

Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.

Question

Saturday, February 4, 2017 9:37 AM | 1 vote

**Error Message:**

TITLE: Connect to Server

Cannot connect to SQL.

ADDITIONAL INFORMATION:
Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. (Microsoft SQL Server, Error: 18452)

What I'm trying to do...

Installing a Windows 2012 R2 Standard Server with Skype for Business 2015 and SQL 2014 on it.

SQL should only be used by SfB 2015. 

Windows Server is in domain. (domain.lab) 

Servername: SKYPE.domain.lab

Added a static DNS Name SQL for the same IP of the SKYPE server. (tried static and Alias CNAME)

Connecting the SQL via skype.domain.lab works perfectly.

Connecting the SQL via SQL.domain.lab gives the error message.

Any help would be appreciated.

Second DNS is needed because of enterprise installation of SfB 2015.

All replies (11)

Saturday, February 4, 2017 10:35 AM

Unless the domains have a trust and the users/AD groups from that domain have logins on the SQL instance you are trying to connect to this is not going to work.

Joie Andrew "Since 1982"


Saturday, February 4, 2017 12:38 PM

You can try pass through authentication. Create a local machine account or a local domain account with the same name and password. Windows will try to authenticate with the local machine, then the local domain and finally the untrusted domain.


Sunday, February 5, 2017 9:39 AM

Sorry, but I am a little bit new to this. What exactly do you mean?

I can successfully log on to the database with Management Studio from localhost using Windows authentication with servername skype.domain.lab.

But I cannot log on with servername sql.domain.lab.

There is no multidomain.


Sunday, February 5, 2017 9:41 AM

I'm using the administrator account of the domain to log on via Management Studio.
The local administrator has the same password. Or did I misunderstand you?


Sunday, February 5, 2017 9:43 AM

Can you check if the SQL account is added to the “Access this computer from network” policy under Local Security Policy -> Local Policies -> User Rights Assignment -> “Access this computer from network”?

Best Regards, Uri Dimant, SQL Server MVP, http://sqlblog.com/blogs/uri_dimant/



Sunday, February 5, 2017 11:46 AM

runas /netonly /user:domain\user "C:\Program Files (x86)\Microsoft SQL Server\110\Tools\Binn\ManagementStudio\ssms.exe"

check and confirm.

Please mark it as Answered if it answered your question, or mark it as Helpful if it helped you to solve your problem.


Sunday, February 5, 2017 12:53 PM

You have two subdomains, skype.domain.lab and sql.domain.lab. Let us assume you have an account called test in skype.domain.lab with a password of password. Create an identical account in the domain sql.domain.lab called test with the password of password. When you try to log on to your SQL Server using Skype.domain.lab\test it will first try test before sql.domain.lab\test. You can also create an identical account on the local machine running SQL.


Monday, February 6, 2017 7:27 AM

> runas /netonly /user:domain\user "C:\Program Files (x86)\Microsoft SQL Server\110\Tools\Binn\ManagementStudio\ssms.exe"
>
> check and confirm.

C:\Windows\system32>runas /netonly /user:domain.lab\administrator "C:\Program File
s (x86)\Microsoft SQL Server\120\Tools\Binn\ManagementStudio\ssms.exe"
Enter the password for domain.lab\administrator:
Attempting to start C:\Program Files (x86)\Microsoft SQL Server\120\Tools\Binn\M
anagementStudio\ssms.exe as user "domain.lab\administrator" ...

-> SQL starts till logon screen of Management Studio. Servername sql01.domain.lab still gives the same error.


Monday, February 6, 2017 7:27 AM

> You have two subdomains, skype.domain.lab and sql.domain.lab. Let us assume you have an account called test in skype.domain.lab with a password of password. Create an identical account in the domain sql.domain.lab called test with the password of password. When you try to log on to your SQL Server using Skype.domain.lab\test it will first try test before sql.domain.lab\test. You can also create an identical account on the local machine running SQL.

I believe I have described it wrong. Skype is the server hostname in domain.lab and sql is the DNS alias for the same server.


Monday, February 6, 2017 7:33 AM

> Can you check if the SQL account is added to the “Access this computer from network” policy under Local Security Policy -> Local Policies -> User Rights Assignment -> “Access this computer from network”?
>
> Best Regards, Uri Dimant, SQL Server MVP, http://sqlblog.com/blogs/uri_dimant/


There is everyone in it and the domain\administrator account too.


Tuesday, February 7, 2017 1:10 AM

To log in with Windows Authentication, you will need to create an SPN (service principal name) for your SQL server. This works if SQL Server is running as the built-in Network Service account (not if you use the account created when you install SQL).

setspn -A MSSQLSvc/sql.domain.lab:1433 domain\skype$

This will create an SPN for the hostname "sql.domain.lab" assigned to the "SKYPE" computer name in your domain (you may need to change domain to whatever your netbios domain name is, if it's not just 'domain')

Once created, restart the SQL service. 

If you're using a user account to run the SQL Service (i.e. a service account), change 'domain\skype$' to the username for that account (i.e. domain\sqlserviceaccount)
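
A check that can be run before and after the `setspn` step in the answer above, as an added example that is not part of the original thread: it looks up which account in the current domain holds the SPN for the alias and flags the three cases that keep Kerberos from working (SPN missing, SPN on a different account than the one running SQL Server, SPN registered more than once). The defaults are the names used in the thread; the function names `Get-SpnHolder` and `Test-SqlAliasSpn` are hypothetical.

```powershell
# Added example, not from the thread. Defaults mirror the thread's names.
param(
    [string]$Alias = 'sql.domain.lab',    # DNS alias that clients connect to
    [int]$Port = 1433,                     # TCP port of the SQL instance
    [string]$ExpectedAccount = 'SKYPE$'    # sAMAccountName SQL Server runs under
)

function Get-SpnHolder {
    param([string]$Spn)
    # LDAP search of the current domain for every account carrying this SPN.
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    $null = $searcher.PropertiesToLoad.Add('samaccountname')
    foreach ($result in $searcher.FindAll()) {
        [string]$result.Properties['samaccountname'][0]
    }
}

function Test-SqlAliasSpn {
    param([string]$Alias, [int]$Port, [string]$ExpectedAccount)
    $spn = "MSSQLSvc/${Alias}:$Port"
    $holders = @(Get-SpnHolder -Spn $spn)

    $status = if ($holders.Count -eq 0) { 'Missing' }
              elseif ($holders.Count -gt 1) { 'Duplicate' }
              elseif ($holders[0] -ne $ExpectedAccount) { 'WrongAccount' }
              else { 'OK' }

    [pscustomobject]@{ Spn = $spn; Holders = ($holders -join ', '); Status = $status }
}

$check = Test-SqlAliasSpn -Alias $Alias -Port $Port -ExpectedAccount $ExpectedAccount
$check | Format-List

switch ($check.Status) {
    'Missing'      { "No account holds $($check.Spn); register it on $ExpectedAccount as in the answer above." }
    'WrongAccount' { "SPN is on '$($check.Holders)', but SQL Server runs as $ExpectedAccount; move it (setspn -D, then add)." }
    'Duplicate'    { "SPN is on several accounts ($($check.Holders)); leave it only on $ExpectedAccount." }
    'OK'           { "SPN is registered once, on $ExpectedAccount. Restart the SQL service if it was just added." }
}
```

Pass the service account's sAMAccountName as `-ExpectedAccount` when SQL Server runs under a user account instead of the computer account.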