3

I want to connect to SQL Server using a domain account from a web host that is NOT in the domain. This is a plain vanilla ASP.NET web app. This off-domain site hits Reporting Services using domain credentials and I don't know why this isn't allowed for SQL connections.

We have a lot of internal apps (win form and web form) and this is the last one to convert to integrated security so we can manage permissions across the board via AD, but if I have to do it in SQL, then I can accept defeat.

Has anyone figured out how to do this or is it just not possible?

Since_2008
  • I know in standard Windows security, if you have the client local user account have the same username and password as an account on the server, it works. I'm not sure to what extent AD interferes with this. You might get a more experienced response over on Server Fault, which is focused on professional level system and server administration. In similar situations I usually just give up and create a SQL user though. :) Good luck and +1 for a question showing thought. – TZHX Apr 17 '15 at 20:21
  • The credentials are taken from the thread running your web app. You might be able to impersonate a user and change the identity of the thread to a domain account. I don't have all the details, but this might help: [link](http://stackoverflow.com/questions/258857/set-identity-of-thread) – sarme Apr 17 '15 at 21:28
  • I am pretty sure I checked into this idea along the way, but I tried it again. Attempting to match my local user name to my domain user name (same password, had to grant folder permissions and logon as service/batch policies) did not work and resulted in an exception connecting to SQL: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. – Stuart Stephens Apr 17 '15 at 22:50
  • This makes sense to me as I don't see how integrated security could work (i.e. the authentication would have to happen on the non-domain host and then resulting credentials are provided when accessing SQL Server - something that can't happen). I would have to be able to modify the connection string to provide user/pass credentials similar to what I had to do for SSRS, but that is a web service. As best I can tell, connection strings for integrated security do not support this. – Stuart Stephens Apr 17 '15 at 22:50
  • For this reason, I can't change the identity in coding (i.e. impersonate) as there is no domain controller to process the authentication required to change identity. I think I have to be able to submit a request with credentials. I didn't get that impression from the "Set Identity of Thread" link. – Stuart Stephens Apr 17 '15 at 22:50
  • Have you set up trust relationship between domains? – Sandeep Apr 18 '15 at 04:37
  • This server is off domain and not part of a domain. It is standalone. Due to firewall restrictions, it cannot communicate with another domain. I think the only ports that are open are for SQL and HTTP/HTTPS. – Stuart Stephens Apr 20 '15 at 18:35

2 Answers

0

You can connect to a domain SQL Server 2005 (and later versions) from a non-domain machine, but this requires that you can connect to the domain from the remote machine.

You can connect to Reporting Services using domain credentials because it uses NTLM for Windows Integrated authentication, which goes through HTTP authentication. Direct connections to SQL Server don't use HTTP, so this type of authentication isn't available.

Stephen Turner
0

You will need to join the SQL box to the Web App domain, or the other way around, or make a trust relationship between the domains.

runas /netonly /user:domain\username "c:\path\ssms.exe"

Look at this post here: http://www.mssqltips.com/sqlservertip/3250/connect-to-sql-servers-in-another-domain-using-windows-authentication/

Aram
  • Joining the domain or creating a trust relationship is not possible as this box is in a DMZ and is pretty locked down. Also, I need my web app to access SQL, not Management Studio. This is a production webserver accessible by the public. – Stuart Stephens Apr 24 '15 at 21:59
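
The `runas /netonly` command in the answer above starts a separate process; the in-process counterpart for a web app is `LogonUser` with `LOGON32_LOGON_NEW_CREDENTIALS`, which attaches the domain credentials to outbound network authentication only, with the connection opened while impersonating that token. This is an added example, not code from any answer on this page. The `NetOnlySql` helper and the server and database names are hypothetical, and it assumes the SQL Server accepts NTLM from this host and that the password is read from protected configuration rather than hardcoded.

```csharp
using System;
using System.ComponentModel;
using System.Data.SqlClient;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

public static class NetOnlySql   // hypothetical helper, not from the page
{
    // Network-only logon: the credentials are NOT validated on this machine
    // (no domain controller is contacted by LogonUser); they are presented
    // only when the thread authenticates to a remote server.
    private const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    private const int LOGON32_PROVIDER_WINNT50 = 3; // required for logon type 9

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out SafeAccessTokenHandle token);

    public static T RunAsDomainUser<T>(string domain, string user, string password, Func<T> work)
    {
        SafeAccessTokenHandle token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        using (token)
            return WindowsIdentity.RunImpersonated(token, work);
    }

    // Returns the login SQL Server sees, to confirm which identity was used.
    public static string WhoAmIOnServer(string domain, string user, string password)
    {
        // Assumed names; Integrated Security makes SqlClient use the thread's token.
        const string cs = "Server=sql01.example.internal;Database=AppDb;" +
                          "Integrated Security=SSPI;Encrypt=True";
        return RunAsDomainUser(domain, user, password, () =>
        {
            using (var conn = new SqlConnection(cs))
            using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
            {
                // A wrong password surfaces here as a login failure, not in
                // LogonUser, because logon type 9 defers validation.
                conn.Open();
                return (string)cmd.ExecuteScalar();
            }
        });
    }
}
```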