Quantcast
Channel: SQL Server Security forum
Viewing all 3027 articles
Browse latest View live

windows account lost, anyway to enable mix mode authentication and login SQL server?

March 30, 2019, 6:00 pm
$
0
0

First, i think it  began with an Active Directory issue, but i don't find any queue for AD in this forum and this is also SQL server related so i post it here.

i am currently stuck at an embarrassing situation i replied at:

https://social.technet.microsoft.com/forums/windowsserver/en-US/fc830e06-c82f-4b62-aa81-a8ecc75684c8/password-changed-after-ad-dc-installation

OK, i am not so familiar with AD operation, but when demoting AD, why it does not just revert to the local machine accounts saved before AD promotion? why does it just create a new local machine administrator account without much notices(maybe the wizard does noticed me somewhere, i don't remember clearly)? It does prompt me for a new local machine administrator password, i thought it just reset the old local machine administrator password, but it created a new account.

Now, the sql server part: I see some one said i can just make some registry change to enable mix mode, and enable sa account. But its also said that sa password was set by the original sql server installation, so after enabling sa account by registry change, how do i know the sa password or can i just reset it.

By the way, i had tried to set the sql server service account to the new local machine administrator account, but i still cannot login sql server with the new local machine administrator acount.


update:anyway, i rebuilt master, which is almost the same as reinstall sql server 

C:\Program Files\Microsoft SQL Server\110\Setup Bootstrap\SQLServer2012>Setup /QUIET /ACTION=REBUILDDATABASE /INSTANCENAME=MSSQLSERVER /SQLSYSADMINACCOUNTS=guyu
minglaptop\administrator /SAPWD= xxxxxxx

Search

SQL Server Login Account not being able to find the second instance

March 31, 2019, 2:13 pm
$
0
0

We have a strange SQL Server access issue due to some unique circumstances.

 

Company went thru a merger. There are two domains.  Not domain trust (DNS) relationship yet, but two companies are connected to each other physically via physical network via Comcast.

There no shared dns name resolution, because dns servers are separate; that’s why SQL Server access is done via IP Address. No Alias’es are used in either servers.

 

sqlServer1         10.10.10.10        single instance, default name

 

sqlServer2          20.20.20.20       instance #1 default name

                                                               instance #2 name = instB             <= this is the problem 

 

Servers are in “angels.org” domain; users are in a different city in the sister company “brothers.com”

Users are logged in to brothers.com at all times.

 

In both sqlServer1 and sqlServer2\inst2 there are two logins which can access and login to these sql servers; but sqlServer2 (default instance) does not allow any access – no users there.

BROTHERS.COM\brotherA          windows login

userB                                                    sql server login 

 

These scenarios work:

10.10.10.10        Window Auth allows      BROTHERS.COM\brotherA    to login

10.10.10.10        SQLServer Auth allows   userB    to login

20.20.20.20\instB          Window Auth allows   BROTHERS.COM\brotherA   to login

 

But this one fails:

20.20.20.20\instB          SQLServer Auth    fails  userB     

Actually the hit goes to the default instance sqlServer2

Even though, userB wants to come to 20.20.20.20\instB default trace shows

EventName: Audit Login Failed

serverName: sqlServer2 …. not sqlServer2\inst2


In other words, domain account can find the second instance, but the SQL Server account cannot find the second instance if the SQL Server has multiple instance.

 

Why is that?


AlwaysEncrypted Data Encryption failing in PowerShell

April 1, 2019, 4:38 pm
$
0
0

I'm trying to encrypt multiple columns using AlwaysEncrypted, trying to apply the encryption using PowerShell and it is failing with the below error message :

Set-SqlColumnEncryption : The type initializer for 'Microsoft.SqlServer.Management.AlwaysEncrypted.Types.AlwaysEncryptedManager' threw an exception.

