Post reply

Linked Server Login Mapping & NT Groups

  • April 29, 2003 at 7:44 am

    #58790

    Hi All.

    I'm having a problem with configuring linked server logins. The servers are both Win/SQL2000 in an NT domain. I've got an NT group, say Production\support, as a login on ServerA. I have also created a standard SQL login LinkServerLogin on ServerB which I have given sysadmin rights.

    In the linked server security properties I've mapped the NT group to the SQL login (since I can't pass NT credentials in non-Active Directory environment.) However, when I run the query "select * from [ServerB].database.dbo.table" I get the following error message:

    Server: Msg 7416, Level 16, State 1, Line 1

    Access to the remote server is denied because no login-mapping exists.

    When I map an individual member of Production\support to LinkServerLogin and run the quey everything is fine. Anybody got any suggestions. Oh and by the way I've already got an NT group mapped to a linked server login in a production set-up and that works ..... Arrrrrrg.

    Thanks a million

  • April 29, 2003 at 9:05 am

    #455696

    I haven't gotten the group thing to work either. Without an Active Directory domain, you seem limited to using the bottom part of that dialog box:

    For a login not in the list above, connections will:

    I choose the last option: Be made using this security context: and map to a single SQL login on the linked server.

    HTH,

    Michelle



    Michelle

  • April 30, 2003 at 1:04 am

    #455769

    Hi Michelle,

    The funny thing is we do have it working on a Win2k machine so I believe it should work.

    My problem with the last option is that this radio button gives all logins to serverA access to ServerB through that linked server, as I read it. So if you've got any other suggestions I'd been delighted to hear them. By the way what's "HTH"?

    David

  • April 30, 2003 at 10:45 am

    #455825

    HTH = Hope This Helps

    Obviously it didn't.

    Is the group a local group to that machine or a global group on the NT domain?



    Michelle

  • April 30, 2003 at 11:00 am

    #455827

    Global. It's a head-wrecker!

    David

  • May 2, 2003 at 11:54 pm

    #456091

    As a DBA/Developer, I have developed my own applications like Data Scripter, SQL-Compare Pro. If anyone need these let me know. I can give it to u guys @ now price and obligation...

  • May 5, 2003 at 10:17 pm

    #456241

    In BOL, there is an entry concerning "Security Account Delegation". Search for it and you will find that this may be a fix you need to implement. Basically, it concerns allowing client connections to retain NT credentials when "hopping" servers. This typically applies to Windows 2000 servers/domains, and requires changes to EACH referenced server AND the account that SQLSERVER and SQLSERVERAGENT accounts run as (BTW, they must be NT accounts). HTH.

    Joshua Jones
    Director, Global Database Services
    PGi

Viewing 7 posts - 1 through 6 (of 6 total)

You must be logged in to reply to this topic. Login to reply