I have set up an Active Directory, Certificate Services on Windows 2003
Server. I am running SQL 2000 Server. AD and Certificate Services were
installed correctly.
My goal is to be able to use SSL when connecting to SQL Server via Query
Analyzer. I also want to keep the SQL Server installation under a "Domain
User" account with as little privileges as possible.
My problem is that SQL Server will not start when "Domain User" is only a
"member of" "Users" group. It starts when I make "Domain User" a "member of"
"Administrators". It seems that the SSL "forced encryption" will only work
with "Administrator" privileges which is the total access to control the
server, and this is not safe.
Does it mean that SSL "forced encryption" will only work under a "Domain
User" that is a "member" of "Administrators"? Is there another "Group" with
limited privileges that I could assign the "Domain User" to?
How else could I have the SSL work and SQL server installation in a "Domain
User" account?
I have tried so many different things. Wasted one week already. Nothing
works. There was some MS bug bulletin saying that this problem was fixed
with SQL 2000 service pack 2. I have service pack 3a installed. It still
does not work. The log shows the same errors as on the MS fix buletin that
was supposed to be fixed by that sevice pack. I've tried with Windows 2003
Srv, Win 2000 Srv. SQL Standard, Enterprise. I just cant get it to run. Can
you offer some more specific clues? It is so depressing and dissapointing.
Here is the MS buletin that I mentioned:
http://support.microsoft.com/default...b;en-us;314636
Thank you for your help.
This question should be posted perhaps in
microsoft.public.sqlserver.security.
As you have been unable to resolve this problem in some time, and are
repeatedly posting here, I suggest you contact PSS for immediate assistance.
As from your posting host it looks like you are in America, I suggest you
contact them at
http://support.microsoft.com/oas/def...54&gprid=36503
"Jason Robertson" <jason6869@.msn.com> wrote in message
news:QbSdnaNiabfxYhzcRVn-pw@.comcast.com...
> Hi,
> I have set up an Active Directory, Certificate Services on Windows 2003
> Server. I am running SQL 2000 Server. AD and Certificate Services were
> installed correctly.
> My goal is to be able to use SSL when connecting to SQL Server via Query
> Analyzer. I also want to keep the SQL Server installation under a "Domain
> User" account with as little privileges as possible.
> My problem is that SQL Server will not start when "Domain User" is only a
> "member of" "Users" group. It starts when I make "Domain User" a "member
> of"
> "Administrators". It seems that the SSL "forced encryption" will only work
> with "Administrator" privileges which is the total access to control the
> server, and this is not safe.
> Does it mean that SSL "forced encryption" will only work under a "Domain
> User" that is a "member" of "Administrators"? Is there another "Group"
> with
> limited privileges that I could assign the "Domain User" to?
> How else could I have the SSL work and SQL server installation in a
> "Domain
> User" account?
> I have tried so many different things. Wasted one week already. Nothing
> works. There was some MS bug bulletin saying that this problem was fixed
> with SQL 2000 service pack 2. I have service pack 3a installed. It still
> does not work. The log shows the same errors as on the MS fix buletin that
> was supposed to be fixed by that sevice pack. I've tried with Windows 2003
> Srv, Win 2000 Srv. SQL Standard, Enterprise. I just cant get it to run.
> Can
> you offer some more specific clues? It is so depressing and dissapointing.
> Here is the MS buletin that I mentioned:
> http://support.microsoft.com/default...b;en-us;314636
> Thank you for your help.
>
|||I am not going to pay hundreds of dollars for answers to their faulty
product!!!
"Hilary Cotter" <hilary.cotter@.gmail.com> wrote in message
news:ODl883avEHA.2200@.TK2MSFTNGP11.phx.gbl...
> This question should be posted perhaps in
> microsoft.public.sqlserver.security.
> As you have been unable to resolve this problem in some time, and are
> repeatedly posting here, I suggest you contact PSS for immediate
assistance.
> As from your posting host it looks like you are in America, I suggest you
> contact them at
>
http://support.microsoft.com/oas/def...54&gprid=36503[vbcol=seagreen]
> "Jason Robertson" <jason6869@.msn.com> wrote in message
> news:QbSdnaNiabfxYhzcRVn-pw@.comcast.com...
