Basically the title. I have a SQL Server instance that Ignition currently connects to using a local SQL account. I'm being asked to see if we can instead use an Active Directory user account as the credential, someDomain\someUsername. Has anyone got this to work and if so how? I'm struggling to find anything on this.
There are plans to upgrade this server from 7.9 to 8.1 shortly as well. If this is not possible in 7.9 but is possible in 8.1, that would also be helpful information to pass along and we can change our gnatt chart.
Yes exactly. I see that if I have ignition log on as a my AD account I think I can use integratedSecurity, the issue is this particular server hosts both production and dev versions of the project and prod/dev db connection strings, each of which would be a different AD Account so I can't have Ignition as a server logon on as both users simultaneously.
Were you able to do this strictly with the configurations on the db connection page? Or did you have to change what user the Ignition service logged in as?
We don't have a separate design gateway (We are not currently using Ignition for control but for data analysis so the occasional restart isn't an issue). So, it isn't exactly the same.
We created an AD account that is specific to the Ignition Gateway (we called it IgnitionReportingService) and then on the SQL server gave that account the appropriate permissions.
I see no reason why you couldn't create an account for each gateway, or even use the same account for both. As far as I know there is nothing that prevents a user from logging into SQL from multiple places.
Yes this isn't a real controls application either more so of a user input form. We too don't have separate gateways, it's one gateway with with both Prod and Dev versions of the Vision app and Prod/Dev db connection strings.
We created an AD account that is specific to the Ignition Gateway (we called it IgnitionReportingService) and then on the SQL server gave that account the appropriate permissions.
This part their IT has already taken care of and I have the two usernames one for prod and one for dev to use.
I might be overcomplicating things right now. I have the AD user credentials. What would I do to connect make a single db connection work with that? Was it just changing the username/password? Any other keyword arguments like integratedSecurity required? Do I have to change anything else?
Seems like I should may be using Authentication=ActiveDirectoryIntegrated is that right? But I get "Cannot use "Authentication=ActiveDirectoryIntegrated" with "User", "Username" or "Password" connection string keywords.) so I am not sure where I would provide those
And your ignition login is the default local user account still? You didn't have to put the name of the domain anywhere? Ugh I can't get this working still. Think its time to call IA.
I'm not sure what you mean by this. Login to the Gateway, Windows Login, or Ignition Service?
No, we actually use the IP address of the server, however, I would expect a DNS name to also work (actually not sure why we aren't using a DNS name) It's worked for a long time so I haven't touched it.
Is the connection being refused from the SQL Server? Is the user set up with proper permissions there?
What the Ignition service logs on as when it starts up -
No, we actually use the IP address of the server, however, I would expect a DNS name to also work (actually not sure why we aren't using a DNS name) It's worked for a long time so I haven't touched it.
Yea we are using DNS here and I am able to login as a local SQL account just not AD.
When I try with the username domain/userName it seems like it is SQL Server that is rejecting me - Caused by: com.microsoft.sqlserver.jbdc.SQLServerEception: Login failed for user 'domain/userName'. ClientConnectionId:12345....
When I try logging on with just the username without the domain I get the same exact error except in the error string but only shows the username which makes sense Caused by: com.microsoft.sqlserver.jbdc.SQLServerEception: Login failed for user 'userName'. ClientConnectionId:12345...
I just pinged their IT team though to make sure they did setup that AD account they told me as a user on the SQL cluster. Perhaps it's nothing on my end.
The AD user is now the db owner of the db I am trying to connect to and still having issues so I am just going to call the professionals at this point. Thank you
I don't think user/password in the JDBC driver ever works with domain accounts, just database user accounts. Integrated security bypasses that with an extra DLL to apply the service user's credentials.
(I don't ever do this. My clients set this up if they want it. I recommend against AD credentials in production.)
Yes, you can. But it does so directly based on the Service user, as long as you turn on integrated security, and have the correct MS DLLs alongside your JDBC jar.
I don't think you can use arbitrary domain accounts. (I could be wrong. I try not to get to close to this stuff.)
I would tell Ignition to login as the AD account domain/userName, and then in my SQL Server connection I would use integratedSecurity to use the service logon account.
