Domain VS Workgroup: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication

  • Question

  • Hi all,

    Maybe first a context:

    We use customer servers that run in an isolated domain and on one server SQL-server is installed using Windows Auth. On those servers we have admin access through a domain account created for us. This domain account requires us to change our password every x-days (which is fine), but our software (services) also has to run under that account.

    Each time we need to update our password this means we also have to update all our services with the new password. To avoid this (for our services) we created local (workgroup) accounts on all servers and let all the services run under that account. Password is pretty complex, never expires, account is explicitly added to SQL-server login. And that worked fine for quite some time (3days). Then the message "Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication" started showing. Since it worked for some time, I couldn't immediately let go and started searching the net without much success. We don't prefer to use SQL-auth to avoid connection strings containing the visible password.

    Hence my question. Does anyone have a suggestion on what to check/try out? Or should we just give up?

    Regards,
    Kevin


    • Edited by KevinVFA Monday, December 30, 2019 9:22 AM Additional info
    Monday, December 30, 2019 9:08 AM

Answers

  • Dear Kevin,

    I understand your predicament in reaching out to the client. I would however strongly advise the gMSA (Group Managed Service Accounts) for this task, which is in my opinion way underutilized and works great for this kind of scenario.

    "A standalone Managed Service Account (sMSA) is a managed domain account that provides automatic password management, simplified service principal name (SPN) management and the ability to delegate the management to other administrators.

    The group Managed Service Account (gMSA) provides the same functionality within the domain but also extends that functionality over multiple servers. When connecting to a service hosted on a server farm, such as Network Load Balanced solution, the authentication protocols supporting mutual authentication require that all instances of the services use the same principal. When a gMSA is used as service principals, the Windows operating system manages the password for the account instead of relying on the administrator to manage the password."

    Source

    Basically, just ask them to enable gMSA using this (or a similar) step-by-step guidance. Doesn't take more than five minutes and is really the best solution for you guys.

    • Marked as answer by KevinVFA Tuesday, December 31, 2019 11:38 AM
    Monday, December 30, 2019 10:27 AM
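    Added example (not from this thread, nor from the guide the answer links to): the gMSA setup the answer recommends, written as PowerShell for the three places it touches. The domain CONTOSO, the gMSA name svcApp, the hosts APPSERVER01/APPSERVER02, the service MyService, the instance SQL01 and the database AppDb are assumed placeholder names.

```powershell
# --- 1. Domain controller / admin host with the AD module (once per forest) ---
# gMSA passwords are derived from the KDS root key; after this, AD rotates the
# gMSA password itself (every 30 days below), so no service config ever changes.
Import-Module ActiveDirectory
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately   # allow ~10 h for replication in production
}

# Only computer accounts in this group may retrieve the managed password, so a host
# outside the group cannot run as the account even with local admin rights.
$members = 'APPSERVER01', 'APPSERVER02' | ForEach-Object { Get-ADComputer -Identity $_ }
New-ADGroup -Name 'gMSA-svcApp-Hosts' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'gMSA-svcApp-Hosts' -Members $members
# Group membership is carried in the computer's Kerberos ticket: reboot the
# application servers (or purge the machine ticket) before step 2.

New-ADServiceAccount -Name 'svcApp' `
    -DNSHostName 'svcApp.contoso.local' `
    -PrincipalsAllowedToRetrieveManagedPassword 'gMSA-svcApp-Hosts' `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128, AES256    # no RC4 for this principal

# --- 2. Each application server (elevated; RSAT AD PowerShell installed) ---
Install-ADServiceAccount -Identity 'svcApp'
if (-not (Test-ADServiceAccount -Identity 'svcApp')) {
    throw 'This host cannot retrieve the gMSA password; check group membership.'
}
# Bind the service to the gMSA. The password is left empty on purpose: Windows
# fetches the current password from AD when the service starts.
sc.exe config 'MyService' obj= 'CONTOSO\svcApp$' password= ''
Restart-Service -Name 'MyService'

# --- 3. SQL Server (SqlServer module): Windows login for the gMSA, so no
#        password ever appears in a connection string ---
Invoke-Sqlcmd -ServerInstance 'SQL01' -Query @'
CREATE LOGIN [CONTOSO\svcApp$] FROM WINDOWS;
'@
Invoke-Sqlcmd -ServerInstance 'SQL01' -Database 'AppDb' -Query @'
CREATE USER [CONTOSO\svcApp$] FOR LOGIN [CONTOSO\svcApp$];
ALTER ROLE db_datareader ADD MEMBER [CONTOSO\svcApp$];   -- least privilege: widen only as needed
'@
```

    Windows Integrated authentication then uses the computer-backed gMSA credential rather than a workgroup account, which is the mismatch the thread's error message describes.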

All replies

  • Hi Kevin,

    For a domain account that requires a periodic password change, maybe you can try to add a new domain user account whose password never expires:


    Hope it will help.


    MSDN Community Support

    Monday, December 30, 2019 9:53 AM
  • Dear Theodor,

    Although it doesn't solve/explain my current issue, I will mark this as an answer. After reading it through this indeed seems to be a way of handling such issues in a decent way.

    Other experiences of solving this issue without customer involvement are still welcome :)...

    Regards, 
    Kevin

    Tuesday, December 31, 2019 11:38 AM