views:

375

answers:

1

I need to set up a "throw-away" instance of SQL Server 2008 for students to test a program for a few weeks. SQL Server 2008 is running on a virtual instance of Windows Server 2008. The server is not a member of the domain. The client computers that need to connect to the SQL Server are domain members, as are the student accounts. The client program expects to connect with Windows Authentication. This would all be very simple if the server were in the domain; despite lengthy discussions with the school's IT, this is not going to happen...

So: I need to configure the SQL Server to accept connections from these clients. I'm no sys-admin, so my best guess (based on this article) was:

  1. Enable the Guest account on Windows

  2. Add "NT AUTHORITY\ANONYMOUS LOGON" to the logins accepted by the SQL Server

  3. Set "Network Access: Allow anonymouse SID/Name translation" in Local Security Policy

  4. Add the registry entry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock and set it to 1

By my reckoning, that should have done it, but the clients still cannot connect. Can anyone give me a recipe for getting this to work? Basically telling the SQL Server to accept connections from anyone and everyone?

p.s. No security worries: this is all behind the school firewall, and I will reset the instance when we are done.

A: 

In order for two machines to connect using Windows Authentication, one of two things must be true:

  1. The machines are in the same domain, or
  2. The machines are in the same workgroup and the Windows account has the same password on both machines

If neither is true, then the only alternative is SQL Authentication (SQL Server-specific username and password).

RickNZ
Anonymous or Guest access is not possible?
Brad Richards
I'm not 100% sure, but I don't think so. Under the covers, Windows Auth doesn't use strings to authenticate users; it uses SIDs. AFAIK, SIDs for built-in accounts are different from one workgroup or domain to another, so unrelated machines can't determine which account name is really the "anonymous" one. Some of the issues are explained in the following MS KB article, but from what you said in your question, I'm guessing you already saw this (plus, it only applies to SQL 2005 and Windows Server 2003 anyway): http://support.microsoft.com/kb/839569
RickNZ
Since it's a "throw away" instance, have you considered running SQL 2008 on a virtual machine? That way, the VM could be in the same workgroup as your students. Plus, it makes resetting things afterwards very easy.
RickNZ
It seems to truly be the case: no way to allow anonymous access. Rick, thanks for your inputs! Since I can't make the machine a domain member (and I can't take the student machines *out* to make a workgroup) - the only solution appears to be to get the source code and alter the database connection strings to use SQL security. Not ideal, but at least possible. Thanks again!
Brad Richards