2

I can't get rid of this error. I have added the "NT AUTHORITY\NETWORK" user via SSMS, along with the relevant roles using this thread as reference: Login failed for user 'NT AUTHORITY\NETWORK SERVICE'

I am trying to make a db connection via a Windows Service. In debug mode the DB connection works fine. When I actually try and run the installed service is when I get this error.

Here is my connection string from the app.config:

<connectionStrings>
    <remove name="LocalSqlServer" />
    <add name="LocalSqlServer" connectionString="Data Source=(LocalDb)\v11.0; database=MyDB; Integrated Security=True;" />
    <remove name="SqlServer" />
    <add name="SqlServer" connectionString="Data Source=(LocalDb)\v11.0; database=MyDB; Integrated Security=True;" />
    <remove name="SqlServer" />
  </connectionStrings>

I also tried with adding User ID=myDomain\myUsername; to the connection string, but that didn't help.

Community
  • 1
  • 1
flerngobot
  • 616
  • 1
  • 9
  • 30

3 Answers3

5

First read this description of the security limitations of using LocalDB. Reading that make me think that it may not be possible to use "NT AUTHORITY\NETWORK SERVICE"; I'm not sure. I think you'll need to use your credentials.

Not to be too obvious, but if you are using Integrated authentication the credentials that the service is running under must match credentials that have access to the database. If you don't want to use credentials for the service (that is, you want it to run under "NT AUTHORITY\NETWORK SERVICE"), then you'll need to add :"NT AUTHORITY\NETWORK SERVICE" as a user with adequate access to the database MyDB.

If possible, start with setting that user to db_owner for MyDB. If that works, then start adjusting permissions in SSMS to lower levels. If that doesn't work then something else is wrong with the database configuration. Ensure also that the user "NT AUTHORITY\NETWORK SERVICE" has file system access to the files that MyDB is using.

Also, you have an extra <remove name="SqlServer" /> at the end there...not sure if that's deliberate.

klugerama
  • 3,312
  • 19
  • 25
  • 1
    I have SQL Server set up with Windows Authentication, so I don't actually have a password to connect with. Could that be the problem? I already have db_owner set for NT AUTHORITY\NETWORK SERVICE user. I'm not sure how to check that it has file system access. Thanks for catching the extra "remove name" line, I have taken that out. Still same error though. – flerngobot Feb 05 '14 at 02:32
  • Oh, I should add that I am not using SQL Server Express. I have regular SQL Server 2012, but reading that article you linked makes me think maybe I should be using a different way to connect for the Windows Service. – flerngobot Feb 05 '14 at 02:39
  • 3
    Okay, so after connecting my DB to my local machine and adding logins for both network service and local service I was able to get this working. I guess the main issue was just that LocalDB doesn't allow the connection from NT AUTHORITY\NETWORK SERVICE. – flerngobot Feb 07 '14 at 06:24
  • This can also be due to a group policy not allowing service accounts. – IrishChieftain Mar 05 '18 at 20:13
0

in that link that you used as reference I think Jed gave the correct answer to your problem. Try it. You should add 'NT AUTHORITY\NETWORK SERVICE' not 'NT AUTHORITY\NETWORK'.

I think the default user for windows services is Local Service. So try to add 'NT AUTHORITY\LOCAL SERVICE'.

You could also try to change user that your service runs under. Try to run the service with your credentials and see if this helps.

I hope it helps.

pepo
  • 8,644
  • 2
  • 27
  • 42
  • Thanks for the feedback. I have indeed added "NT AUTHORITY\NETWORK SERVICE", and I have added "NT AUTHORITY\LOCAL SERVICE" also. Neither of these got rid of the error unfortunately. I was hoping not to have to use credentials for this, but I will try that as a last resort. Thanks. – flerngobot Feb 04 '14 at 01:25
  • Is there a reason you don't want to use credentials for a service? – TTeeple Feb 04 '14 at 16:03
  • Did you set "NT AUTHORITY\NETWORK SERVICE" to `db_owner`? – klugerama Feb 04 '14 at 18:01
  • I do in fact have db_owner set for NT AUTHORITY\NETWORK SERVICE. I don't have credentials for connecting to SQL Server, I have it set up with Windows Authentication. – flerngobot Feb 05 '14 at 02:33
0

You can specify yourself which user account is used by a Windows service. If the service uses integrated security to connect to the database server, then the same user account must be authorized on the database server. It is best to create a dedicated user, so you can fine-tune authorization where needed. Follow these steps:

  • On the machine running the service, create a new Windows user (e.g. MyUser).
  • In SQL Server Management Studio, unfold your server instance and then Security. Right-click on Logins and select New Login... Enter login name NameOfMachineRunningTheService\MyUser and select Windows authentication. Tinker with the settings on pages Server Roles and User Mapping; for testing purposes, you may want to assign lots of rights (e.g. server role sysadmin), but on production, you should reduce this to the bare minimum, for obvious security reasons.
  • In Computer Management - Services, right-click your service and select Properties. On tab Log On, select This account and fill in .\MyUser. Enter the user's password (twice) and click OK. If necessary, restart the service.
Ruud Helderman
  • 10,563
  • 1
  • 26
  • 45