Adding AD Security group to a SQL linked server

Hello,

I have a question about adding permissions for a user group on a linked server in SQL Server. I am not a security specialist, so I appeal to everyone.

Here is the topo:

I have private software that I'll call X installed on a Hyper-V virtual server. Users of this software connect through virtual machines using Remote Desktop.

The application has its own SQL Server database instance. The security for this database is Windows Authenticated. Application X users all belong to a user group in the Windows Server 2019 Active Directory (AD).

On the other hand, I have a Y application (Microsoft Dynamics 365) that is installed locally on each workstation and which has its own SQL instance. The application uses an SQL database which I would also call Y.

As I would like to share information between the 2 SQL instances, I created a linked server on the X instance to the Y instance. I succeeded with some SQL queries to insert, update, and delete some information in a database of instance Y from my instance X. To do this, I granted myself DB_owner rights on the database of X.

I have reached the stage of allowing user group X to run, from application X, the same queries that interact with SQL Server Y.

However, I realize that I need to create each user of X in the SQL instance of application Y from the Security, Connection menu. My requests work when I grant DB_Owner roles. I would have thought that I could have used the same group used in AD for my X application. I did try, but it doesn't work.

I don't know if this is due to the configuration of my linked server.

Here is the configuration I am using:

[Image: 2021-04-28_08h58_16.png]

[Image: 2021-04-28_08h58_39.png]

Could someone point me to a solution to avoid having to recreate every user of my AD from X in my instance Y and just link my group X?

0 Replies
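
One way to set up what the post asks for, as an added example that is not part of the original post: a single Windows login for the AD group on instance Y, with a narrowly scoped role instead of db_owner. `CONTOSO\AppX_Users`, `YDatabase`, `LINKED_Y` and the role `appx_linked_dml` are placeholder names, and the example assumes the linked server is meant to pass each caller's own Windows identity through.

```sql
-- Added example; all object names are placeholders, not taken from the post.

-- 1) On instance Y: one login for the whole AD group.
--    Members are authorised through their group membership, so no per-user logins.
USE [master];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\AppX_Users')
    CREATE LOGIN [CONTOSO\AppX_Users] FROM WINDOWS;
GO

-- 2) On instance Y: map the group into the target database.
USE [YDatabase];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CONTOSO\AppX_Users')
    CREATE USER [CONTOSO\AppX_Users] FOR LOGIN [CONTOSO\AppX_Users];
GO

-- 3) On instance Y: least privilege. A custom role that carries only the
--    DML the linked queries need, in place of db_owner.
IF DATABASE_PRINCIPAL_ID(N'appx_linked_dml') IS NULL
    CREATE ROLE [appx_linked_dml];
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::[dbo] TO [appx_linked_dml];
ALTER ROLE [appx_linked_dml] ADD MEMBER [CONTOSO\AppX_Users];
GO

-- 4) On instance X: make the linked server forward the caller's own
--    security context (self-mapping) for every local login.
EXEC master.dbo.sp_addlinkedsrvlogin
     @rmtsrvname = N'LINKED_Y',
     @useself    = N'TRUE',
     @locallogin = NULL;
GO

-- 5) Check, run on instance X while connected as a member of the group:
--    shows which identity actually arrives on Y through the linked server.
SELECT who FROM OPENQUERY([LINKED_Y], 'SELECT SUSER_SNAME() AS who');

-- 6) Check, run on instance Y: lists the AD accounts the group login covers.
EXEC master.dbo.xp_logininfo N'CONTOSO\AppX_Users', 'members';
```

Self-mapping across two servers only works when Kerberos delegation is configured for the hop from X to Y; without it, the check in step 5 fails with a login error for `NT AUTHORITY\ANONYMOUS LOGON` even though the group login on Y is correct.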