This post focus on a typical cause of sql login failure issue described as the title.
In real world, a customer log on to the machine as a domainuser or local machine accout, he can connec to SQL Server through SQL Server Management Studio. However, he fails to connect by using SQL Login, namely, in connection string specify User as the NT account, and the password.
He did: “Create login [domainuser] from windows”, then try –
osql -S -U [domainuser] -P xx or osql -S -U[machineaccount] -P xx.
To explain the reason, first you need to understand two Authentication Modes in SQL Server 2005:
- Windows authentication Only authenticated windows users can gain access to the SQL instance. You need to add a windows login for each windows user or group that needs access to SQL istance. This is default and recommended mode because you can take advantage of all the centralized security policers of your Active Directory domain.
Mixed Mode authentication Both windows login and SQL Server logins(neither of which are mapped to an operating system users) can access the SQL instances. You use mixed mode when you need to provide access to non-Windows-users for example when users of another operating system need access to SQL.
The –U and –P options are only for SQL Authentication. The SQL Client will not try to impersonate a windows user, instead it directly send the user/password to SQL Server and try to find a matching SQL login.
The solution is: You need to runas to impersonate the windows user and connecting using -E option in “osq.exe” or specify “Integrated Security=SSPI” or “Trusted_Connection = yes” in your connection string.
SQL Server Protocols
Disclaimer: This posting is provided “AS IS” with no warranties, and confers no rights