"Domain[vbcol=seagreen]
a[vbcol=seagreen]
work[vbcol=seagreen]
that[vbcol=seagreen]
2003[vbcol=seagreen]
dissapointing.
>
|||I'm sorry you feel this way.
The question is
1) is the problem with their product, ie is it a bug
2) is it perhaps a problem with trying to use the product in ways which it
was not intended.
3) is it perhaps a problem with trying to use the product as documented but
the documentation is faulty
I can raise a support incident for you if I am able to repro your problem at
no charge. I'll post back here with the status.
My only question at this time is, are you running SQL Server, Certificate
Server, and AD on the same server?
Can you also post the select @.@.version for me here?
Hilary
"Jason Robertson" <jason6869@.msn.com> wrote in message
news:O9idnZ4lw-WqXh_cRVn-1Q@.comcast.com...
>I am not going to pay hundreds of dollars for answers to their faulty
> product!!!
> "Hilary Cotter" <hilary.cotter@.gmail.com> wrote in message
> news:ODl883avEHA.2200@.TK2MSFTNGP11.phx.gbl...
> assistance.
> http://support.microsoft.com/oas/def...54&gprid=36503
> "Domain
> a
> work
> that
> 2003
> dissapointing.
>
|||Hi Hilary,
Thank you so much for intending to help me. I almost gave up already because
I have no clue what to do. This has taken me already three weeks of
troubleshooting, and trying different things.
SQL Server, Certificate Server, and Active Directory are all installed on
one server. I am also confident 100% that the AD is installed correctly. (I
mention this, because a lot of people install it wrong and have problems
because of it.)
The query for @.@.version gives:
Microsoft SQL Server 2000 - 8.00.760 (Intel X86) Dec 17 2002 14:22:05
Copyright (c) 1988-2003 Microsoft Corporation Standard Edition on Windows
NT 5.0 (Build 2195: Service Pack 4)
This one is from Windows 2000 Server and SQL 2000 Server both servers are
Standard Editions. I also tested on Windows 2003 Server and SQL 2000 Server
both Standard Editions, and the symptoms are the same. The same error logs
are generated. The logs give errors same as shown on the FIX bulletin from
MS:
http://support.microsoft.com/default...;en-us;314636. The most
important error line there is this:
"Encryption requested but no valid certificate was found. SQL Server
terminating."
It seems to me that when SQL Server runs under a "Domain User" account, it
does not have permission to read the certificate from the certificate store.
The SQL Server reads the certificate, and the SSL works ONLY when I make the
"Domain User" account a member of "Administrators" Group.
For security purposes Microsoft recommends that SQL Server be installed and
ran under a "Domain User" account with limited privileges, therefore I
wouldn't want to assign that "Domain User" to "Administrators" group.
The whole idea is to have SSL connection between Query Analyzer and SQL
Server, and have installed on a "Domain User" account. The bulletin says
that SP2 fixes that problem, but it doesn't. I have Service Pack 3a
installed on the SQL Server.
Please let me know if you have other questions. You can email me at
wgt3001@.yahoo.com I am very grateful that you wanted to help me and put some
thought into my problem. Three weeks ago I traveled to Europe and connected
to my server from there using Query Analyzer. Someone "sniffed" my
connection, and tried to hack to my SQL Server account. Fortunately my ISP
noticed the activity and restricted IP's on the firewall. Now I am about to
install my newly built server and would like to have this security feature
to avoid future problems when I travel again, and connect from unsafe
locations to my SQL Server. Who knows, maybe you will need SSL some day, and
after we resolve this problem, we will know how to make it work
Thank you very much for all your help Hilary,
Jason
"Hilary Cotter" <hilary.cotter@.gmail.com> wrote in message
news:OOaBXRhvEHA.3916@.TK2MSFTNGP10.phx.gbl...
> I'm sorry you feel this way.
> The question is
> 1) is the problem with their product, ie is it a bug
> 2) is it perhaps a problem with trying to use the product in ways which it
> was not intended.
> 3) is it perhaps a problem with trying to use the product as documented
but
> the documentation is faulty
> I can raise a support incident for you if I am able to repro your problem
at[vbcol=seagreen]
> no charge. I'll post back here with the status.
> My only question at this time is, are you running SQL Server, Certificate
> Server, and AD on the same server?
> Can you also post the select @.@.version for me here?
