Channel: SQL Server Security forum

Managed Service Accounts


My question is a two-parter:

1. I would like to understand better why MSA accounts can't be used in a SQL Cluster configuration.

2. Can MSA accounts be used when you're using Availability Groups and SQL Always On?

Thank you in advance for the assistance.

Mark


SQL Server Password Policy


Hello! 

I'd like to know where I can grab a screenshot or retrieve the password policy that is in place for the SQL logins. Does it use the Windows password policy? We use SQL logins.

Where can I get this info? A sql script or a screenshot would do.

Thanks

Shruti
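An added example, not part of Shruti's post. SQL Server keeps no password policy of its own for SQL logins: when CHECK_POLICY is on it validates passwords against the Windows password policy in effect on the host (local security policy, or the domain policy applied to that machine), so the numeric rules (length, complexity, lockout, maximum age) are read from Windows, while the catalog records only which logins are subject to the policy and their current state. The script below reports exactly that per login; the login name in the commented ALTER LOGIN is a placeholder.

```sql
-- Added example (not from the forum post). Per-login password-policy state
-- as SQL Server records it. The policy values themselves come from the
-- Windows security policy of the host and are not stored in SQL Server.
SELECT
    l.name,
    l.is_disabled,
    l.is_policy_checked,          -- 1: Windows password policy enforced for this login
    l.is_expiration_checked,      -- 1: password expiry enforced as well
    LOGINPROPERTY(l.name, 'IsLocked')            AS is_locked,
    LOGINPROPERTY(l.name, 'IsExpired')           AS is_expired,
    LOGINPROPERTY(l.name, 'IsMustChange')        AS must_change,
    LOGINPROPERTY(l.name, 'BadPasswordCount')    AS bad_password_count,
    LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS password_last_set,
    LOGINPROPERTY(l.name, 'DaysUntilExpiration') AS days_until_expiration
FROM sys.sql_logins AS l
WHERE l.name NOT LIKE '##%'       -- skip the internal certificate-based logins
ORDER BY l.is_policy_checked, l.name;

-- The usual finding: SQL logins created with CHECK_POLICY = OFF, which the
-- Windows policy never touches.
SELECT name
FROM sys.sql_logins
WHERE is_policy_checked = 0
  AND name NOT LIKE '##%';

-- Bringing such a login back under the policy (placeholder name). The
-- existing password is not re-validated; only future changes are.
-- ALTER LOGIN [app_login_placeholder] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
```

The first result set is the "screenshot" equivalent for an audit: one row per SQL login with the policy and expiry flags and the lockout/expiry state. To see the numeric values being enforced, look at the host's local security policy (secpol.msc or net accounts), since that is what SQL Server consults.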

TDE Encryption_State = 2 and Percent 0%, stuck in State 2 – Encryption in Progress


Hi

When I run the command ALTER DATABASE AmirDB SET ENCRYPTION ON,

it is stuck in state 2 - Encryption in Progress,

and when I run ALTER DATABASE AmirDB SET ENCRYPTION OFF

I get this error:

Msg 33109, Level 16, State 1, Line 25
Cannot disable database encryption while an encryption, decryption, or key change scan is in progress.
Msg 5069, Level 16, State 1, Line 25
ALTER DATABASE statement failed.

and when I restart SQL Server, the database AmirDB shows (Recovery Pending).

Please help.

thanks


Corrupted database encryption key (TDE)


I am doing some testing of utilizing our EKM for encrypting our databases with TDE, but I am running into a strange error, where the database encryption key is corrupted when it is created.  We are currently using Safenet on SQL Server 2014 Enterprise. Here are all of the steps that were performed as recommended by their documentation:

CREATE CRYPTOGRAPHIC PROVIDER safenetSQLEKM FROM FILE = 'C:\SQLEKM\safenetsqlekm.dll';
CREATE CREDENTIAL TestEKMCred WITH IDENTITY = 'TestEKM', SECRET = '<password>' FOR CRYPTOGRAPHIC PROVIDER safenetSQLEKM;
ALTER LOGIN SA ADD CREDENTIAL TestEKMCred;
CREATE ASYMMETRIC KEY EKMLoginKey FROM PROVIDER safenetSQLEKM WITH PROVIDER_KEY_NAME = 'TestEKMAKey', CREATION_DISPOSITION = OPEN_EXISTING;
CREATE CREDENTIAL TestEKMTDECred WITH IDENTITY = 'TestEKM', SECRET = '<password>' FOR CRYPTOGRAPHIC PROVIDER safenetSQLEKM;
CREATE LOGIN SafeNetEKM FROM ASYMMETRIC KEY EKMLoginKey;
ALTER LOGIN SafeNetEKM ADD CREDENTIAL TestEKMTDECred;   -- login name assumed to be SafeNetEKM, the login created by the previous statement

CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<password>';
CREATE DATABASE TestEKM;
USE TestEKM;
CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER ASYMMETRIC KEY EKMLoginKey;


Although I do not receive any error output or see any errors in the event log, in Profiler I see the following error generated:

Database encryption key is corrupted and cannot be read.

If I attempt to enable encryption on the database, it will set the state to Encrypting, with a progress of 0% forever.

Has anyone seen this kind of error, or used Safenet for TDE?  Or any EKM for that matter - I am not finding a lot of online resources for this.

Thanks!

Brandon


Is MS15-058 SQL security update applicable to SQL servers running on Windows Server 2008 R2?


Hi folks,

We have several MS SQL servers, ranging from SQL Server 2008 to SQL Server 2012, and these SQL servers are running on Windows Server 2008 R2. According to the Download Center, Windows Server 2008 R2 is not in the supported operating system list. May I confirm that this security update is not applicable to SQL servers that are running on Server 2008?

https://www.microsoft.com/en-us/download/details.aspx?id=48005

https://www.microsoft.com/en-us/download/details.aspx?id=48007

Supported Operating System: Windows 7, Windows 7 Service Pack 1, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2

Invalid Login Attempts | Event ID 18456


Hi,

I am getting continuous 18456 events in my event viewer for invalid login attempts for MS SQL.

I am unable to find the exact source of the attack, but it's only connected to the LAN network and not exposed to the internet directly.

Is there any way to find the culprit?

Thanks,

Sandesh
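An added example, not part of Sandesh's post. Error 18456 is written to the SQL Server error log (and mirrored to the Windows Application log) with the client address in a [CLIENT: a.b.c.d] suffix, so the source is usually already on disk; what the log lacks is the client host name and application name, which an Extended Events session can add going forward. The file path for the session and the SQL Server 2012+ requirement for Extended Events actions are assumptions.

```sql
-- Added example (not from the forum post). Attribute error 18456 to its source.
-- (1) Pull failed logins out of the current SQL Server error log.
--     xp_readerrorlog: log number (0 = current), log type (1 = SQL Server log),
--     then two search strings that must both appear in a line.
CREATE TABLE #errlog (LogDate datetime, ProcessInfo nvarchar(100), Text nvarchar(max));
INSERT INTO #errlog (LogDate, ProcessInfo, Text)
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed', N'CLIENT';

-- (2) Parse the quoted login name and the [CLIENT: ...] suffix and rank the
--     sources. The CASE guards keep SUBSTRING from receiving a negative length
--     on lines without a quoted login name (e.g. "untrusted domain" failures).
SELECT x.client_addr, x.login_name,
       COUNT(*) AS attempts, MIN(e.LogDate) AS first_seen, MAX(e.LogDate) AS last_seen
FROM #errlog AS e
CROSS APPLY (SELECT
    CASE WHEN e.Text LIKE '%[[]CLIENT: %]%'
         THEN SUBSTRING(e.Text, CHARINDEX('[CLIENT: ', e.Text) + 9,
                        CHARINDEX(']', e.Text, CHARINDEX('[CLIENT: ', e.Text))
                        - CHARINDEX('[CLIENT: ', e.Text) - 9)
    END AS client_addr,
    CASE WHEN e.Text LIKE 'Login failed for user ''%''%'
         THEN SUBSTRING(e.Text, CHARINDEX('''', e.Text) + 1,
                        CHARINDEX('''', e.Text, CHARINDEX('''', e.Text) + 1)
                        - CHARINDEX('''', e.Text) - 1)
    END AS login_name) AS x
GROUP BY x.client_addr, x.login_name
ORDER BY attempts DESC;
DROP TABLE #errlog;

-- (3) From now on, capture every failure with the client host name and the
--     application name as well (Extended Events; path is an assumption).
CREATE EVENT SESSION failed_logins ON SERVER
ADD EVENT sqlserver.error_reported (
    ACTION (sqlserver.client_hostname, sqlserver.client_app_name,
            sqlserver.username, sqlserver.nt_username)
    WHERE error_number = 18456)
ADD TARGET package0.event_file (SET filename = N'D:\XE\failed_logins.xel')
WITH (STARTUP_STATE = ON);
ALTER EVENT SESSION failed_logins ON SERVER STATE = START;

-- (4) Read the session's file back: host, application and login per failure.
SELECT x.ev.value('(event/@timestamp)[1]', 'datetime2')                                AS event_time,
       x.ev.value('(event/action[@name="client_hostname"]/value)[1]', 'nvarchar(256)') AS client_host,
       x.ev.value('(event/action[@name="client_app_name"]/value)[1]', 'nvarchar(256)') AS app_name,
       x.ev.value('(event/action[@name="username"]/value)[1]', 'nvarchar(256)')        AS login_name,
       x.ev.value('(event/data[@name="message"]/value)[1]', 'nvarchar(max)')           AS message
FROM sys.fn_xe_file_target_read_file(N'D:\XE\failed_logins*.xel', NULL, NULL, NULL) AS f
CROSS APPLY (SELECT CAST(f.event_data AS xml) AS ev) AS x
ORDER BY event_time;
```

Run part (1) and (2) first: a single client address with a high attempt count against a fixed login name (often sa) is the usual picture, and the address is enough to find the host on a LAN. The session in (3) is for the case where the address belongs to a NAT device or a shared application server and the host and application names are needed to tell the misconfigured client from the rest.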

Access+Sql Server 2016 always encryption


Using the Always Encrypted feature to encrypt column data in SQL Server 2016.

Does Microsoft ODBC Driver 13 for SQL Server support Always Encrypted? What is the ADO connection string?

Reference: Microsoft ActiveX Data Objects 6.1

Connection string: Driver={ODBC Driver 13 for SQL Server};Server=;ColumnEncryption=Enabled;Database=;Uid=;Pwd=;

Unable to get the decrypted data.

Features of the Microsoft ODBC Driver for SQL Server on Windows: https://msdn.microsoft.com/en-us/library/jj730313.aspx

Thanks for your help!

Create Login Permissions

I am able to create my own login at the instance level, but I do not have access to create a login for another user. What type of permissions do I have? How can I check that?

Anonymous


SQL Server 2008 R2 SP3 on Windows Server 2008 R2 and MS15-058

Firewall ports to be opened so DMZ application can access database?



I found an article on this community forum,

"Ports to be opened with Windows Firewall for SQL clustered instance" (https://social.technet.microsoft.com/Forums/sqlserver/en-US/044a3bca-f4e4-48d0-b7c2-3b3bc4ccbfee/ports-to-be-opened-with-windows-firewall-for-sql-clustered-instance?forum=sqlsetupandupgrade)

which contains a link to excellent article "How you should set your firewall rules to be able to connect to a SQL Server 2005/2008 clustered instance" (https://blogs.msdn.microsoft.com/farukcelik/2008/12/05/how-you-should-set-your-firewall-rules-to-be-able-to-connect-to-a-sql-server-20052008-clustered-instance/)

But I have a follow-up question.

In my case I have Windows Server 2012 R2 failover cluster and Microsoft SQL Server 2014.

When I connect a client (10.128.134.71) using Microsoft SQL Server Management Studio to an instance located on the above clustered SQL Server, and then issue the NETSTAT command on the Windows server nodes (10.128.128.251), I can find connections to my client from high-numbered random TCP ports. How do I configure SQL to use predictable TCP ports so my firewall can be configured to allow these SSMS management ports? The following NETSTAT command was issued on the SQL Server nodes. Only one of the two nodes has any connections.

NETSTAT -AN | FIND "10.128.134.71"
TCP  10.128.128.251:135     10.128.134.71:49658  ESTABLISHED
TCP  10.128.128.251:62719   10.128.134.71:49281  TIME_WAIT
TCP  10.128.128.251:62722   10.128.134.71:49281  TIME_WAIT
TCP  10.128.128.251:62725   10.128.134.71:135    TIME_WAIT
TCP  10.128.128.251:1433    10.128.134.71:49267  ESTABLISHED

Without the FIND I can also see 

UDP  0.0.0.0:1434  *.*
(Note: the above is a test case using a domain account to connect to SSMS. In my actual real world case, the DMZ client will use a SQL login, not a domain login. Just a hunch: Does the domain login explain TCP port 135 or any of the high-numbered random ports?)


George Perkins

Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. [CLIENT: XXX.XXX.XXX.XXX]


We run a Windows Server 2012 R2 failover cluster with five nodes; each node contains multiple instances of Microsoft SQL Server 2012 SP2.

One instance is used for Microsoft SharePoint 2013 (15.0.4797.1000 SP1 CU February 2016), and it is this instance that is causing the issue, particularly over the weekend.

Our SharePoint farm is made up as follows:

1 Application Server + 2 * Web Front End servers.

SQL Server logs show:

SSPI handshake failed with error code 0x80090311, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure. No authority could be contacted for authentication.   [CLIENT: XXX.XXX.XXX.XXX]

Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. [CLIENT: XXX.XXX.XXX.XXX]

In all instances the IP addresses are a mixture of the Application Server and both Front End servers.

We have not enabled Kerberos; rather, we are running NTLM, and all SQL instances are using the same dedicated AD account for the SQL Server service and the same dedicated AD account for SQL Server Agent.

We believe we have been able to discount 'interference' from our backup solutions (Veeam for backing up VMs; Backup Exec to leverage GRT for SharePoint), as no backups were / are active at the point SQL started logging authentication issues.

Any assistance gratefully received.

Permissions to dashboard and reports


Hi,

How can I get the following?:

1. Administrators, who appear in the administrators table in SQL Server, will be able to see all data (I succeeded with that part).

2. On the other hand, users who appear under a specific column should see their specific data (rows).

For example, I have a table that has a column named "champion name". I'd like every champion to see only the data of the rows that he is assigned as champion of.

Any ideas of how I can get this done?

Thanks in advance!
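An added example, not part of the post above. It implements the two rules (administrators see everything, a champion sees only rows naming him) with Row-Level Security, which assumes SQL Server 2016 or later. The table and column names (dbo.Reports, champion_name, dbo.Administrators), the demo users and the sample rows are all constructed for the example; the champion_name column is assumed to hold the database user name of the champion.

```sql
-- Added example (not from the forum post). Row-Level Security version of
-- "admins see all rows, champions see their own rows". All names assumed.
CREATE TABLE dbo.Administrators (user_name sysname PRIMARY KEY);
CREATE TABLE dbo.Reports (
    report_id     int IDENTITY PRIMARY KEY,
    champion_name sysname NOT NULL,      -- database user name of the champion
    metric        decimal(10, 2) NOT NULL);
INSERT INTO dbo.Administrators (user_name) VALUES ('alice');
INSERT INTO dbo.Reports (champion_name, metric)
VALUES ('bob', 10), ('carol', 20), ('bob', 30);   -- constructed sample rows

-- Demo users without logins, so the example stays inside this database.
CREATE USER alice WITHOUT LOGIN;
CREATE USER bob   WITHOUT LOGIN;
GRANT SELECT ON dbo.Reports TO alice, bob;
GO
CREATE SCHEMA Security;    -- CREATE SCHEMA must be alone in its batch
GO
-- Filter predicate: a row is visible when the caller is its champion or is
-- listed as an administrator. SCHEMABINDING is mandatory for RLS predicates.
-- dbo.Administrators is read through ownership chaining, so users need no
-- direct permission on it.
CREATE FUNCTION Security.fn_report_predicate (@champion_name AS sysname)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN SELECT 1 AS fn_result
       WHERE @champion_name = USER_NAME()
          OR EXISTS (SELECT 1 FROM dbo.Administrators AS a
                     WHERE a.user_name = USER_NAME());
GO
-- Bind the predicate to the table; from here on every SELECT, UPDATE and
-- DELETE against dbo.Reports is filtered, whatever the query looks like.
CREATE SECURITY POLICY Security.ReportsPolicy
ADD FILTER PREDICATE Security.fn_report_predicate(champion_name) ON dbo.Reports
WITH (STATE = ON);
GO
-- Check: bob sees only the two rows where he is the champion,
-- alice (listed as an administrator) sees all three.
EXECUTE AS USER = 'bob';
SELECT champion_name, metric FROM dbo.Reports;
REVERT;
EXECUTE AS USER = 'alice';
SELECT champion_name, metric FROM dbo.Reports;
REVERT;
```

Two things to watch. Members of sysadmin or db_owner map to the user dbo inside the database, so either list 'dbo' in dbo.Administrators or test IS_MEMBER('db_owner') in the predicate; otherwise administrators who connect that way see no rows. And if the application connects with one shared login rather than one user per person, USER_NAME() is the same for everyone; the predicate then has to compare against a value the application sets per request, for example SESSION_CONTEXT, instead. A filter predicate hides rows but does not stop an INSERT of a row for someone else's champion; add a BLOCK PREDICATE if that matters.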

AUDIT_FAILURE(4625) with sqlservr.exe


Hi forums,

I keep finding these events in the event log of my db server. It seems to happen with a full backup task configured via SQL Server Agent.

Any ideas?

2016 Aug 09 21:00:00 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: pci-ph-msdb01.jenetwork.local: An account failed to log on. Subject:  Security ID:  S-1-5-20  Account Name:  PCI-PH-MSDB01$ Account Domain:  JENETWORK  Logon ID:  0x3e4  Logon Type:   3  Account For Which Logon Failed:  Security ID:  S-1-0-0  Account Name:    Account Domain:    Failure Information:  Failure Reason:  %%2304  Status:   0xc000040a  Sub Status:  0x0  Process Information:  Caller Process ID: 0x65c  Caller Process Name: C:\Program Files\Microsoft SQL Server\MSSQL10_50.JEMSSQLSERVER\MSSQL\Binn\sqlservr.exe  Network Information:  Workstation Name: PCI-PH-MSDB01  Source Network Address: -  Source Port:  -  Detailed Authentication Information:  Logon Process:  Authz     Authentication Package: Kerberos  Transited Services: -  Package Name (NTLM only): -  Key Length:  0  This event is generated when a logon request fails. It is generated on the comp

QB

Cannot connect to [SQL-Server]


I've installed the MS SQL Server 2016 with Reporting Services and the SSMS 2016.

In the installation I put the "Admin Groups" from the to the Admins, but after installation I can't connect to the server via SSMS; I get the error 18456 Login failed for user.

I tried it with the local computer admins and also with the group admin accounts, but this also doesn't work.

Disable sysadmin


Hi Team,

A few queries on sysadmin.

Is it possible to disable the 'sysadmin' role for a SQL instance?

Is it recommended to disable 'sysadmin' if it's possible?

What is the approach: create one more user, assign it the 'sysadmin' role and then disable the default sysadmin?

If I have multiple instances of SQL and have DBs, do I need to disable it for every instance, or would disabling it on one instance disable it for the other instances also (I don't think so, but I just want to confirm if anyone has tried this)?

Any pointers will be appreciated. Thanks.

Regards,
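An added example, not part of the post above. The sysadmin fixed server role itself cannot be dropped or disabled; what an administrator can do is keep its membership to a minimum and disable and rename the built-in sa login (principal_id 1), which is what "disabling the default sysadmin" usually comes down to. Server principals are local to each instance, so the script has to be run on every instance. The AD group name and the new name for sa are placeholders.

```sql
-- Added example (not from the forum post). Inventory sysadmin membership,
-- make sure an administrator remains, then disable and rename sa.
-- Names in brackets are placeholders. Everything here is per instance.

-- 1. Who holds sysadmin on this instance right now?
SELECT m.name AS member_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;

-- 2. Make sure another administrator exists before touching sa, otherwise the
--    instance can be left with no usable sysadmin. An AD group is the usual
--    choice (assumed name).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\SQL-Admins')
BEGIN
    CREATE LOGIN [CONTOSO\SQL-Admins] FROM WINDOWS;
    ALTER SERVER ROLE sysadmin ADD MEMBER [CONTOSO\SQL-Admins];   -- SQL Server 2012+
END

-- 3. Disable sa and rename it, so the well-known name no longer exists as a
--    login at all. Record the new name in your runbook.
ALTER LOGIN sa DISABLE;
ALTER LOGIN sa WITH NAME = [sa_renamed_placeholder];

-- 4. Verify: principal_id 1 is always the original sa, whatever it is called.
SELECT name, is_disabled FROM sys.server_principals WHERE principal_id = 1;
```

Step 1 is worth running on its own first: on most instances the surprise is not sa but the builtin accounts, service accounts and individual users that accumulated sysadmin over time. Those are removed with ALTER SERVER ROLE sysadmin DROP MEMBER, again per instance; nothing propagates between instances, including between instances on the same host.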


After removing TDE and restarting the SQL Server instance, tempdb is still showing as encrypted


Hello All,

I created a TDE on one of the databases and then I dropped and removed the TDE and even removed all the databases, and even after restarting the SQL instance is_encrypted is showing as 1 for tempdb.

Checked:

select * from master.sys.certificates

SELECT * FROM master.sys.symmetric_keys

select * FROM sys.dm_database_encryption_keys

All are clean.

Is there any way to come out of this situation?

Tracking SQL statements based on specific criteria in the SQL Statement - Audit report


Hi

I'm using SQL 2005 and trying to find a way to track when users are including specific criteria in their SQL queries.  I'm trying to avoid implementing RLS because I think that would have its own set of headaches.

I'm able to get the info below if I run manually throughout the day.

select
    getdate()                          as datestamp,
    db_name(r.database_id)             as db,
    r.start_time,
    s.session_id,
    s.[status]                         as session_status,
    -- the statement currently executing, cut out of the batch text
    substring(t.text, (r.statement_start_offset / 2) + 1,
        case when r.statement_end_offset = -1 or r.statement_end_offset = 0
             then (datalength(t.[text]) - r.statement_start_offset / 2) + 1
             else (r.statement_end_offset - r.statement_start_offset) / 2 + 1 end) as Query,
    r.command,
    r.wait_type,
    r.wait_time,
    r.wait_resource,
    r.last_wait_type,
    s.original_login_name,
    s.login_time,
    charindex('CP', t.text)            as CP_char,
    s.program_name                     as prog_name,
    charindex(g7.where_clause, t.text) as phrase_pos,
    g7.where_clause,
    r.user_id
--into G7_audit
from sys.dm_exec_sessions s
    left outer join sys.dm_exec_requests r on s.session_id = r.session_id
    outer apply sys.dm_exec_sql_text(r.sql_handle) t
    left outer join g7_audit_phrase g7 on charindex(g7.where_clause, t.text) > 0   -- table of phrases to watch for
where s.session_id <> @@spid
  and charindex('abstract', t.text) = 0
  and (charindex(g7.where_clause, t.text) > 0 or charindex(' CP', t.text) > 0 or charindex('%CP', t.text) > 0)
  and r.user_id not in (13, 20, 267)
  -- and is_member('db_datareader') = ...   (the comparison value is cut off in the post)

All help is greatly appreciated!

Thanks

Katie
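An added example, not part of Katie's post. Polling the DMVs only catches whatever happens to be running at the moment the query runs; on SQL Server 2005 the tool that records every completed batch whose text matches a pattern, with login, host and application, is a server-side trace (Extended Events do not exist in 2005). The script below builds one with the same pattern and exclusion as the DMV query; the output path and the 'CP' pattern are assumptions, and creating the trace needs the ALTER TRACE permission.

```sql
-- Added example (not from the forum post). Server-side trace that records
-- completed batches and RPC calls whose text matches a pattern, for SQL 2005.
-- Path and pattern are assumptions.
DECLARE @trace_id int, @rc int, @maxsize bigint, @on bit;
SET @maxsize = 50;   -- MB per file; option 2 = roll over to a new file when full
SET @on = 1;

EXEC @rc = sp_trace_create @trace_id OUTPUT, 2, N'D:\Traces\criteria_audit', @maxsize;
IF @rc <> 0
BEGIN
    RAISERROR('sp_trace_create failed with return code %d', 16, 1, @rc);
    RETURN;
END

-- Events: 12 = SQL:BatchCompleted, 10 = RPC:Completed.
-- Columns: 1 TextData, 8 HostName, 10 ApplicationName, 11 LoginName,
--          12 SPID, 14 StartTime, 35 DatabaseName.
EXEC sp_trace_setevent @trace_id, 12,  1, @on;
EXEC sp_trace_setevent @trace_id, 12,  8, @on;
EXEC sp_trace_setevent @trace_id, 12, 10, @on;
EXEC sp_trace_setevent @trace_id, 12, 11, @on;
EXEC sp_trace_setevent @trace_id, 12, 12, @on;
EXEC sp_trace_setevent @trace_id, 12, 14, @on;
EXEC sp_trace_setevent @trace_id, 12, 35, @on;
EXEC sp_trace_setevent @trace_id, 10,  1, @on;
EXEC sp_trace_setevent @trace_id, 10,  8, @on;
EXEC sp_trace_setevent @trace_id, 10, 10, @on;
EXEC sp_trace_setevent @trace_id, 10, 11, @on;
EXEC sp_trace_setevent @trace_id, 10, 12, @on;
EXEC sp_trace_setevent @trace_id, 10, 14, @on;
EXEC sp_trace_setevent @trace_id, 10, 35, @on;

-- Filters are ANDed (logical operator 0). Comparison 6 = LIKE, 7 = NOT LIKE.
EXEC sp_trace_setfilter @trace_id,  1, 0, 6, N'%CP%';                  -- the criteria of interest
EXEC sp_trace_setfilter @trace_id,  1, 0, 7, N'%abstract%';            -- same exclusion as the DMV query
EXEC sp_trace_setfilter @trace_id, 10, 0, 7, N'SQL Server Profiler%';  -- drop Profiler's own traffic

EXEC sp_trace_setstatus @trace_id, 1;   -- 1 = start (0 = stop, 2 = close and delete)
SELECT @trace_id AS trace_id;           -- keep this id to stop the trace later
GO

-- Later: read the rollover files back and see who ran what, when.
SELECT StartTime, LoginName, HostName, ApplicationName, DatabaseName, TextData
FROM fn_trace_gettable(N'D:\Traces\criteria_audit.trc', DEFAULT)
WHERE TextData LIKE '%CP%'
ORDER BY StartTime;
```

The trace filter is a LIKE on the batch text, so it matches the same things the charindex tests in the DMV query match, but it fires once per completed batch instead of once per poll. Stop it with sp_trace_setstatus @trace_id, 0 and remove the definition with status 2; the .trc files remain readable through fn_trace_gettable afterwards.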

Grant Permissions database versus object


We have a new application being developed, and the developers chose to grant permissions at the database level versus object level.

When I query database_permissions I see the role has the insert, update, delete, select permissions.  Permissions were set by running the following SQL:  grant insert, update, delete, select to role_name;

When I query the database permissions and join it to database_principals for the role, I don't get anything returned.

I am old school Oracle Database administrator, and prefer to have the permissions set at the object level.

Is it secure to grant permissions at the database level to a role?  Will other schemas be impacted by granting at the database level?

Any information would be appreciated.

DJ 
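An added example, not part of DJ's post. It shows what the developers' grant actually records in the catalog (one row per permission with class DATABASE and major_id 0, which is why a join from the permissions to objects comes back empty), demonstrates that the grant reaches every table in every schema, present and future, and then rescopes the same four permissions to the application's schema. The role, schema, table and user names are constructed for the example.

```sql
-- Added example (not from the forum post). Database-scoped grant versus a
-- schema-scoped grant, and what each one looks like in the catalog.
CREATE ROLE app_role;
CREATE USER app_user WITHOUT LOGIN;
ALTER ROLE app_role ADD MEMBER app_user;   -- SQL Server 2012+; sp_addrolemember before that
GO
CREATE SCHEMA app;                         -- must be alone in its batch
GO
CREATE TABLE app.Orders (id int PRIMARY KEY);
CREATE TABLE dbo.Config (id int PRIMARY KEY);   -- not meant for the application

-- (a) The developers' grant: no ON clause means the current database itself.
GRANT SELECT, INSERT, UPDATE, DELETE TO app_role;

-- What the catalog holds: class_desc = DATABASE and major_id = 0, one row per
-- permission and none per object. Join by grantee, not by object, to see it.
SELECT pr.name AS grantee, p.class_desc, p.major_id, p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS pr ON pr.principal_id = p.grantee_principal_id
WHERE pr.name = 'app_role';

-- The grant covers every table in every schema, including dbo.Config.
EXECUTE AS USER = 'app_user';
SELECT HAS_PERMS_BY_NAME('dbo.Config', 'OBJECT', 'SELECT') AS can_read_config,
       HAS_PERMS_BY_NAME('app.Orders', 'OBJECT', 'SELECT') AS can_read_orders;
REVERT;

-- (b) Scope it to the application's schema instead. Objects added to that
--     schema later inherit the permission; other schemas are untouched.
REVOKE SELECT, INSERT, UPDATE, DELETE FROM app_role;
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::app TO app_role;

EXECUTE AS USER = 'app_user';
SELECT HAS_PERMS_BY_NAME('dbo.Config', 'OBJECT', 'SELECT') AS can_read_config,
       HAS_PERMS_BY_NAME('app.Orders', 'OBJECT', 'SELECT') AS can_read_orders;
REVERT;

-- The catalog now records class_desc = SCHEMA with major_id = the app schema.
SELECT pr.name AS grantee, p.class_desc, SCHEMA_NAME(p.major_id) AS schema_name,
       p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS pr ON pr.principal_id = p.grantee_principal_id
WHERE pr.name = 'app_role' AND p.class_desc = 'SCHEMA';
```

The two HAS_PERMS_BY_NAME checks are the point: before the rescope the application user can reach dbo.Config as well as app.Orders; after it, only app.Orders. A schema-scoped grant keeps the convenience the developers wanted (no per-table grants as the schema grows) while answering the security question the way an object-level DBA would expect: other schemas are not impacted.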

SSL Certificate on SQL Server 2012 AlwaysON


We have successfully implemented SSL on a SQL Server 2012 standalone server.

We are using a third-party certificate.

Now we are planning to implement it on AlwaysOn.

How do we implement SSL on AlwaysOn?


What information should be included in the certificate when creating it?

ALTER LOGIN vs ALTER ANY LOGIN SQL 2012

Where does the setting to grant or deny ALTER LOGIN exist? We are experiencing a situation where we are able to create our own logins but not any other login. Clearly none of us has the ability to create logins from a permissions perspective, since ALTER ANY LOGIN is not granted and we are not admins either. The only permissions we have are read/write at the database level and View Any Database and View Any Definition at the server level. What could be causing this?

Anonymous
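An added example that serves both this post and the earlier "Create Login Permissions" question; it is not part of either post. Run as the login in question, it lists the effective server-level permissions, the explicit grants and denies on the login and on the server roles it belongs to, and a direct yes/no for ALTER ANY LOGIN and CONTROL SERVER, which are the two permissions that let a login create other logins. Nothing in it is assumed beyond being connected as the login you want to inspect.

```sql
-- Added example (not from the forum posts). What can the current login do at
-- server scope, and where does it come from?

-- 1. Effective server-level permissions for the caller, fixed roles included.
--    A login able to create other logins lists ALTER ANY LOGIN or CONTROL SERVER here.
SELECT permission_name
FROM fn_my_permissions(NULL, 'SERVER')
ORDER BY permission_name;

-- 2. Explicit grants and denies recorded for the caller's login and for the
--    server roles it is a member of (a DENY on a role overrides a GRANT).
SELECT pr.name AS grantee, pr.type_desc, p.class_desc, p.permission_name, p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS pr ON pr.principal_id = p.grantee_principal_id
WHERE pr.principal_id IN (
        SELECT principal_id FROM sys.server_principals WHERE name = SUSER_SNAME()
        UNION
        SELECT role_principal_id FROM sys.server_role_members
        WHERE member_principal_id = SUSER_ID())
ORDER BY pr.name, p.permission_name;

-- 3. Server role membership of the caller.
SELECT r.name AS server_role
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
WHERE rm.member_principal_id = SUSER_ID()
ORDER BY r.name;

-- 4. Direct answers for the two permissions that matter for creating logins.
--    NULL securable and class means the server itself.
SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER ANY LOGIN') AS can_alter_any_login,
       HAS_PERMS_BY_NAME(NULL, NULL, 'CONTROL SERVER')  AS has_control_server;
```

One caveat for Windows logins: when access comes through a Windows group, SUSER_SNAME() is the user's own name, which is not itself a server principal, so step 2 shows nothing for it; the group is the grantee, and step 1 (which resolves group membership) and step 4 are the reliable answers in that case. Any login can change its own password and defaults without ALTER ANY LOGIN, which is why "my own login" works while other logins do not.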
