
Enterprise Vault 11.0.1 - SQL Server with SQL Authentication

SebastianM_
Level 3
Partner Accredited

Hi,

I am just testing an EV 11.0.1 installation for Exchange archiving in a domain which has no SQL server. I am supposed to use a SQL server which is outside the domain. In the documentation it says that mixed authentication mode is supported.

How can I tell Enterprise Vault to use a SQL server local account for authenticating against SQL Server?

Thanks a lot for your suggestions!

1 ACCEPTED SOLUTION


TonySterling
Moderator
Partner    VIP    Accredited Certified

I don't believe you will be able to do that. The VSA must have DBCreator rights and be the DBO for its databases, so unless you can add the VSA to that SQL server I don't think you will be able to install.

Here is the technote: http://www.symantec.com/docs/HOWTO109139

 

Creating a SQL login account

The Vault Service account must have a SQL login account for the SQL Server, with the required permissions.

To create a SQL login account

  1. Start SQL Server Management Studio.

  2. In the tree, select Security > Logins

  3. Right-click Logins, and select New Login

  4. Either type in the Vault Service account as domain\username or click Search and search for the account. In the search dialog box, ensure that the correct domain is entered in the Locations box.

  5. Select Windows authentication.

  6. In the tree, click Server roles.

  7. Select the check box beside dbcreator.

  8. Click OK.

  9. In the toolbar, click New Query.

  10. Enter the following script:

    use Master
    GRANT VIEW SERVER STATE TO "domain\vsa_account"
    GRANT ALTER ANY LOGIN TO "domain\vsa_account"
    GO

    where domain\vsa_account is the domain and name of the Vault Service account.

  11. Click Execute.

  12. You can check that the Vault Service account has the dbcreator role as follows:

    • In the tree, select Security > Server Roles.

    • In the right-hand pane, double-click the dbcreator role.

    • The Vault Service account should be displayed in the membership list.

  13. You can check that the Vault Service account has VIEW SERVER STATE and ALTER ANY LOGIN permissions as follows:

    • In the tree, right-click the top level SQL Server object and select Properties.

    • Select the Permissions page.

    • Under Logins or roles, select the Vault Service account and then click Effective Permissions. Check that VIEW SERVER STATE and ALTER ANY LOGIN are included in the list of permissions.
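
The same procedure as a script, as an added example that is not part of the original post or the Symantec technote: it creates the login, applies the role and grants from steps 6 to 10, and replaces the GUI checks in steps 12 and 13 with catalog queries. It assumes SQL Server 2012 or later and keeps the page's `domain\vsa_account` placeholder.

```sql
-- Added example: T-SQL equivalent of steps 1-13, run by a SQL Server administrator.
-- [domain\vsa_account] is the page's placeholder for the Vault Service account.
-- Assumption: SQL Server 2012 or later (ALTER SERVER ROLE ... ADD MEMBER).
USE master;
GO

-- Steps 2-5: create a Windows-authenticated login if it does not exist yet.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'domain\vsa_account')
    CREATE LOGIN [domain\vsa_account] FROM WINDOWS;
GO

-- Steps 6-8: add the login to the dbcreator fixed server role.
ALTER SERVER ROLE dbcreator ADD MEMBER [domain\vsa_account];
GO

-- Steps 9-11: the two server-level grants from the technote script.
GRANT VIEW SERVER STATE TO [domain\vsa_account];
GRANT ALTER ANY LOGIN TO [domain\vsa_account];
GO

-- Step 12: list every fixed server role the account belongs to.
-- dbcreator is expected; sysadmin is not required by this procedure.
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = N'domain\vsa_account';

-- Step 13: explicit server-level permissions granted or denied to the login.
SELECT pe.permission_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS p ON p.principal_id = pe.grantee_principal_id
WHERE p.name = N'domain\vsa_account'
  AND pe.class_desc = N'SERVER';

-- Step 13, effective view: what the login can actually do, including
-- permissions inherited through role membership.
-- The caller needs IMPERSONATE rights on the login.
EXECUTE AS LOGIN = N'domain\vsa_account';
SELECT permission_name
FROM sys.fn_my_permissions(NULL, N'SERVER')
ORDER BY permission_name;
REVERT;
GO
```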

TonySterling
Moderator
Partner    VIP    Accredited Certified

There is also this one.

http://www.symantec.com/docs/HOWTO108614

About assigning permissions and roles in SQL databases

Unless you assign the SQL system administrator (sysadmin) role to the Vault Service account, you must perform the following additional steps before you run the Enterprise Vault Configuration wizard for the first time:

  • Add the Vault Service account to the msdb system database.

  • Grant the Vault Service account Select permissions on the msdb tables sysjobs, sysjobschedules, sysjobservers, and sysjobsteps.

  • Assign the database role SQLAgentUserRole to the Vault Service account.

If you do not perform these steps, the following problems occur:

  • Enterprise Vault fails to purge the history records from the Monitoring database, so these database records continue to grow.

  • Upon completion, the Enterprise Vault Configuration wizard logs an error in the event log with the category 'Monitoring Configuration Utility' and Event ID 41123. The error description begins as follows and then lists the contents of a Purge Job SQL script file:

    Monitoring Configuration Utility reported error: SQL Error at: --

If you run the Enterprise Vault Configuration wizard without performing these additional steps, see the following Enterprise Vault technical note: http://www.symantec.com/docs/TECH72170.

See Assigning permissions and roles in SQL Server databases.

See Preinstallation tasks for Enterprise Vault server

See Creating the Vault Service account

See Creating a SQL login account

See Creating Enterprise Vault DNS aliases

See Turning off or reconfiguring Windows Firewall
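
The three msdb steps listed above, as an added example that is not part of the original post or the Symantec documentation: the script applies them for a Vault Service account that is not sysadmin and then lists what the account holds in msdb. It assumes SQL Server 2012 or later, an existing server login, and the placeholder name `domain\vsa_account`.

```sql
-- Added example: msdb prerequisites for a non-sysadmin Vault Service account.
-- [domain\vsa_account] is a placeholder; the server login must already exist.
-- Assumption: SQL Server 2012 or later (ALTER ROLE ... ADD MEMBER).
USE msdb;
GO

-- Add the Vault Service account to the msdb system database.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'domain\vsa_account')
    CREATE USER [domain\vsa_account] FOR LOGIN [domain\vsa_account];
GO

-- Grant SELECT on exactly the four job tables named in the documentation.
GRANT SELECT ON dbo.sysjobs         TO [domain\vsa_account];
GRANT SELECT ON dbo.sysjobschedules TO [domain\vsa_account];
GRANT SELECT ON dbo.sysjobservers   TO [domain\vsa_account];
GRANT SELECT ON dbo.sysjobsteps     TO [domain\vsa_account];

-- Assign the SQLAgentUserRole database role.
ALTER ROLE SQLAgentUserRole ADD MEMBER [domain\vsa_account];
GO

-- Check: object-level permissions held by the account in msdb.
-- Expect four SELECT / GRANT rows, one per table above.
SELECT o.name AS object_name, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS p ON p.principal_id = pe.grantee_principal_id
JOIN sys.objects AS o ON o.object_id = pe.major_id
WHERE p.name = N'domain\vsa_account'
  AND pe.class_desc = N'OBJECT_OR_COLUMN'
ORDER BY o.name;

-- Check: database roles the account belongs to in msdb.
-- Expect SQLAgentUserRole; anything broader deserves a second look.
SELECT r.name AS database_role
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = N'domain\vsa_account';
GO
```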

SebastianM_
Level 3
Partner Accredited

Hi,

yes I know these documents. But it says in the docs that mixed authentication mode is supported, what does this exactly mean then?

I also sent the question to a technical contact that I have at Symantec, but so far I did not receive any answer.

Thanks a lot,
Sebastian

AndrewB
Moderator
Partner    VIP    Accredited

in all the EV implementations i've done myself or have worked on, i've never seen this in practice. the only reference i found to actually using sql auth instead of windows auth is to a registry key on the EV server which you'd have to create and enter the sql credentials in plain text.

http://www.symantec.com/business/support/library/BUSINESS/DOC7414/EV%2011.0.1%20-%20Registry_Values.pdf

Database Username

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KVS\Enterprise Vault\Directory\DirectoryService
Content: DWORD
Description: Reserved for Symantec use

doesn't look like you can use it anyway but at least now we've ruled it out so you can move on.

besides, if you're "just testing EV" then why go through all this trouble instead of installing your own sql server temporarily for the duration of your trial?

SebastianM_
Level 3
Partner Accredited

Sorry, maybe I was not clear: I know EV well, but I am testing the possibilities for implementing a solution to serve 3 different Exchange servers in 3 different AD forests, if at all possible without a trust.

Thanks for your suggestion with the reg key!

FreKac2
Level 6
Partner Accredited Certified

Don't think you can do that, not just from a SQL perspective but from an EV perspective.

Seems like you are looking for a multi-tenant solution and unless something exists that I'm not aware of you can't solve that via EV natively.

 

TonySterling
Moderator
Partner    VIP    Accredited Certified

Sorry, but no.  You are not going to be able to have a properly installed EV environment without a trust between domains.

SebastianM_
Level 3
Partner Accredited

Yes, apparently I was looking for multi tenancy. But as EV.cloud is not an option (because we cannot have it on premise, right?) I wanted to examine EV a bit deeper regarding this.