I set the “Impersonation Level” to four possible values in SSAS connection string and like to test whether it impersonate the windows user.
I made changes in "Data Source Impersonation Info" to “ImpersonateAccount” in SQL Server Management Studio as well
So I logged into another user account in my system, unfortunately I could able to connect with my cube from both the user accounts.
Please help me to achieve impersonation using SSAS connection string.
Example:
string connectionString = #"Data Source=””; Initial Catalog=Adventure Works DW; Provider=SSAS; Impersonation Level=Impersonate";
Thanks in advance.
Regards,
Felix Merlin B
Related
I've been searching everywhere but it seems as nobody has my problem. I recently created an Azure SQL Database and I have not had luck at all with figuring out what to do with the error 18456. I Many times I've seen the "Just right click the database and go to properties and security" but there is no security. In fact there seem to be a lot of things I don't have when I right click. I barely know anything about any of this though, so I've tried quite a few things. At one point I thought I needed to use the sample adventure works. but that wasn't it. So I'd be really grateful if anyone helped.
[SSMS Version: 16.4.1]
[Azure SQL Database: Server Version 12]
Picture of my properties menu in SSMS(SQL Server Management Studio)
]
Picture of my right click
]
Your error is common, but the way you solve it on-premise or using virtual machines (Infrastructure-as-a-Service, IaaS) is different than how you would solve it for Windows Azure SQL Database (WASD). WASD is a Platform-as-a-Service version of SQL Server. The SQL Instance is logical, so you have to change some of your thought processes. One of the chief ways you'll need to change your thought processes is in how you manage your SQL Databases.
When you're in WASD and you create a database, you're asked to create an administrative username and password. Using that account you can deploy the schema of your database as well as SQL Authenticated Users and permissions. You don't have permission to change the instance's authentication types, that's why you don't see an option for security when you right-click on the instance name and choose properties.
The following steps are how you would create a new LOGIN to allow this new user to authenticate to the virtual instance. After you've created a LOGIN, you then need to create a database USER for this LOGIN. With this USER, you can then assign permissions for what this USER can and cannot do.
Adding Logins for your Windows Azure SQL Database
A few notes before we get started. In the following code anything in angle brackets (< and >) mean this is a variable you can change. So would be the username you want to create for your Entity-Framework application. would be the password you want to use for your .
Use your administrative credentials to connect to your instance. This account has permissions to control everything about your database. When you connect, you should find that by default you've connected to the master database on that instance. If not, use the drop-down at the top of SSMS to change to master. "USE master" will not work.
From this connection, the following T-SQL will create your Entity-Framework's username and password.
CREATE LOGIN [<username>] WITH PASSWORD = '<password>';
At this point, if you were to try and connect to the virtual instance with this and , you could connect to your virtual instance, but not any database on this virtual instance. Your error message would say something like:
The server principal "" is not able to access the database
"" under the current security context....
You need to take at least one more step before this user can connect to your user database.
Now, from that same SSMS script window, change the database to the user database () you're granting access to. This will be the database you want your Entity-Framework application to use. Remember, use the drop-down at the top.
First we will create a database user for the login created in the previous step.
CREATE USER [<username>] FOR LOGIN <username>
Then, we will allow this to connect to your user database , the database you want the Entity-Framework application to use.
GRANT CONNECT TO [<username>]
At this point, your new username can log in to the virtual instance and connect to your user database.
Now, you will need to add any other permissions this user will need. For example, if your will only need read permissions, you could get away with adding the user to the db_datareader database role. Add those permissions now.
Special note about connection and connection strings
Your user is now setup to connect to your user database. That means in SSMS if you try and connect with your Entity-Framework user, there is an extra step to your connection dialog box. Before you click Connect, you have to hit the Options button.
Since your user cannot hit master, you have to tell SSMS you want to connect to the user database first and avoid hitting master. By default, SSMS will try to connect to your SQL instance's master database first.
You have to enter the name of the database in the "connect to database" entry. After you've entered the database, you can then hit connect.
I'll guess that in your application it already had the "Default Catalog=" value set to your user database, and you were able to connect. Setting this value in options is like setting that "Default Catalog=" value.
I hope this helps you in breaking into WASD a little more.
EDITS: attempting to add clarity to the differences between IaaS SQL Server instances and PaaS Windows Azure SQL Database. I previously missed the FOR LOGIN clause on the CREATE USER statement.
I am using classic asp and trying to access to a remote sql server.
Even though I am specifing which database is default, connection is trying to access another database and yes, user does not have access to it.
I double check user properties where the default database is correctly set and mapped. Here is my connecting string..
Driver={SQL Server};Server=1.1.1.1\SQL2005;Initial Catalog=DEFAULTDB;UID=XXXX;PWD=XXXX
We sorted it out. DBA told me that while using X database, the trigger is using another database too. So we had to authorize for that database and problem was solved.
