Home » Posts tagged 'sql server authentication'
Tag Archives: sql server authentication
SQL Server principals – Logins & How does Login Authentication work in SQL Server?
[MSSQLFUN & Decode ITeS becomes a family of 1600 individuals across the globe. Please join us on
Facebook & YouTube.]
SQL Server Level Principals
SQL Server level principals are the only way to connect to SQL Server to access data. They are the entry guard to ensure only authorized person entries and perform legitimated functions only.
SQL Server Level Principals has 2 components.
- Logins
- Server Roles.
Logins
Login is part of the Server Scoped Security Principal used to connect and access the SQL Server. In other terms, Credentials like user-id password, Token / Certification based access to access your data.
SQL Server supports 3 types of logins out of 2 (SQL & Windows Login) is mostly used in the environment and available from legacy versions of SQL Servers.
· SQL Server authentication Login
· Windows authentication login
- Individual Windows user
- Windows group
· Azure Active Directory authentication login
- Individual AD user
- AD group
Windows Logins: Here, User Id and password stored in Active Directory (AD) and AD authenticates users before they connect to SQL. Microsoft preferred to use windows authentication to ensure updated password policies are applied with a series of encryptions. This is to ensure user credentials and data are not compromised. Windows logins are managed by domain admins and DBA cannot change the password or modify the user. Windows Logins are also called NT logins. Windows logins can be assigned to SQL server as:-
- Individual Login – Individual logins are normal user credentials got direct access to SQL Server by adding it in SQL Server Logins.
- Windows Group – Windows group is a collection of windows users. Windows group will be added in SQL Server logins and on basis of that user’s part of the group will get indirect access to SQL Server. There may be a possibility that a particular user is not part of the group directly but added in the further subgroups. That means. All Users of the Windows group and all subgroups in the hierarchy will get SQL access in one go. This is very useful when access needs to be given to a large group.
SQL Logins: SQL Logins use Server Authentication. SQL Logins created at SQL Server and stores usernames and passwords in the “Master” database server. There is not the role of the domain controller and active directory in the authentication. It can be used in situations where Active Directory is not available., but, whenever possible, use Windows Authentication exclusively. You can create multiple users under SQL authentication to provided different users different access as per their requirement. You can configure SQL Server to run on SQL Server and Windows Authentication called Mixed Mode.
How to Manage (Create \ Alter \ Delete) Login in SQL using SSMS (SQL Server Management Studio)?
| Right click on Logins and click “New Login” |  |
| Select authentication type under which you want to create new login |  |
| For Windows Login, Enter Login Name with |  |
| For SQL Login, Enter Login Name with |  |
For Windows Login,
|
 |
For SQL Login,
|
 |
| Select Server role under which you want add login |  |
| Select Database and DB level permission to login. You can also assign it later. |  |
| To Delete, Right click on login and select delete |  |
| Delete Login Windows, Click OK. It will give you warning that DB users will remain orphan and you can delete it later. |  |
How does Login Authentication work in SQL Server?
- Windows Login: Windows authentication is more secured than Database authentication because it works on encryption and certificate-based security procedure. Windows login pass token in place of a user ID and password to SQL Server. This Token is provided by windows active directory \ Domain controller or local computer. This token is authentication validity pass with SID details of logins. In case login is not part of direct SQL Server login, all associated windows groups & subgroups SID will be added to the token for validation. Once SQL Server received the valid token, it compares the SID from token to SID saved sys.server_principals system view in SQL Server. Based on the result of SID Comparison access of SQL Server is granted or denied.
- SQL Login: SQL Login authentication is quite simpler than windows login. SQL Login provided user ID & password to SQL Server. User ID & password is saved in the master DB system view. SQL Server compared the user ID and corresponding password. If user ID exists and the password is correct, access is granted.
How to check logins are SQL or Windows at SQL Server?
We can use the below query to review logins that exists at SQL Server are SQL or Windows.
| SELECT SP.NAME AS LOGIN,
SP.TYPE_DESC AS LOGIN_TYPE, SL.PASSWORD_HASH, SP.CREATE_DATE, SP.MODIFY_DATE, CASE WHEN SP.IS_DISABLED = 1 THEN ‘DISABLED’ ELSE ‘ENABLED’ END AS STATUS FROM SYS.SERVER_PRINCIPALS SP LEFT JOIN SYS.SQL_LOGINS SL ON SP.PRINCIPAL_ID = SL.PRINCIPAL_ID WHERE SP.TYPE NOT IN (‘G’, ‘R’) |
Script to list permissions of all logins
| SELECT sp.NAME AS LoginName,
sp.type_desc AS LoginType, sp.is_disabled As Is_Disable, sp.default_database_name AS DefaultDBName, SL.sysadmin AS SysAdmin, SL.securityadmin AS SecurityAdmin, SL.serveradmin AS ServerAdmin, SL.setupadmin AS SetupAdmin, SL.processadmin AS ProcessAdmin, SL.diskadmin AS DiskAdmin, SL.dbcreator AS DBCreator, SL.bulkadmin AS BulkAdmin FROM sys.server_principals sp JOIN master..syslogins SL ON sp.sid = SL.sid WHERE sp.type <> ‘R’ AND sp.NAME NOT LIKE ‘##%’ |
Reference: Rohit Garg (http://mssqlfun.com/)
You can find and follow MSSQLFUN:-
Subscribe YouTube Channel Decode ITES
http://www.facebook.com/mssqlfun
Other Linked Profiles:-
Principals, Securables, Permissions – SQL Server Access Components
[MSSQLFUN & Decode ITeS becomes a family of 1600 individuals across the globe. Please join us on
Facebook & YouTube.]
