Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SqlLogin: Issues with sql-native accounts. #1032

Closed
jhoneill opened this issue Jan 24, 2018 · 4 comments · Fixed by #1652
Closed

SqlLogin: Issues with sql-native accounts. #1032

jhoneill opened this issue Jan 24, 2018 · 4 comments · Fixed by #1652
Labels
bug The issue is a bug.

Comments

@jhoneill
Copy link

jhoneill commented Jan 24, 2018
edited by johlju
Loading

I'm build SQL server 2012 boxes for the a test team and the test set up is configured to use a SQL native logon with an insecure password.
We had some problems where the password was "spontaneously" changing which we traced to the xSQL DSC resource. I distilled the (complex, hundreds of settings) DSC script down to this

Configuration wibble    {
    param (
        [Parameter(Mandatory=$true)]
        [System.Management.Automation.PSCredential]$DomainCredential   
    )
    Import-DscResource -ModuleName xSQLServer  
            
    Node $AllNodes.NodeName  {
        $NodeName               =   'SQL-VM'                                    ;
        $SQLInstanceName        =   'MSSQLServer'     

        $SQLLogin   = "AppAdmin" 
        $SQLPwd     = $SQLLogin | ConvertTo-SecureString -AsPlainText -Force        
        $SQLCred    = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $SQLLogin, $SQLPWd 
        $name       = $SQLLogin -replace "\W",""
        xSQLServerLogin               $name {
                Ensure                         = 'Present'
                LoginType                      = 'SqlLogin'
                Name                           = $SQLLogin
                LoginCredential                = $SQLCred 
                LoginMustChangePassword        = $false
                LoginPasswordExpirationEnabled = $false
                LoginPasswordPolicyEnforced    = $false  
                SQLServer                      = $NodeName
                SQLInstanceName                = $SQLInstanceName
                PsDscRunAsCredential           = $DomainCredential
        }
    }
}
    $configurationData =   @{  AllNodes =   @( 
        @{NodeName                    =    "*"     
          PSDscAllowPlainTextPassword =    $true   
          PSDscAllowDomainUser        =    $true   
         }
         @{NodeName = "LocalHost"}
         )
         }

If I run wibble with config data and a valid credential the first time it creates the account exactly as required. I can logon in SQL Management studio , and connect from SQL native client using the creds.

If I run it as second time, a message is displayed saying the "Password Validation failed for the login ...", set runs and thereafter the logon is broken.

Now... Set-SQLServerLoginPassword calls $login.changePassword() with a secure string. On MSDN the documentation here https://msdn.microsoft.com/en-us/library/mt697759.aspx it says that the method takes a secure string. But on my sql 2012 box the method reports that it takes a string, which makes me think that password is being changed to a secure-string representation of the password.

Further in the test-target resource if the loginType is 'SQLLogin' it will check if the password has changed. THIS IS BAD because the login should be created but shouldn't be forced back to its initial password if the password is changed later. It is worse because the check is by calling Connect-SQL which does not set the $sql.connectionContext.secureLogin and so ONLY works with Windows logins, not SQL ones . So the test will always report the SQL native login has the wrong password, meaning the SET part will always be called, and if a password is included SET will always invoke Set-SQLServerLoginPassword.

For now I have removed the reset password behaviour and the test for a changed password from my own version. That may not be best for the public version.
@johlju johlju changed the title xSQLLogin issues with sql-native accounts. SqlServerLogin: Issues with sql-native accounts. Jan 24, 2018
@johlju johlju added bug The issue is a bug. help wanted The issue is up for grabs for anyone in the community. labels Jan 24, 2018
@johlju
Copy link
Member

johlju commented Jan 24, 2018

Thanks for a detailed issue description! I labeled this as a bug even if some are an enhancement.

In regards to the behavior to it changing password back to the initial password. Maybe we should add a Force parameter and if set to $true then the password is changed. If set to $false then password is not changed.

@claudiospizzi
Copy link
Contributor

I think this is related to issue #1048. I guess it was never possible, at least with SQL Server 2016, to validate the SQL Login password correctly.

@jhoneill jhoneill mentioned this issue Feb 19, 2018
Closed
@jhoneill
Copy link
Author

It looks like Claudio has fixed the logon test, I think the setting the password wrongly part needs a check for SQL versions (pass a secure string in 2016 and a string in older versions). I'd add a "Let the password change" switch so it doesn't change existing behaviour (having "force" assumed to be true isn't nice).

@johlju johlju mentioned this issue Feb 20, 2018
Closed
@johlju
Copy link
Member

johlju commented Feb 21, 2018

@jhoneill Yes, I think part of this issue was resolved by issue #1048 and the merged PR #1049.

@johlju johlju changed the title SqlServerLogin: Issues with sql-native accounts. SqlLogin: Issues with sql-native accounts. Jul 10, 2020
@SphenicPaul SphenicPaul mentioned this issue Dec 14, 2020
Merged
9 tasks
johlju pushed a commit that referenced this issue Jan 12, 2021
@SphenicPaul
SqlLogin: Added and amended integration tests for logins of 'SqlLogin…
9130c05 
…' type (#1652)

- SqlLogin
  - Added functionality to throw exception if an update to the `LoginMustChangePassword`
    value on an existing SQL Login is attempted. This functionality is not supported
    by referenced, SQL Server Management Object (SMO), libraries and cannot be
    supported directly by this module.
  - Added integration tests to ensure that an added (or updated) `SqlLogin` can
    connect into a SQL instance once added (or updated).
  - Added integration tests to ensure that the default database connected to by
    a `SqlLogin` is the same as specified in the resource's `DefaultDatabase`
    property/parameter.
  - Reversed order in which `PasswordExpirationEnabled` and `PasswordPolicyEnforced`
    are updated within `SqlLogin` resource. `PasswordPolicyEnforced` is now updated
    first.
  - Added integration tests to assert `LoginPasswordExpirationEnabled`,
    `LoginPasswordPolicyEnforced` and `LoginMustChangePassword` properties/parameters
    are applied and updated correctly. Similar integration tests also added to ensure
    the password of the `SqlLogin` is updated if the password within the `SqlCredential`
    value/object is changed (issue #361, issue #1032, and issue #1050).
  - Updated `SqlLogin`, integration tests to make use of amended `Wait-ForIdleLcm`,
    helper function, `-Clear` switch usage to remove intermittent, integration
    test failures (issue #1634).
@johlju johlju removed the help wanted The issue is up for grabs for anyone in the community. label Jan 12, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug The issue is a bug.
Projects
None yet
Milestone
No milestone
3 participants
@claudiospizzi @johlju @jhoneill