Hi, In the past we had some phrases that we had encrypted at rest in ms sql. Now when we change those phrases, we are being required to do a whole cloud release to change the phrase so I'm getting interested in keeping the phrase in the
database again. So my question is, is there some way to encrypt just certain ms sql queries on the wire? I actually don't care about the query going to ms sql, but I want the query coming back to the querying program to be encrypted on the
wire. I am pretty sure I am seeing that you can put some certificates in ms sql and have encrypted queries on the wire with ms sql. But I definitely don't want every query (especially large data queries) to be encrypted both directions on the wire. Is there some wire encryption with ms sql where you specify that just that query you want encrypted on the wire?
↧
ms sql encryption on the wire?
↧
Cannot find the symmetric key '', because it does not exist or you do not have permission
Hi, This I'm very new to database encryption so please bear with me.
I was able to do encrypt and decrypt a column in SQL Server 2012, using SQL Server Management Studio and through my java web application.
Now, we have a new server with MS SQL 2017 version. I did the same thing setting up the master key, certificate, and symmetric key. It works while I'm selecting data from SQL Server Management Studio, on Windows login and SQL login.
The problem is when it comes to the web application it does not work anymore. I'm getting: "Cannot find the symmetric key '', because it does not exist or you do not have permission"
This is how I read the encrypted data:
OPEN SYMMETRIC KEY SymmetricKeyHere DECRYPTION BY CERTIFICATE CertificateHere;
GO
SELECT CONVERT(varchar, DecryptByKey(COLUMN1)) AS 'Decrypted COLUMN1'
FROM TABLE1;
-- Close the symmetric key
CLOSE SYMMETRIC KEY SymmetricKeyHere ;
What do you think did I miss?
Thank you.
↧
↧
Linked Server Server Account works in SSMS but fails in a SQL Server Agent Job
So the Linked Server is setup on SERVER1. We run a SQL Server Stored Procedure from SERVER1 using [SERVER2].[msdb].[sp_send_dbmail] and it works like a charm. WahLah...Email comes through Outlook. If we try running via a SSIS Package using SERVER2 as Connection Manager and then setup a job on SERVER1 we get the following error...
Description: SSIS Error Code DTS_E_OLEDBERROR. An OLE DB error has occurred. Error code: 0x80040E4D. An OLE DB record is available. Source: "Microsoft SQL Server Native Client 11.0" Hresult: 0x80040E4D Description:"Login failed for user '(Service Account)'.". End Error Code: 0xC00291EC Source: Execute SQL Task Execute SQL Task Description: Failed to acquire connection "(Server).(Database Name)". Connection may not be configured correctly or you may not have the right permissions on this connection. End Error DTExec: The package execution returned DTSER_FAILURE (1).
I have looke high and low to try and resolve this and cannot seem to find anything.
What security permissions are missing form the Linked Server Service Account? Is it something related to SQL Server Security? Or something related to the Service Account Active Directory set-up? A Server setup switch?
If I try running the same SSIS Package on SERVER2 as a SQL Server Agent Job, it runs like a charm!
What am I missing here? And please don't come back and say just run it on SERVER2 because it truly has to run on SERVER1.
Thanks for your review and am hopeful for a reply.
↧
Set-SqlColumnEncryption throwing exception in Windows 2012 R2
Hi,
I am using
1) System 1: Windows Server 2012 R2 and installed .Net Framework 4.6.1 on it, Powershell verison 5. Now I am trying to execute the powershell scripts from here, which connects to a
2) System 2: Windows 2012 Server R2 and having Server having SQL Server 2016 installed
3) My purpose is to encrypt the columns using powershell
4) I have connected to Powershell console using Administrator login in system 1 and database is successfully connected, since I debugged the code in powershell ISE and checked the same.
5) I have installed the Master Key certificate in System 1 and already created the "Master Key" metadata CMK1 and "Encryption Key" CEK1 in the database server successfully
6) I am getting exception as follows
==============================================================
Set-SqlColumnEncryption : The type initializer for 'Microsoft.SqlServer.Management.AlwaysEncrypted.Types.AlwaysEncryptedManager' threw an
exception.