The actual line of code where is is giving exception is :

Set-SqlColumnEncryption -ColumnEncryptionSettings $encryptionChanges -InputObject $smoDatabase

Further looking into the error, I've found the below exception :

System.TypeInitializationException: The type initializer for 'Microsoft.SqlServer.Management.AlwaysEncrypted.Types.AlwaysEncryptedManager' threw an exception. ---> System.Reflection.TargetInvocationException: Exception has been thrown by the 
                        target of an invocation. ---> System.TypeInitializationException: The type initializer for 'Microsoft.SqlServer.Management.AlwaysEncrypted.Management.AlwaysEncryptedManagement' threw an exception. ---> System.IO.FileNotFoundException: Could not 
                        load file or assembly 'System.Net.Http, Version=4.2.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' or one of its dependencies. The system cannot find the file specified.

I'm running SQL Server 2016 Enterprise, PS Version 5.1, SQLPS version 21.1.18068.

Not sure what am I missing here. Any help will be highly appreciated.

Warning Preflib service does not match the trusted performance library in reg

April 15, 2016, 10:02 am
$
0
0

Hello,

While review my event logs I came across this warning.  I need to take some action on this, I'm just not sure what. Any help would be greatly appreciated.

Log Name: Application

Source: Perflib

Event ID: 2003

The configuration information of the performance library "perf-MSSQLSERVER-sqlctr10.50.1600.1.dll" for the "MSSQLSERVER" service does not match the trusted performance library information stored in the registry. The functions in this library will not be treated as trusted.

I was reading on one site, that I should reinstall the perf-MSSQLSERVER-sqlctr10.50.1600.1.dll.  If this is true, what can I find the file for down load from microsoft?

Thank you!

David92595


Database 'TEST' is already open and can only have one user at a time.

April 30, 2015, 7:27 am
$
0
0

Hi all,

Could some help on this issue as per urgency!



Database 'TEST' is already open and can only have one user at a time.

I also tried this command but having the same error, please let me know how to troubleshoot this issue

Use Master

GO

Select * from master.sys.sysprocesses

Where spid > 50

            And dbid=DB_ID (‘StuckDB’))  -- replace with your database name

Thanks

EXECUTE xp_cmdshell AS context of a sysadmin requires ##xp_cmdshell_proxy_account## credential to exist?

November 12, 2014, 1:29 am
$
0
0

Hi,

I am unable to use a stored procedure to allow a non-sysadmin to execute in the context of a sysadmin and call xp_cmdshell unless the ##xp_cmdshell_proxy_account## actually exists.

My understanding is that a sysadmin does not require the use of a proxy in order to execute xp_cmdshell.  However without one set up I receive the following error:

Msg 15153, Level 16, State 1, Procedure xp_cmdshell, Line 1

The xp_cmdshell proxy account information cannot be retrieved or is invalid. Verify that the '##xp_cmdshell_proxy_account##' credential exists and contains valid information.

A little confused as to why the ##xp_cmdshell_proxy_account## needs to be set up and if/how/when the credential identity's details are actually used?

Regards
Dan

what is the use of master key (which is created under master DB) in sql server?

April 3, 2019, 3:18 am
$
0
0

what is the use of master key (which is created under master DB) in sql server? 

The one which is created as

create master key 
encryption by password = 'somepassword';

Regards, Ashif Shaikh


SQL Admin Group

April 3, 2019, 11:16 am
$
0
0

We have a SQL ADMIN Group (SAG). This group is part of a DOMAIN ADMIN group (DAG). We would like to remove SAG from the DAG. 

Would there be any possible impact on this or would it break anything?

TIA

Search

Sql 2014 doesn't have admin login..

April 4, 2019, 9:32 pm
$
0
0

HI

I have a SQL without an admin login so if want to create another user or map a user to a database I can not do that.

I received the error:



The server only have 2 logins...

But the only active login has limited permissions.. 


Cannot start C2 audit trace === HELP

September 19, 2007, 9:57 am
$
0
0

Hi,

 

Could anyone assist me with this issue, nothing has changed on the server except trying to restore a db from another sql server to the one with the error (SQL01  to SQL02)

 

SQL02 Server does not startup, i get this error:

Cannot start C2 audit trace. SQL Server is shutting down. Error = 0x80070003(The system cannot find the path specified.)

 

Then I try to apply the -f parameter on service start up, and i get this error:

Could not create tempdb. You may not have enough disk space available. Free additional disk space by deleting other files on the tempdb drive and then restart SQL Server. Check for additional errors in the event log that may indicate why the tempdb files could not be initialized.