> Hilary
> "Jason Robertson" <jason6869@.msn.com> wrote in message
> news:O9idnZ4lw-WqXh_cRVn-1Q@.comcast.com...
you[vbcol=seagreen]
http://support.microsoft.com/oas/def...54&gprid=36503[vbcol=seagreen]
2003[vbcol=seagreen]
were[vbcol=seagreen]
only[vbcol=seagreen]
"Group"[vbcol=seagreen]
Nothing[vbcol=seagreen]
run.[vbcol=seagreen]
>
|||Hi Hillary,
I've found that you are famous SQL Server bookwriter! What an honor. My
problem may be a good subchapter for your book. I looked at many books in
Barnes n Noble to find a solution, and none of them addressed this issue in
detail. I am sure that there are many more people like me who are looking
for solution into this problem. Make it a chapter in your SQL book. It will
sell well!
Jason
"Hilary Cotter" <hilary.cotter@.gmail.com> wrote in message
news:OOaBXRhvEHA.3916@.TK2MSFTNGP10.phx.gbl...
> I'm sorry you feel this way.
> The question is
> 1) is the problem with their product, ie is it a bug
> 2) is it perhaps a problem with trying to use the product in ways which it
> was not intended.
> 3) is it perhaps a problem with trying to use the product as documented
but
> the documentation is faulty
> I can raise a support incident for you if I am able to repro your problem
at[vbcol=seagreen]
> no charge. I'll post back here with the status.
> My only question at this time is, are you running SQL Server, Certificate
> Server, and AD on the same server?
> Can you also post the select @.@.version for me here?
> Hilary
> "Jason Robertson" <jason6869@.msn.com> wrote in message
> news:O9idnZ4lw-WqXh_cRVn-1Q@.comcast.com...
you[vbcol=seagreen]
http://support.microsoft.com/oas/def...54&gprid=36503[vbcol=seagreen]
2003[vbcol=seagreen]
were[vbcol=seagreen]
only[vbcol=seagreen]
"Group"[vbcol=seagreen]
Nothing[vbcol=seagreen]
run.
>
|||Jason
Can you contact me offline? Your email address seems to be invalid.
Hilary
"Jason Robertson" <jason6869@.msn.com> wrote in message
news:idSdnfrfHoUjxBjcRVn-jw@.comcast.com...
> Hi Hillary,
> I've found that you are famous SQL Server bookwriter! What an honor. My
> problem may be a good subchapter for your book. I looked at many books in
> Barnes n Noble to find a solution, and none of them addressed this issue
in
> detail. I am sure that there are many more people like me who are looking
> for solution into this problem. Make it a chapter in your SQL book. It
will[vbcol=seagreen]
> sell well!
> Jason
> "Hilary Cotter" <hilary.cotter@.gmail.com> wrote in message
> news:OOaBXRhvEHA.3916@.TK2MSFTNGP10.phx.gbl...
it[vbcol=seagreen]
> but
problem[vbcol=seagreen]
> at
Certificate
> you
>
http://support.microsoft.com/oas/def...54&gprid=36503[vbcol=seagreen]
> 2003
> were
> only
only[vbcol=seagreen]
control[vbcol=seagreen]
> "Group"
> Nothing
buletin[vbcol=seagreen]
Windows
> run.
>
|||Hi Hilary,
My correct email address is: wgt3001@.yahoo.com
Jason
"Hilary Cotter" <hilary.cotter@.gmail.com> wrote in message
news:%23qHvO0rwEHA.2980@.TK2MSFTNGP10.phx.gbl...[vbcol=seagreen]
> Jason
> Can you contact me offline? Your email address seems to be invalid.
> Hilary
> "Jason Robertson" <jason6869@.msn.com> wrote in message
> news:idSdnfrfHoUjxBjcRVn-jw@.comcast.com...
in[vbcol=seagreen]
> in
looking[vbcol=seagreen]
> will
which[vbcol=seagreen]
> it
documented[vbcol=seagreen]
> problem
> Certificate
are[vbcol=seagreen]
suggest
>
http://support.microsoft.com/oas/def...54&gprid=36503[vbcol=seagreen]
Windows[vbcol=seagreen]
via[vbcol=seagreen]
is[vbcol=seagreen]
> only
> control
a[vbcol=seagreen]
was[vbcol=seagreen]
It[vbcol=seagreen]
> buletin
> Windows
to
>
