to this problem is to have user with same credentials on both sql server machine and IIS machine. Also, application pool identity must be running with these credentials, and connection string must be set to integrated security.
To edit permissions for this share you edit permissions on this table, as the documentation clearly states (funny how this clearly comes to you only after tenth time reading it):
In SQL Server, FILESTREAM data is secured just like other data is secured: by granting permissions at the table or column levels. If a user has permission to the FILESTREAM column in a table, the user can open the associated files.
"Integrated Security = True;" in connection string