Connect to SQL Server with Windows Authentication in a different domain

  • I am trying to connect to a remote SQL Server on a VPN in a different domain. When I enter the Server name on the SQL Server and choose Additional Connection Parameters to add some extra stuff needed by my school:

    Integrated Security=SSPI; User ID=DOMAIN\username; Password=Password

    I get the following error:

    Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.

    The only problem with the Windows Credential Manager solution is if you have a whole lot of database you support you have to have an entry for each one and update them each time you have to update your domain passwords. For some people that could be every 30 - 60 days.

    This post is somewhat related.

    @smehaffie you can easily use scripting and the "cmdkey /add" command to maintain your passwords - it also updates.

  • You are attempting to pass Windows credentials in plain text from the connection string of an application. This simply isn't how Windows authentication works, and largely defeats the purpose.

    You also can't just create the same username with the same password in your own domain, and expect that to magically work. Domain name is still part of the validation - your machine either has to be part of the domain, or the domain your machine is in must be trusted by the school's domain.

    The only workaround I know of is for SSMS (and it works for other apps too, like Plan Explorer and SentryOne), and that's the runas /netonly trick described in this answer. This fools Windows into launching SSMS as the login you specify, rather than your own (this isn't something you can set in the Connection properties dialog of SSMS, it's how you need to launch SSMS from the command line or a shortcut):

    runas /netonly /user:domain\username "C:\path_to\ssms.exe"

    This will prompt you for your password in the remote domain. It will look like it is using your local Windows credentials, but it is not.

    This should work with any application, including Visual Studio.

    So your options are:

    • have the university allow you to join your machine to the domain
    • have the university add your domain as a trusted domain
    • have a jump box inside the VPN that allows you to RDP and use tools connecting directly to the SQL Server machine
    • use SQL authentication
    • use the runas /netonly trick with SSMS or Visual Studio

    Is there a way to mimic this behaviour without the command prompt?

    @Gilles you can make a batch file and double-click the batch file, or you could use that string and create a shortcut maybe

    See if you are tired of typing the password every time you run `runas /netonly` or need to use it from a batch script.

  • There is another way, which I now use in preference to the runas /netonly method.

    You can add the credentials to your profile in Windows using the Credential Manager found in the Windows control panel.

    1. Open Credential Manager
    2. Click "Add A Windows Credential"
    3. Populate the "internet or network address" field with the name and port number of the SQL instance you wish to store credentials for.

      Example: UniServer:1433 (1433 is the default port, you may need a different port, especially if you are connecting to a named instance)

    4. Populate the "User Name" (don't forget to include the domain e.g. MYDOMAIN\MYUSER)
    5. Populate the "Password"
    6. Click OK

    If you have the server name, port and login details correct, you should now be able to use Windows Authentication from most client tools, SSMS, Excel, whatever. They will all use the stored credentials.

    Tip: Sometimes you need to use the FQN for the server when adding the credentials. e.g., it all depends on your network specifics.

    Here is a quick demo of the method :

    It is a screen grab of me attempting (and failing) to connect to a SQL Server running in a VM from my desktop, then adding the required credentials and trying again - successfully.

    Tip: use the "cmdkey /add" command to script creating and updating stored credentials.

    Interesting! It seems to depend on what your client machine thinks the remote machine is called rather than what it might actually be called. I've put an invented entry ("verysillytest.mwardm") in my host file for the IP address (as those of us accessing from outside of domains are wont to do) and set up the credential in the name "verysillytest.mwardm:1433". I can then connect happily (from a little app called Query Express) using either the hostname or the IP address.

    @mwardm yes, that's why I recommend using ping or nslookup as it will tell you the name exactly as you need to use it, including upper / lower case specifics.

    Ah, well "ping -a" didn't give me anything and nslookup didn't (immediately) work because I wasn't using the domain's DNS servers. Don't worry, I actually prefer the flexibility of just having to know the IP address (and the login) and being able to make up my own name!

    Awesome, it works! I just wonder - is it supposed to work like that or is it a bug or a design fail on the side of SQL Server? Microsoft or people from Microsoft advertise everywhere that you have to have a domain connected machine, otherwise there is no way to connect to SQL Server which is set up to accept only the domain credentials.

    BTW I would say that this answer should be marked as accepted, since it seems to be a real solution and the other answer is more like a workaround.

    In my case a port was necessary.

    Mine needed an FQDN, host name and port is not enough. Thanks.

    THAT beautiful solution fixed the issue I had in the Visual Studio with the EntityFramework/CodeFirst database connection. Thank you! :)

License under CC-BY-SA with attribution

Content dated before 6/26/2020 9:53 AM