At C:\DB\RMD_Customer_Encyption_DBA_Part.ps1:35 char:1
+ Set-SqlColumnEncryption -InputObject $database -ColumnEncryptionSetti ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Set-SqlColumnEncryption], TypeInitializationException
+ FullyQualifiedErrorId : System.TypeInitializationException,Microsoft.SqlServer.Management.PowerShell.AlwaysEncrypted.SetColumnEncryption
=====================================================================
Source code is
# Obtain the location of the column master key and the encrypted value of the column encryption key from your Security Administrator, via a CSV file on a share drive.$keyDataFile = "C:\db\keydata1.txt"
$keyData = Import-Csv $keyDataFile
# Import the SqlServer module
Import-Module "SqlServer"
# Connect to your database.
$serverName = "IN1"
$databaseName = "ABC"
$password = "Admin1234"
$connStr = "Data Source=IN1;Initial Catalog=ABC;User ID=sa;Password=Admin1234;MultipleActiveResultSets=False;Connect Timeout=30;Encrypt=False;TrustServerCertificate=False;Packet Size=4096;Column Encryption Setting=Enabled"
#$connStr = "Server = " + $serverName + "; Database = " + $databaseName + "; Integrated Security = True"
$connection = New-Object Microsoft.SqlServer.Management.Common.ServerConnection
$connection.ConnectionString = $connStr
$connection.Connect()
$server = New-Object Microsoft.SqlServer.Management.Smo.Server($connection)
$database = $server.Databases[$databaseName]
# Encrypt the selected columns (or re-encrypt, if they are already encrypted using keys/encrypt types, different than the specified keys/types.
$ces = @()
$ces += New-SqlColumnEncryptionSettings -ColumnName "dbo.Customer.FirstName" -EncryptionType "Deterministic" -EncryptionKey "CEK1"
$ces += New-SqlColumnEncryptionSettings -ColumnName "dbo.Customer.LastName" -EncryptionType "Deterministic" -EncryptionKey "CEK1"
Set-SqlColumnEncryption -InputObject $database -ColumnEncryptionSettings $ces
↧
sql auditing
Is it possible database level auditing with sql2012 standard edition? The aim is to reach the log in case of a deletion in a table. Could you please share with us a document for databese change tracking?
↧
↧
Can't connect using SQL Authentication
Hi!
I am doing some tests here with SQL Server. Using the management studio I can connect to the server using my Windows user. Using that, I want to create a user and access a database.
I went to the security folder, added a login, selected the SQL authentication, set the user and password.
After that I added a user in the database using the login I just created (I gave the same name to both).
When I try to open a new connection, I select SQL Authentication and input the user and password, but I get an error that I can connect:
===================================
Cannot connect to localhost.
===================================
Login failed for user 'qwe'. (.Net SqlClient Data Provider)
Am I missing something?
Thank you,
Oscar
http://theitphilosopher.blogspot.com/
↧
MS SQL encryption function output differently each time
Hi all,
We are using MS SQL 2016 Standard Edition SP1.
And when we used the encryption function, "EncryptByKey", the end result of the encrypted value seems to be different even though we are encrypting the same text. E.g. encrypting "ABCD0123" first time output "0x0010FF740752C44785EE835649E31F060100000020AE31EAA6A354B95C7BE3991FF3924957A1301E3DA460A96A52B7614A69CA5CE56A21865BBDAD0280CD84AE052770A5"
and when we run the same encryption second time for the same "ABCD0123" input, we get the another output:
"0x0010FF740752C44785EE835649E31F06010000003EC461FA076B3DAF0A8AC37BB442848DBFEBC0CAA8BF3F09F8B53E7D00C695497314863BBFD4A6F946BB25AB0E8DE6D3"
Is it normal for the MS SQL encryption function to produce different output each time it run?
Please help me understand how we can resolve such scenario. Or rather what is the best practise for such scenario if we want to get the same output for the encrypted value?