SQL Server Access Authentication
SQL Server Security is the primary DBA responsibility and required to secure guard your data. SQL Server database contains your users and business data and this needs security from unauthorized access. SQL Server Access Authentication is a crucial aspect of SQL Server Security.
SQL Server provides a list of mechanisms to provide access to the user. For New DBAs or other than DBAs, this process seems to be complex and confusing. These access controls help to provided exact access to each required user to ensure ZERO extra privilege or data access to anyone.
Components of SQL Server Access Authentication
SQL Server access authentication has 3 components:-
- Principals: Objects that can request SQL Server resources called Principals. Access to Principals is depended on the scope. Based on the scope, Principals can be divided into 2 types:-
- Server Level Principals
- Database Level Principals.
- Securable: Securables are Server or Database objects to which authentication can be provided. Like Table, Endpoints, etc. Securable are divided based on scope, Server Scoped, Database Scoped & Schema Scoped.
- Permissions: Permissions are giving control of securable to the principal. Principal can perform the required operation of securable as permissions assigned, Permissions at Server level managed via Logins and Server roles whereas at database-level permissions are managed using database user and roles.
Reference: Rohit Garg (http://mssqlfun.com/)
You can find and follow MSSQLFUN:-
Subscribe YouTube Channel Decode ITES
http://www.facebook.com/mssqlfun
Other Linked Profiles:-
SQL Server Authentication
[MSSQLFUN & Decode ITeS becomes a family of 1500 individuals across the globe. Please join us on
Facebook & YouTube.]
We will be discussion SQL Server Authentication and below topics:-
- What is Authentication?
- Type of authentication in SQL Server (SQL & Windows)
- Windows Authentication
- What is Windows authentication?
- Advantages & Disadvantages
SQL Authentication
- What is SQL authentication?
- Advantages & Disadvantages
SQL Server Authentication Modes
- What is Authentication?
Authentication, The process of identity verification of the user. In Laymen terms, Attention is the process to check “Who are you?”. It can be based on user-id & password or token-based or certificate-based. Authentication is the key to allow only authorized users can connect to access the data and system.
Only user with correct authentication details able to connect.
- Type of authentication in SQL Server (SQL & Windows)
Microsoft supports 2 types of authentications, SQL, and Windows authentication. For each login created on SQL Server, it should be part of either authentication.
- Windows Authentication
Windows Authentication depends on Active Directory (AD) to authenticate users before they connect to SQL. Windows auth use series of encryption to ensure no leak of sensitive data. It is the recommended authentication mode because AD is the best way to manage password policies and user and group access to applications in your organization. User Id and password stored in Active Directory. You can run SQL Server only on Windows Authentication called Windows Authentication Mode.
Advantages of Windows Authentication:
ü All in One Domain: When your environment is on one domain, both DB and application are hosting on the same domain. Windows authentication is the best and secure way of DB communication.
ü Domain Controller: Here, we had Domain Controller to manage logins creation \ modification and authentications.
ü Password Policies: Windows logins must bear with password policies. Windows logins can not skip it. This makes the user password more secure and updated.
ü DBA relief: DBA no more needed to manage users and passwords. This task is completely managed by domain admins in windows auth.
ü Windows Group: Windows give functionality to create groups and that group can be added to SQL server to give access to all users in the group in one go.
Disadvantages of Windows Authentication:
ü No Control: DBA has no control over logins, it completely managed by domain admins.
ü Windows Group: Windows groups has a disadvantage as well because membership of the group is hidden to DBA. DBA will not be aware of who is part of groups or when users added or removed from the group.
- SQL Authentication
SQL Server Authentication works by storing usernames and passwords in the “Master” database server. It can be used in situations where Active Directory is not available., but, whenever possible, use Windows Authentication exclusively. You can use SQL Server and Windows Authentication at the same time called Mixed Mode.
You can create multiple users under SQL authentication to provided different users different access as per their requirement.
Advantages of SQL Server Authentication
ü Legacy Application Support: You can keep using your legacy application with support of SQL authentication.
ü Vendor Application Support: Vendor or 3rd Party application which are not built specifically to use SQL Server can be used with SQL Server using SQL authentication
ü Cross Operating System: SQL authentication is best to use when the environment had multiple types of operating systems like Windows, Linux, etc.
ü No Domain \ Workgroup \ Non-Trusted Domain Environment: SQL authentication is best to use while working in No Domain, Workgroup, Non-Trusted Domain Environment where users cannot be authenticated using Windows domain controller.
Disadvantages of SQL Server Authentication:
ü Multiple User Name and Password for Users: Let’s consider a user who needs access to multiple database instances. In SQL authentication, the User will have separate login and password for each instance. This will be difficult to manage and annoying.
ü Multiple User Name and Password for DBAs to Manage: Let consider, You are a team of 5 DBAs and using 50 SQL Server instances. This lead to 250 user ID & Password management for DBA.
ü Enforcing Password Policy: SQL Server logins can be skipped from enforcing password policy. These lead to week passwords and no regular change of password.
ü Application or user pass SQL login and password to connect. This communication can be hacked and user id & passwords can be compromised.
- SQL Server Authentication Modes
Based on available authentication types, SQL Server supports 2 types of authentication modes.
- Windows Authentication Mode:- This is the default one and preferred from Microsoft.
- Mixed Mode: Mixed mode supported Windows authentication along with SQL authentication. Both types (windows & SQL) logins can work under this model.
How to check the current authentication mode?
Right Click on Server Instance Name in Object Explorer > go to Properties > Security Tab
To change authentication mode, you can change the selection from this screen and click ok. This change needs SQL Service to restart to take into effect.
Reference: Rohit Garg (http://mssqlfun.com/)
You can find and follow MSSQLFUN:-
Subscribe YouTube Channel Decode ITES
http://www.facebook.com/mssqlfun
Other Linked Profiles:-