locked
Access Microsoft SQL Database in an untrusted domain environments RRS feed

  • Question

  • We have two domains that are untrusted and we have developer who have to access SQL Database that reside outside the main domain.  Presently, they are able to access it via Pass Through Authentication.  User Accounts have been created windows Server so that they can remote in and change their SQL password whenever their password changes on the main domain.  The password on the main domain has to be same as their sql password on the untrusted domain.  Is there another method of accessing the Database without going through Pass through Authentication.  We don't want users accessing the box?

    • Moved by Robert Marshall - MVPMVP Saturday, December 1, 2012 11:28 PM Moving to correct forum (From:Configuration Manager 2012 - Site and Client Deployment)
    Tuesday, July 3, 2012 2:02 PM

All replies

  • This forum is for ConfigMgr 2012 related questions only. Any chance that your question is SQL-only related?

    Torsten Meringer | http://www.mssccmfaq.de

    Tuesday, July 3, 2012 2:08 PM
  • Use command prompt is an easy way to change SQL password. See the commands below:
    1. Go to the command prompt of the server and type in command prompt osql –L
    2. Copy full name of SQL Server and type:
    3. OSQL -S <insert_servername_here> -E
    4. Execute the following query:
    5. sp_password NULL, ‘<insert_new_password_here>’, ’sa’ and go

    Also you can use query windows in mangement studio to change sql database password.

    1. Open the SQL Server Management Studio.
    2. Open a New Query.
    3. Copy, paste, and execute the following:
    GO
    ALTER LOGIN [sa] WITH DEFAULT_DATABASE=[master]
    GO
    USE [master]
    GO
    ALTER LOGIN [sa] WITH PASSWORD=N’NewPassword’ MUST_CHANGE
    GO

    Thursday, July 5, 2012 3:02 AM
  • Thanks Texiy. 

    But I don't know if I have framed the question rightly.  I was refering to SQL Server Instance where Developer accessed using SSMS through Pass-through Authentication.  The developers have to login Remote to change their password whenever the main password change.


    All is well.

    Thursday, July 5, 2012 6:56 PM
  • I can think of a couple of options:

    1. Use SQL Accounts instead of Windows accounts on the other domain
    2. Create domain accounts on the other domain for the developers

    For option 1 - they would just have to reset their passwords based on the domain requirements in the other domain as long as you create the accounts to enforce the password policy and expiration policy.

    For option 2 - the issue would a bit trickier.  They would have to use something like ShellRunAs (SysInternals) to launch SSMS with their other domain credentials.  Once SSMS is launched - they could access the other instance with normal Windows Authentication.

    For pass through authentication - I would setup a powershell script for each user to reset their remote password then block their ability to use RDP to access the server.  They would still have the account and local administrator access - but, they wouldn't be able to login to the server over RDP.  They would use the script to change their passwords instead.


    Jeff Williams

    Sunday, December 2, 2012 3:49 PM