Thank you for your contribution.
I am a bit new to this VB.NET application stuff. I currently try to develop a application using Microsoft Visual Basic. Net with Remote SQL Server 2005.
In my application include user login using Username and Password. The application will use from many branches. Every branch have their own Username and Password. I create User Master table in SQL Server Database with SLN, User_name, Password, Branch, Note fields.
Now I want to design a VB.Net Form in my application where I can get all Username and Branch login status in a DataGridView like....
Header - *Branch Username Status*
Value - Kolkata U00001 Logged
How can I get this? If any senior vb.net developer or expert solve the same i will be very thanks full to him. Thanking you.
Here is some SQL to extract the current users:
select distinct DB_NAME(dbid),loginame, dbid
FROM sys.sysprocesses
where [dbid] not in(0,1,4) -- exclude list
Note there are two levels of security in SQL Server - SQL Security and "Integrated" security. The latter uses the windows login, SQL Security is managed by you within SQL Server. It looks like you intend to add an SQL user/login named for the branch with a defined password that everyone in the branch will use. Not a great idea IMO. You can use integrated security and add each windows user to SQL server and then add the SQL users to security groups to control access to the SQL objects. This would require each user to authenticate with your windows servers first locally before they can connect to the remote server.
I'd highly recommend you upgrade to at least SQL Server 2008 R2.
I am currently encountering the following error when I try to specify a datasource from SSRS to SQL Server db (2008) using "credentials that are stored securely in the server" - this is specified as a windows account "s2\killian" with the option to "impersonate the authenticated user after a connection has been made" checked.
Msg 15157, Level 16, State 1, Line 1
Setuser failed because of one of the following reasons: the database principal 's2\killian' does not exist, its corresponding server principal does not have server access, this type of database principal cannot be impersonated, or you do not have permission.
Obviously this method of impersonation uses the SetUser() function behind the scenes and the MSDN documentation states that dbowner permissions are required in order to use this function. However I am getting the above error when using dbowner. I am not in a position to use sysadmin because of security policy.
Does anyone know how to get this mechanism of authentication and impersonation working without assigning sysadmin priveleges on the SQL Server database to the windows account used by the SSRS data source.
Is there a way of getting SetUser() to work without sysadmin priveleges?
Thanks
Killian
The clue is "the database principal 's2\killian' does not exist"
Any connection uses context change on the database side (eg SETUSER, EXECUTE AS etc) requires that the impersonated user exists in sys.server_principals and/or sys.database_principals.
Assuming you use an AD group, not individual logins, then this will cause the same error as above. Outside of any permissions. If you are db_owner, then you can impersonate at the database level. If you can't, then it's because of the previous paragraph.
I've always thought that this is an idiotic option for SSRS to have. MSDN says it uses SETUSER which is also deprecated. Ideally, you'd impersonate before connection which is possible for asp.net apps but don't know for SSRS (which is an asp.net app of course)
Sorry for lack of "do this and it works" answer...
I have been able to confirm as well that you must have Sysadmin rights to run the SETUSER function which appears to be the mechanism leveraged by SQL reporting services when "Impersonate the authenticated user after connecting" option is chosen.
MSDN's documentation for SETUSER mentions this but makes it sound like it should also be possible to run this function as just a db_owner but I have not gotten reporting services to work with an account that only has db_owner and I have not even been able to run setuser manually under an account that only has db_owner. The only way I have gotten it to work is with sysadmin privileges.
Using SQL Server 2005
I have the server connection name as (server1) in windows authentication mode, I want to change windows authentication mode to sql server authentication mode...
when i try to change sql server authentication mode with username = sa & password = sa, it showing error...
How to change the authentication mode or how to create a new sql connection?
Please post your connection string or have a look at http://www.connectionstrings.com/
Without seeing your connection string, it is difficult to help you, however, judging from what you have said, the problem appears to be in the way you are setting credentials. It should be:
Data Source=<servername>;Initial Catalog=<database name>;User Id=sa;Password=<password>;
Not "username=". Note that I have removed any reference to "Trusted_Connection=yes" or "Integrated Security=SSPI". Btw, did you really need to run your app in the context of sa? If this app really needs to do sysadmin stuff, I would recommend creating a user specifically for that (or an Application Role) so that you can restrict what account can do if necessary.
Did you configure your server to allow SQL authentication? Check by opening SQL Server Management Studio (SSMS), right click your server, choose properties -> security and look at the radio buttons under "Server authentication".
Also, are you sure the password for the account sa is sa?
User name sa its the default name ..........no need to give username ........I think u r mistaken in the password field(password asks two times)
u may need to give the password as "a" (password asking two times ,give the same password)
It may work