Service running as Local System connecting to a SQL server using Windows Authentication?

  • We have a service that runs as Local System on a Windows 2003 server. That service needs to connect to a SQL server (SQL 2000 on a separate Windows 2003 server). However, when the service tries to connect it gets a "Login failed for user '(null)'" error, which is what I would expect.

    The vendor who wrote the service said that we should add the computer name as a SQL user by creating a new Windows Authentication type login (in Enterprise Manager) with a name of OurDomain\ServerWithTheService$. They said that that would allow the service to connect to the SQL server. However, we still got the "Login failed for user '(null)'" error.

    We were able to work around the issue by running the service as a domain user rather than as Local System. However, I wanted to run the vendor's suggestion past you guys to see if what the vendor said makes sense. I've never heard of anything like that before, and would like to learn more about it if what they're saying is possible.

    Thanks for any input you have on this.
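The vendor's suggestion, written out as T-SQL for SQL Server 2000 rather than clicked through Enterprise Manager, is shown below as an added example; it is not code from the original thread or from the vendor. The login name is the one used in the thread; the database name AppDb, the user name ServiceSvcUser and the roles are assumptions. When a domain-joined machine's Local System or Network Service account talks to a remote domain server, the identity it presents is the computer account, DOMAIN\MACHINENAME$, which is why the login is created for that name. The final query is the check a practitioner wants: run from the service's own security context, it shows the name SQL Server actually sees for the connection, which is the name the login entry has to match. If the server reports the user as '(null)', no Windows identity reached it at all, and adding or adjusting the login will not change that result.

```sql
-- Added example (not from the original thread): the vendor's suggestion in
-- T-SQL for SQL Server 2000. OurDomain\ServerWithTheService$ is the name used
-- in the thread; AppDb, ServiceSvcUser and the role choice are assumptions.
USE master;
GO

-- 1. Windows-authenticated login for the COMPUTER account of the server that
--    hosts the service. Local System / Network Service on a domain-joined box
--    authenticate to remote servers as DOMAIN\MACHINENAME$ (note the trailing $).
IF NOT EXISTS (SELECT 1 FROM master.dbo.sysxlogins
               WHERE name = N'OurDomain\ServerWithTheService$')
    EXEC sp_grantlogin N'OurDomain\ServerWithTheService$';
GO

-- 2. Map the login to a database user and grant only the rights the service
--    needs (least privilege: fixed database roles, not sysadmin).
USE AppDb;
GO
IF NOT EXISTS (SELECT 1 FROM dbo.sysusers WHERE name = N'ServiceSvcUser')
    EXEC sp_grantdbaccess N'OurDomain\ServerWithTheService$', N'ServiceSvcUser';
EXEC sp_addrolemember N'db_datareader', N'ServiceSvcUser';
EXEC sp_addrolemember N'db_datawriter', N'ServiceSvcUser';
GO

-- 3. Check: run this from the service's security context (e.g. from a tool
--    launched as Local System on ServerWithTheService) over a trusted connection.
--    Expected when the computer account arrived:
--      connecting_login = OurDomain\ServerWithTheService$, db_user = ServiceSvcUser
--    If the connection instead fails with "Login failed for user '(null)'", no
--    Windows identity reached the server, so the login entry is not the problem.
SELECT SUSER_SNAME() AS connecting_login, USER_NAME() AS db_user;
GO

-- 4. Cleanup, if the approach is abandoned in favour of a dedicated domain account.
-- EXEC sp_revokedbaccess N'ServiceSvcUser';
-- USE master;
-- EXEC sp_revokelogin N'OurDomain\ServerWithTheService$';
```

Note that a login for a computer account grants access to every process on that machine running as Local System or Network Service, not just the vendor's service; a dedicated, low-privilege domain account scopes the grant to the one service and is the cleaner option where it is available.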

  • I've seen those sorts of solutions put into place for network shares and such, but never on SQL Server permissions.  IMHO it would basically be like creating a null share, something that was done 'back in the day' in the networking world, but that basically would be a decent-sized security issue in today's world.

    For ease of management and usability, I always suggest running those types of services as domain or local machine users with limited rights so that you can easily configure access for them.

    It also might be something along the lines of: if you tried the vendor-supplied solution, you may have needed to create the user in the database as well as on the server, and/or you may need to sync up the user they created in the database with the user you created on the server.


  • They were wrong because a Local Login ONLY has access to the local server/workstation. You need a Domain Login to be able to access other servers/workstations.

    -SQLBill

  • What your vendor told you makes perfect sense. This is what you call a mirror account. The only thing is that the mirror account (SQL user) should have the same user ID and password as that of the ID under which your service is running.

  • SQLBill is correct in that the Local System account will not allow any kind of network access.

    You may be able to get the vendor's suggestion to work by selecting the Network Service account for your service, and not necessarily have to have a domain account.  This used to be a way to have access to other server resources by using a local account without needing a domain account.

    But I think this was "broken" with Windows Server 2003.  I know it worked with Windows 2000 and prior versions.  I think you will need to use a domain account (about 80% sure).

    Mark