Thanks a lot in advance.
Best regards,
Alex.
↧
3-Part Naming - Application Access
I have a SQL Server (SQL2016 SP2) with an application database and about 8 operational databases. I have created a sql login for use by our web app which allows that app to execute stored procedures and read directly from the tables in the application database db_WebApp. I have stored procedures in db_WebApp which 3-part name to other procs and tables in the operational databases (db_Oper1, db_Oper2, ... db_Oper8).
In order to enable reads/executes using 3-part naming within the db_WebApp stored procs, I also had to add the application login as a user to each of the affected operational databases and grant read permission on the affected tables and execute permission for the remote procs.
However, now the application can just connect at will to the operational databases, which is not what I want, because I don't want the app to be able to directly reference schema in the operational databases (which can change, which is why I encapsulated access to them in stored procs in db_WebApp).
Anyone have a good idea as to how I might be able to do this ? I'm trying to use 3-part naming to access other databases on the same server, but I don't want to allow the sql user to directly connect to the databases. I need to limit the access to 3-part naming (read, execute).
Kathy Gibson
↧
Running Vulnerable TDS service
How do you fix a Running Vulnerable TDS service security scan?
↧
↧
DDL AUDIT long output
I have created a DDL audit with database_change_group , database_object_change_group and schema_object_change_group. However i have get the long output on column 'statement' as below. Please help to advise.
SELECT clmns.name AS [Name], clmns.column_id AS [ID], clmns.is_nullable AS [Nullable],clmns.is_computed AS [Computed], CAST(ISNULL(cik.index_column_id, 0) AS bit) AS [InPrimaryKey],
clmns.is_ansi_padded AS [AnsiPaddingStatus], CAST(clmns.is_rowguidcol AS bit) AS [RowGuidCol],
CAST(ISNULL(cc.is_persisted, 0) AS bit) AS [IsPersisted], ISNULL(clmns.collation_name, N'') AS [Collation],
CAST(ISNULL((select TOP 1 1 from sys.foreign_key_columns AS colfk where colfk.parent_column_id = clmns.column_id
and colfk.parent_object_id = clmns.object_id), 0) AS bit) AS [IsForeignKey], clmns.is_identity AS [Identity],
CAST(ISNULL(ic.seed_value,0) AS bigint) AS [IdentitySeed],
CAST(ISNULL(ic.increment_value,0) AS bigint) AS [IdentityIncrement],
(case when clmns.default_object_id = 0 then N'' when d.parent_object_id > 0 then N'' else d.name end) AS [Default],
(case when clmns.default_object_id = 0 then N'' when d.parent_object_id > 0 then N'' else schema_name(d.schema_id) end) AS [DefaultSchema],
(case when clmns.rule_object_id = 0 then N'' else r.name end) AS [Rule],
(case when clmns.rule_object_id = 0 then N'' else schema_name(r.schema_id) end) AS [RuleSchema],
CAST(ISNULL(COLUMNPROPERTY(clmns.object_id, clmns.name, N'IsDeterministic'),0) AS bit) AS [IsDeterministic],
CAST(ISNULL(COLUMNPROPERTY(clmns.object_id, clmns.name, N'IsPrecise'),0) AS bit) AS [IsPrecise],
ISNULL(ic.is_not_for_replication, 0) AS [NotForReplication],
CAST(COLUMNPROPERTY(clmns.object_id, clmns.name, N'IsFulltextIndexed') AS bit) AS [IsFullTextIndexed],
CAST(COLUMNPROPERTY(clmns.object_id, clmns.name, N'StatisticalSemantics') AS int) AS [StatisticalSemantics],
CAST(clmns.encryption_type AS int) AS [EncryptionType], clmns.encryption_algorithm_name AS [EncryptionAlgorithm],
clmns.column_encryption_key_id AS [ColumnEncryptionKeyID], ceks.name AS [ColumnEncryptionKeyName],
