Manually Configuring A Remote SQL Server To Accept Machine Account Credentials

Version 4

    Purpose

     

    The purpose of this document is to provide details on how to manually configure a remote SQL Server to accept machine account credentials.

     

    Description

     

    If you are using Integrated Windows Authentication to access a remote SQL Server, in order for Shavlik Protect to interact properly with the server you must configure the server to accept machine account credentials. The best time to do this is immediately after you have installed Shavlik Protect but before you actually start the program. You can, however, perform these steps after starting the program. Any scans you initiate prior to this that require interaction with a remote SQL Server database will probably fail.

     

    This section describes how to configure a remote SQL Server to accept Windows authentication (machine account) credentials from the Shavlik Protect console. For security purposes, Shavlik recommends using Windows authentication where possible. Microsoft SQL Server Management Studio is used as the editor in the following examples but you can use a different tool if you prefer. The Shavlik Protect console and SQL Server must be joined to the same domain or reside in different domains that have a trusted relationship. This is so the console and the server can compare credentials and establish a secure connection. Once you have gained access to the SQL Server, create a new login account for Shavlik Protect to use by using the process outlined below. Note: You must have securityadmin privileges in order to create an account.

     

    1. Within the Security node, right-click Logins and select New Login. Type the login name using a SAM-compatible format (domain\machine name). The machine account is your console's machine name and must contain a trailing $. Make sure Windows Authentication is selected and the Default database box specifies the Shavlik Protect database.

    Note: Do not use the Search option. You must manually type the name because it is a special name.

     

    createremotesqlmachineaccount.gif

     

    2. For the Shavlik Protect database, create a new user login using the console machine account. In order to complete this right-click on the 'Users' folder, select 'New User'. Then browse to find the Login name and paste the name in the User name box. Assign the user the db_datareader,db_datawriter, STCatalogUpdate, and STExec role memberships.

     

    creatnewsqluser_roles.gif

     

    3. Open Shavlik Protect.

     

    4. Perform any troubleshooting as necessary.

    • You can use the SQL Server activity monitor to determine if connection attempts are successful when performing a patch scan.
    • If you ran Shavlik Protect before creating the SQL Server user account, some services may fail to connect to SQL Server. You should select Control Panel > Administrative Tools > Services and try restarting the services.
    • If the connection attempts are failing you can view the messages in the SQL Server logs to determine why the failures are occurring.

     

    Note: If you are utilizing the Role Based Administration feature within Shavlik Protect, please continue to the steps below.

     

    If you wish to allow other users access to the program, you may need to configure SQL Server so that those users have the necessary database permissions. Specifically, when using Windows integrated authentication, users without administrative rights on the database machine must be granted read and write permission to all tables and views. They must also be granted execute permission to all stored procedures in the Shavlik Protect application database. They may not otherwise be able to start Shavlik Protect.

     

    One way to grant these permissions is to assign your users the db_owner role. For security reasons, however, this may not be the best solution. A safer alternative is to grant execute permission at the database level. You do this by assigning the users in question to the STExec role.

     

    For an explanation of the permissions specified above, reference Protect SQL Account Configuration for least privilege requirement: SQL Account Configuration - Privilege or Role Requirements for Protect Database

     

    Additional Information

     

    More information from the Shavlik Protect product documentation:

    SQL Server Pre-Installation Notes

    SQL Server Post-Installation Notes

     

    The ability to check these privileges will require a DBA or the use of SQL Server Management Studio.

     

    Affected Product(s)

     

    Shavlik Protect 9.x