Pages

Wednesday, September 11, 2019

SQL Server FILESTREAM with SQL Server Authentication


If you have an application that connects to SQL Server using SQL Server Authentication
And you want to use the FILESTREAM feature in your .NET application utilizing the SqlFileStream Class like below:

SqlFileStream sqlFileStream1 = new SqlFileStream(filePath1, transactionContext1, FileAccess.Write);

You will probably get an error saying
“Access is denied“

In all documentation it is mentioned that
“FILESTREAM requires integrated security. SQL Server authentication is not supported.”

But there is a workaround that will allow you still to use the SQL Authentication in your connection string.

To use the FILESTREAM in your application you need to do 2 steps:
First, you need to get from the DB the Logical Path Name and Transaction Context.
(Like a token or file handler)

FileStreamColumn.PathName() As [Path]
GET_FILESTREAM_TRANSACTION_CONTEXT() As TransactionContext

The second step, using the path and transaction context initialize the SqlFileStream object.
These both steps should be done in a transaction scope and under the same user.
Meaning, if the application runs under Windows Account “User1”
then the first step of getting the logical path and transaction context should
be also done with the same “User1”.

What we can do is to use impersonation in SQL Server.
If the application runs with Windows Account “User1”, 
we should create this Windows Account “User1” in SQL Server as Login and DB user.

Impersonate it as below and grant to it relevant permission to the table 
with FileStream columns and execute the relevant
Stored Procedures/SQL Queries with EXECUTE AS [User1]
Use Master
Go
GRANT IMPERSONATE ON LOGIN::[User1] TO SQL_Login_of_App;
Go

According to the POC we did, this workaround allows you to stay with SQL authentication in your connection string to a database. 
Note, the impersonation cannot be granted to a windows group, only to a single account.

Source reference:

0 comments
Labels: ,

Master Data Services Add-in for Microsoft Excel, error on connecting to MDS Repository/Server


The Master Data Service is configured to have access via https protocol.
The MDS website is working with https without any issues.

But, when you try to connect to MDS Server(MDM Repository) in Excel
you get the error below:

TITLE: Master Data Services Add-in for Excel
------------------------------
An error occurred while making the HTTP request to https://[ServerName]/MDS/service/service.svc/bhb. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server.
------------------------------
ADDITIONAL INFORMATION:
The underlying connection was closed: An unexpected error occurred on a send. (System)
------------------------------
Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. (System)
------------------------------
An existing connection was forcibly closed by the remote host (System)

This issue was related to TSL 1.2 settings.
To solve it, you need to set the .Net to work with strong cryptography
By setting/adding the SchUseStrongCrypto registry setting to DWORD:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001 


The software versions in our case:
  • Windows Server 2019 
  • Excel 2019 
  • Microsoft SQL Server 2017 (RTM-CU15) 
  • Master Data Services 14.0.10000.169 
The source reference:

https://social.msdn.microsoft.com/Forums/vstudio/en-US/ba004936-df44-4184-bd1a-9e059a866e48/master-data-service-with-excel-2013-error?forum=sqlmds


3 comments
Labels: ,
Subscribe to: Comments (Atom)