CAST(clmns.is_filestream AS bit) AS [IsFileStream], CAST(clmns.is_sparse AS bit) AS [IsSparse],
CAST(clmns.is_column_set AS bit) AS [IsColumnSet], usrt.name AS [DataType], s1clmns.name AS [DataTypeSchema],
ISNULL(baset.name, N'') AS [SystemType], CAST(CASE WHEN baset.name IN (N'nchar', N'nvarchar') AND clmns.max_length <> -1
THEN clmns.max_length/2 ELSE clmns.max_length END AS int) AS [Length], CAST(clmns.precision AS int) AS [NumericPrecision],
CAST(clmns.scale AS int) AS [NumericScale], ISNULL(xscclmns.name, N'') AS [XmlSchemaNamespace],
ISNULL(s2clmns.name, N'') AS [XmlSchemaNamespaceSchema],
ISNULL( (case clmns.is_xml_document when 1 then 2 else 1 end), 0) AS [XmlDocumentConstraint],
CASE WHEN usrt.is_table_type = 1 THEN N'structured' ELSE N'' END AS [UserType], clmns.generated_always_type AS [GeneratedAlwaysType],
CAST(clmns.is_hidden AS bit) AS [IsHidden], CAST(clmns.is_masked AS bit) AS [IsMasked] FROM sys.all_views AS v
INNER JOIN sys.all_columns AS clmns ON clmns.object_id=v.object_id
LEFT OUTER JOIN sys.indexes AS ik ON ik.object_id = clmns.object_id and 1=ik.is_primary_key
LEFT OUTER JOIN sys.index_columns AS cik ON cik.index_id = ik.index_id and cik.column_id = clmns.column_id and cik.object_id
= clmns.object_id and 0 = cik.is_included_column LEFT OUTER JOIN sys.computed_columns AS cc ON cc.object_id = clmns.object_id
and cc.column_id = clmns.column_id LEFT OUTER JOIN sys.identity_columns AS ic ON ic.object_id = clmns.object_id
and ic.column_id = clmns.column_id LEFT OUTER JOIN sys.objects AS d ON d.object_id = clmns.default_object_id
LEFT OUTER JOIN sys.objects AS r ON r.object_id = clmns.rule_object_id
LEFT OUTER JOIN sys.column_encryption_keys AS ceks ON (ceks.column_encryption_key_id = clmns.column_encryption_key_id)
LEFT OUTER JOIN sys.types AS usrt ON usrt.user_type_id = clmns.user_type_id
LEFT OUTER JOIN sys.schemas AS s1clmns ON s1clmns.schema_id = usrt.schema_id
LEFT OUTER JOIN sys.types AS baset ON (baset.user_type_id = clmns.system_type_id and baset.user_type_id = baset.system_type_id) or
((baset.system_type_id = clmns.system_type_id) and (baset.user_type_id = clmns.user_type_id) and (
baset.is_user_defined = 0) and (baset.is_assembly_type = 1))
LEFT OUTER JOIN sys.xml_schema_collections AS xscclmns ON xscclmns.xml_collection_id = clmns.xml_collection_id
LEFT OUTER JOIN sys.schemas AS s2clmns ON s2clmns.schema_id = xscclmns.schema_id WHERE (clmns.name=@_msparam_0)and((v.type = @_msparam_1)
and(v.name=@_msparam_2 and SCHEMA_NAME(v.schema_id)=@_msparam_3))
↧
Installing SQL Server for Generic Users
I have to install machines for new employees that use the same software: Windows 10, Office, and SQL Server 2014. To expedite this process, I use a generic user and when the computer is deployed to the new employee, the login credentials are set. However, SLQ Server does not automatically grant login access to the new employee even though that employee is a local administrator to his/her own machine.
Is there a way to add this new user, instead of installing SQL Server using the user login credentials?
Thank you!
↧
Using AD group for permissions
I know this is a often discussed topic. I'm researching it, but would like to get input from this forum as well. If I use a domain group to give application users read/write permissions to a database, how do I prevent individual members of
the domain group from accessing SQL Server independently via SSMS from the application server or another remote server? Assume firewall ports open between the app server and SQL server. Thanks.