 

Could anyone please advise me on some solution?

 

Much appriciated

Gino

When setting up a proxy account, what should the permissions be?

April 8, 2019, 1:40 pm
$
0
0
I need to set up a proxy account for a credential in SQL Server. The proxy will be used to execute Python, SSIS, etc. The problem is, I'm not a windows security expert. When I'm setting up a Windows account to use with the credential, what rights should I give the account? What groups should it belong to? I'm assuming you don't want to make it an administrator no?

Help setting up permissions on DataBase.

April 8, 2019, 2:57 pm
$
0
0
I just built my (VS 2019) solution as an .msi file, I installed the program, then when I run it, and I can only read from the DataBase (.mdf & .ldf files), I can't modify or delete records, so I when to the program's installation folder and change the DataBase permissions manually, then... the program worked as expected... my consern is that the End-User may not know how to do that. So, how do I produce an .msi file with a dataBase that has no restricions to read and write?, a program that can be run in any computer, and the End-user doesn't need to give those permissions manually.

Any ideas are welcome!

Thank you.

A required privilege is not held by the client- Proxy though works when same account is the SQL Server Agent Service

April 9, 2019, 12:54 am
$
0
0

Okay, I know this question has been asked before but I have a scenario that I don't think any of those questions explain.

 1. I have always used SQL Server Configuration Manager

 2. I have SQL Server 2016

 3. The SQL Agent job has a simple step to call a batch file which simply does Echo "Hi" (just for a test)

  4. I am the administrator of the SQL Server as it is on my desktop with username: sys\username

  5. When the SQL Server Agent Service Account is made to run with sys\username and the the job step run as "SQL Server Agent Service Account" (which is basically me : sys\username) it runs fine.

6. When I create a credential with sys\username (again me) and then a proxy with that credential and run the job step as that proxy account it fails.

The reason for doing this, in Production, we would want to run this job with a proxy account and thus I am testing out that the permissions rolled out in LIVE are right. But that is at a later stage, first I have to understand why is it that it fails in this case? Especially when it's me (the same user)? Thoughts? 


Creating a conection string with powershell throws an error

April 9, 2019, 10:24 am
$
0
0

Hi am currently trying to execute this code using powershell

Function Verify-License(){

    $dbName = "site1000"
    $serverName = 'josuevm\SQL2016'
    $validation1 = $false                         
    $finalValidation  = $false    


    try{
        #Create a Connection and open it
        $connection = [System.Data.SQLClient.SQLConnection]::new()
        $connection.ConnectionString = "Server=($serverName);database=($dbName);User ID=dailycheckupvm\manager;trusted_connection=true;"
        $connection.Open();
   
        #Create a Command Object and the query to be executed
        $command = [System.Data.SQLClient.SQLCommand]::new()
        $command.Connection = $connection
        $command.CommandText = 'Select name from ICE.syslicense'
        
       
         #This variable will store the name of the license
        [string]$result = $Command.ExecuteScalar()
        
        #Read the Query
        $reader = $command.ExecuteReader()    

        #Read the path where the License physical is
        $licenseFilePath = 'F:\Epicor\ERP10\ISV\site1\SetupEnvironment'
        
        #Store all the files located in the directory
        $filesInLicenseFilePath = Get-ChildItem -Path $LicenseFilePath

        #Verify the License File match with the record in the DB
        foreach($file in $filesInLicenseFilePath){
        
          if($file.name -eq $result){
            $validation1 = $true
          }
        }
       
        #Validate if there is a record on the ICE.syslicense table
        if(($reader.FieldCount -gt 0) -and ($validation1 -eq $true)) {
          $finalvalidation = $true;
        }
        
        else {
          
          $finalvalidation = $false;
        }

     }
     catch {
          
          $errorMessage = $_.Exception.Message
          $failedItem = $_.Exception.ItemName     
          write-host $errorMessage
          write-host $failedItem
     }

     finally{
          #$command.Dispose()
          #$reader.Dispose()
          $Connection.Close()
     }

