tags:

views:

74

answers:

3
+1  Q: 

Problem when changing context (impersonation) and using a server link in SQL Server 2005

I get a strange behaviour when I combine impersonation with database links in SQL Server 2005. First, I connect to a database server using simple SQL Server Authentication with Login 'John'. On this server, a server link remote_sqlserver is defined. I already have SELECT privileges for mydb in this server. When I simply query a table on a DB on this server link:

SELECT count(*)
FROM remote_sqlserver.mydb.dbo.mytable  -- Works!

After that, I try impersonation with the same Login (don't ask why would one do that, I'm just experimenting ;) )

EXECUTE AS LOGIN = 'John'

SELECT count(*)
FROM remote_sqlserver.mydb.dbo.mytable  -- Error: "Login failed for user: 'John'"

When I revert, it works again:

REVERT

SELECT count(*)
FROM remote_sqlserver.mydb.dbo.mytable  -- Works!

Do you have any idea, why I get an error with impersonation, although the same Login can query the table without impersonation?

BTW: After "impersonation as self", if I query a local database, (of course, for which I have enough privileges) I don't get any error. It only happens when I query a remote DB via server link.

+2  A: 

You should read the Books Online article "Extending Database Impersonation by Using EXECUTE AS".

When you use EXECUTE AS to access a remote server, the remote server has to be configured to trust the caller. Even though the the "parent" and "child" logins are the same (i.e. "John") since you are using EXECUTE AS the trust relationships have to be set up. The authentication "path" is different even though the login is the same.

Darryl Peterson  2009-12-09 15:36:52
Also a recommended reading: http://www.sommarskog.se/grantperm.html#execas-crossdb The keyword is "TRUSTWORTHY"
ercan  2010-02-05 13:10:05
+1  A: 

If you havent already it might be worth having a quick read up on EXECUTE AS and Ownership Chains in case they can shed any light the problems your having

kevchadders  2009-12-09 16:22:13
+2  A: 

Wouldn't it be interesting if authentication would work by simple means of trusting who you say you are? One would say "I'm John, give me all the money in my account" and the bank would pay up the cash. Now, fortunately, the authentication systems used everywhere will be just a tad more demanding and when one shows up and say "I'm John", he will be challenged "Hullo John, so... what is your password?".

Exactly the same thing goes on here. You may notice that when you say EXECUTE AS Login = 'John' you did not provide a password. So the SQL Server instance may have been 'fooled' that you're "John", but nobody outside SQL will believe you (and the "fooling" inside SQL is a long story of trust and privileges in fact, what really happens is more like "I am the SYSADMIN and I SAY that thou shall believe this user is John!".

If you want to access anything outside the SQL Server system and be John, then you need to specify John's password. The usual way is by using a credential object, with CREATE CREDENTIAL.

Remus Rusanu  2009-12-09 16:49:27
Thanks for the easy explanation. I will read more about that. However, in this particular case, I AM already connected to server as John, before I say "hello server, I just wanted to tell you again: I AM John". That's why I thought it shouldn't cause much trouble if I say "I am John" again and again...
ercan  2009-12-10 08:03:41
The moment you said EXECUTE AS your previous credentials are no longer relevant.
Remus Rusanu  2009-12-10 08:12:24
But when I query another *local* database after I say EXECUTE AS, I don't get an error (see the BTW note under the question.) If what you say is true, I shouldn't be able to do that as well, right?
ercan  2009-12-10 09:02:54
Another *local* database trusts the sysadmin who vouched for you, so its all good. If you would had said EXECUTE AS **USER** = 'John' then your 'idenity' would havd been vouched for by dbo, not sysadmin, and the whole 'extending database impersonation context' discussion would apply. But since you said EXECUTE AS **LOGIN** = 'John', your identity is good anywhere in the local SQL Server instance.
Remus Rusanu  2009-12-10 16:28:51

related questions

Sql to query a dbs scheme
Transform Columns into Rows
SQL Client for Mac OS X that works with MS SQL Server
How do you get leading wildcard full-text searches to work in SQL Server?
SQL Server 2000: Is there a way to tell when a record was last modified?
What's the BEST way to remove the time portion of a datetime value (SQL Server)
I need to know how much disk space a table is using in SQL Server
What's the best way to determine if a temporary table exists in SQL Server?
Appropriate pagefile size for SQL Server
Have you ever encountered a query that SQL Server could not execute because it referenced too many tables?
ASP.NET MVC "CRUD" Database Sample
How do I unit test persistence?
Best Book for a new Database Developer
Can I logically reorder columns in a table?
Best way to copy a database in SQL Server 2005/8?
Is Windows Server 2008 "Server Core" appropriate for a SQL Server instance?
Why doesn't SQL Full Text Indexing return results for words containing #?
Client collation and SQL Server 2005
Editing database records by multiple users
Deploying SQL Server Databases from Test to Live
SQL Server 2005 implementation of MySQL REPLACE INTO?
Upgrading SQL Server 6.5
How do I version my MS SQL database in SVN?
How to export data from SQL Server 2005 to MySQL
Check for changes to a SQL table?