↧
KRB_AP_ERR_MODIFIED error connecting to SQL from some servers (not all)
Hi,
We are getting this error from some servers in our environment when trying to connect to a SQL Server, but not from all (so, we do have some that are able to connect fine to it)
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server <SQLServiceAccount>. The target name used was MSSQLSvc/<SQLServerName-FQDN>:1433. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (<Domain>) is different from the client domain (<Domain>), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
Details:
| EventData |
| Server | <SQLServiceAccount> |
| TargetRealm | <Domain> |
| Targetname | MSSQLSvc/<SQLServerName-FQDN>:1433 |
| ClientRealm | <Domain> |
We are trying to test using an UDL File, and when Kerberos Logging is enabled, we are seeing this (Source: Security-Kerberos, Event 3):
A Kerberos error message was received:
on logon session
Client Time:
Server Time: 15:0:15.0000 1/8/2019 Z
Error Code: 0x29 KRB_AP_ERR_MODIFIED
Extended Error:
Client Realm:
Client Name:
Server Realm: <Domain>
Server Name: <SQLServiceAccount>
Target Name:
Error Text:
File: 3
Line: 587
Error Data is in record data.
SPNs look ok when checking with the Kerberos Configuration Troubleshooting tool (and the fact that other servers in the same environment are working (there are multiple working, and multiple failing)... All are in the same domain (single domain environment).. and all of them are able to talk to other SQL Servers that coexist with the problematic one.
Any ideas/suggestions, on what I can look at next to troubleshoot this?
↧
↧
Grant DML (Insert, Update, and Delete) privileges via Stored Procedures Only
What is the best way to Grant DML (Insert, Update, and Delete) privileges via Stored Procedures Only? The user should be able to execute any stored procedure (including those that have DML statements inside) but cannot directly go to the table and change
the data in it (NO db_datawriter permissions). The idea is to give the developers full permissions in DEV but SELECT (db_datareader) and EXECUTE permissions in PROD, so they cannot accidentally change the objects or data in PROD server.
↧
Process to capture the list of SP's executions and its time taken
hi ,
my development team has created an Batch process in which it has close to 100 SP's thats the been created in the name of an Batch process , which on initiating will run for 4 to 6 hours depending on the H/w response.
My requirement here is , in that 100 SP's in few situations 50 may trigger nor 70 depending on the select condition which the users passes in the submit button . I want to know the list of SP's executed and its time duration taken to complete each SP's execution
is there a way to find it
hemadri
↧
Is there a way to use a variable to set the ENCRYPTED_VALUE on the COLUMN ENCRYPTION KEY?
Is there a way to use a variable to set the ENCRYPTED_VALUE on the COLUMN ENCRYPTION KEY?
I'd much rather use a variable that have it hardcoded like this.
CREATE COLUMN ENCRYPTION KEY [ColumnEncryptionKey1] WITH VALUES ( COLUMN_MASTER_KEY = [ColumnMasterKey1], ALGORITHM = 'RSA_OAEP', ENCRYPTED_VALUE = 0x016E000001630075007200720065006E00740075007300650072002F006D0079002F003700640066003400610063003700330031003700380064003300360035003200390031006400660039003400330065003000660030003900360035003300640064006500320039003600660063003700A4E3998FA143C159CB3F54B819D1E95827F40122E563B9DCBB855F366B1192979EE73374992A2D074DF7F4B19B0D6BE84D674FDFD574A52C1FD09F375D954B8EA01D63F002D36BF7BBE3AE8D3279EAA189F589F4FE520CF76A0064929E094FC1BDEE91B7C53DAB47F09FA3888C5DF07C210A604329F9F5CEB4495E00F7CD7055993ACA7E1D7D6885553D06312C60396A0DF2449144FFC32008B7636901C2B9EDEC8588BAE8DA079496DDA9BCF8367AE618C3D1F1504559A523379C29C8BA8658972BA3A25F46DDE3FC50CB198A3D3EE24CE92E7739CE8443E01A12BD7ABB58790812EF49AB592D0E537D808E1205C92B00D188EB221740CA8891B43EF58CC1968735F7AE779F5A98DF2BC1B983E16D767BD0926AF4EB6847B7D928D0548D77EC76C935DF37C4FB2E410B4925E26BD52648FABF2ED08DDFFD49B13EE5CEC923A1CA3F222AB7E104E0C0649D0D158DBA33687DC1C6FBBF5573F057CF0ADCEF4033ECB832B57C658127109DB871D83CB7FAD6ADADC05089424EECAA57A27BA41AD71AA17109F710004BFC71FF0E30E826F131FB8A63D0284B5EC33C1FA34AD2982E5613F243F8F916C5A4DF9C46210255580E29DE4FC0DE189A013078D4C6E1BA672CE549F4B52672D2FC06B94B9E7F95BFB2238EF73B0694706AF068FD07A874E4ADAF86DD405F2A68D9ABEA50292824555AD4E319A3B024D189D08E8E43CAD235 ) GO
↧
Error : cannot create table since it references a column encryption key from a different database
Hi,
I have 2 different database lets consider Database A and Database B in the same SQL server 2017.In both database some columns are encrypted.