      $finalvalidation

} #End of Method Verify-License

But am getting this error

ontext Basic 

                    Validation of the ISV Installation\nException calling "Open" with "0" argument(s): "Cannot open 

                    database "site1000" requested by the login. The login failed.\nLogin failed for user 'NT 

                    AUTHORITY\SYSTEM'."\n\n


Protect Sensitive Data

April 10, 2019, 10:35 am
$
0
0

Hi Team,

How to protect sensitive data while copying (backup and restore) DB from PROD to QA. Like in QA i don't want to show real SSN/Credit card numbers.

weekly we have to refresh DB from PROD to QA

Environment: SQL Server 2016

Search

SQL 2019 - Missing "Allow Enclave Computations" & No enclave provider found for enclave type 'SIMULATOR'

April 11, 2019, 5:06 am
$
0
0

I am trying to configure Secure Enclaves, in SQL Server 2019 CTP 2.3.

I have built an attestation service, which seems to be working, and I have registered the SQL Computer's certificate with the Attestation Service. 

I have configured the enclave type as VBS, and used trace flag 127, to enable enclave computations, as below:

However, when I try to create a column master key, there is no option to "Allow Enclave Computations", as per the MSDN tutorial

If I try to connect to the instance, with Always Encrypted enabled, I get the following error:

No enclave provider found for enclave type 'SIMULATOR'. Please specify the provider in the application configuration.  (System.Data)

I know we are in CTP, so it may just be buggy, but wondered if anybody else had come across this, or knew how to work around it?

Pete


Question on exported private key (pvk file)

April 11, 2019, 7:01 am
$
0
0

Using TDE on SQL Server, and have need to back up the cert and private key to a key management system.

I export them as;

USE Master
BACKUP CERTIFICATE TDECert
TO FILE = 'C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\TDECertBackup'
WITH PRIVATE KEY (file='C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\TDECertBackupKey.pvk',
ENCRYPTION BY PASSWORD='xxxxx')
GO

The certificate has no issue in importing to the Safenet KeySecure, however the private key is in MS proprietary format.  I've tried a program I found called pvk.exe to turn it onto a PEM formatted file that will import to the KeySecure.

However I've not found a utility that accurately puts that back into a pvk that is a binary compare to what was backed up from SQL Server.  I've tried the pvk.exe to convert the PEM to pvk, as well as putting both the cert and key into a pfx file and used PVKConverter.exe.  Noting seems to work.

Anyone run into the same thing, or know how the MS pvk file can be converted back and forth?

Thanks

-Mike

sqlcmd connectivity issue after disabling TLS1.0

April 13, 2019, 7:37 am
$
0
0

Hi All,

We do have SQL Server 2012 instances on same domain. And users were accessing the instances through remotely via sqlcmd and it was working fine.

After disabled TLS 1.0/enabled TLS 1.2 and SQL SP4 patched, we are unable to connect the instances remotely via sqlcmd. 

Please help me to know how to fix this issues, do we have any workaround?

Thanks

David 

Preventing Remote Login Attempts

April 15, 2019, 11:07 am
$
0
0

Hi All,

Hopefully someone can help solve this issue. We have an outside service that is assisting our company. They need access to our SQL server so we had to open 1433 to them. 

In our router we limited the source to only be their IP address. Which was working for years. Just recently however there have been a run of EventID 18456 errors(Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT:<different IPs>]).  And the client is different each time, they come in at a rate of 1 a second for about one hour at a time then a few hours break then again. usually no more than 3 attacks per 24 hour period. 

I'm kind of stumped in how this is happening as the only IP Address that should be able to get in the firewall from the router is the one from the outside company. Clearly others are getting through though. 

Any thoughts or help would be appreciated. 



Unable to login to Sql Server after installation

April 15, 2019, 2:19 pm
$
0
0

Hi All,

I have installed Sql Server 2014 on one of my windows server. Since the port 1433 is not open, I have changed the port to another port on the network configuration TCP/IP. when I try to login for the first time, it is not taking either windows or sql authentication. It is throwing login failed for user.

I have tried everything, but still continue to have this error.

Appreciate any help.

Thanks,
Srikant Mishra

Srikant Mishra

Viewing all 3027 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>