I want to access a encrypted column of database A lets say mobile_no and insert it into table test_table in Database B .
Below is the query which is used
Use B
GO
SELECT mobile_no INTO test_table FROM a.table
I am getting below error on execution
Cannot create table since it references a column encryption key from a different database
And we also tried creating the same column master key and column encryption key on both the databases A AND B.
Regards,
Saurabh
↧
↧
sql server SQL auth to KERBEROS auth?
I setup a sql server 2012 express for some lab work I need to get done with Active Directory integration and ultimately using kerberos from a linux machine joined to AD domain using Kerberos auth to query sql server
I can connect using sql auth with I can run sql queries with sqlcmd and also added linux machine to the domain.
Now I am getting ready to setup kerberos on my linux machine to talk to sql server.
I can see sqlserver is responding with SQL for auth_schem instead of KEREROS with this query!
select auth_scheme from sys.dm_exec_connections where session_id=@@spid
Docs are telling me it should respond with KERBEROS
how do I change sql server auth to kerberos?
↧
how to restore only partial data from sql db
hi ,
i have an DB whose size is 200 GB , created in 2016 jan , and today we are in 2019 jan.
i have an requirement that i need to restore only last 6 months of data from today .
i have daily backups from oct 2018 onwards before which i dont have any backups also . no tran backups too .
can you please suggest a method nor a way to restore only 6 months of data from the DB , there are around 6000 tables in the DB and few tables has column stored for date and few may not .
i am fine even if you can suggest some 3rd party tools for my requirement
thank you
hemadri
↧
SQL Server Object Modifications
Hi,
I am using below query to for SQL Server Object Modifications.
How to modify this query to include user name (who modified object) ,user machine name and date/time?
CREATE TRIGGER object_changes
ON DATABASE
FOR CREATE_TABLE,DROP_TABLE,ALTER_TABLE,CREATE_VIEW,DROP_VIEW,ALTER_VIEW,CREATE_PROCEDURE,DROP_PROCEDURE,ALTER_PROCEDURE
AS
DECLARE @data XML = EVENTDATA()
DECLARE @eventType nvarchar(100)= CONCAT ('EVENT: ',@data.value('(/EVENT_INSTANCE/EventType)[1]', 'nvarchar(100)'),+ CHAR(13))
DECLARE @TsqlCommand nvarchar(2000)=CONCAT('COMMAND: ',@data.value('(/EVENT_INSTANCE/TSQLCommand)[1]', 'nvarchar(2000)'))
DECLARE @BodyMsg nvarchar(2100)=CONCAT(@eventType,@TsqlCommand)
EXEC msdb.dbo.sp_send_dbmail
@profile_name = 'SupportDBA',
@recipients = 'abc@xyz..com',
@body =@BodyMsg,
@subject = 'The following object(s) was/were changed';
GO↧