For a user to gain access to a linked server, the linked server must validate the user for security reasons. The requesting server (that is, the local server) provides a login name and password to the linked server on behalf of the local server user. For this to work, you need to map the local logins to the linked server logins you are going to use. Remember that sp_addlinkedserver creates a default self-mapping for all local logins to the linked server. You use sp_addlinkedsrvlogin to control specifically which logins can use the linked server.
sp_addlinkedsrvlogin
SQL Server provides the sp_addlinkedsrvlogin system stored procedure to map local logins to logins on the linked servers. This stored procedure can be executed by members of the sysadmin and securityadmin fixed server roles. Its syntax is as follows:
sp_addlinkedsrvlogin [@rmtsrvname =] 'rmtsrvname'
[,[@useself =] 'useself']
[,[@locallogin =] 'locallogin']
[,[@rmtuser =] 'rmtuser']
[,[@rmtpassword =] 'rmtpassword']
The elements in this syntax are as follows:
rmtsrvname— The linked server that will use this login setting (@rmtsrvname parameter).
useself— The setting that determines whether a user or group of users will use their own usernames and passwords to log in to the linked server (@useself parameter). There are two possible settings:
'true'— Local server logins use their own usernames and passwords to log in to the linked server. Consequently, the rmtuser and rmtpassword arguments are ignored. For example, the local jdoe user with a password of shrek would attempt to log in to the linked server with the jdoe username and shrek password.
'false'— Local server logins use the arguments specified in rmtuser and rmtpassword to log in to the linked server. For a linked server that does not require usernames and passwords (such as Microsoft Access), these arguments can be set to NULL.
locallogin— The local logins affected by this mapping (@locallogin parameter). You can designate either an individual login or all local logins. To specify that all logins be affected, you pass a NULL to this argument.
rmtuser— The username used to connect to the linked server if @useself is set to FALSE (@rmtuser parameter).
rmtpassword— The password used to connect to the linked server if @useself is set to FALSE (@rmtpassword parameter).
As noted earlier, by default, after you run sp_addlinkedserver, all local logins automatically attempt to use their own usernames and passwords to log in to the new linked server. Essentially, SQL Server runs the following statement after sp_addlinkedserver:
EXECUTE sp_addlinkedsrvlogin @rmtsrvname='My_Linked_Server',
@useself='true', @locallogin=NULL
You can delete this default mapping by using sp_droplinkedsrvlogin, which is described in the next section.
In Windows Authentication mode, SQL Server submits the Windows username and password to the linked server if the provider supports Windows authentication and if security account delegation is available on both the client and server.
The following example connects all users to the 'ORACLE_DATABASE' linked server, using the 'guest' username and 'confio' password:
EXECUTE sp_addlinkedsrvlogin @rmtsrvname='ORACLE_DATABASE',
@useself='false', @rmtuser='guest', @rmtpassword='confio'
The following example connects all users to the 'DBARCH-LT2\SQL08DE01' linked server, using their own local usernames and passwords:
EXECUTE sp_addlinkedsrvlogin @rmtsrvname='DBARCH-LT2\SQL08DE01',
@useself='true'
The following example logs in the local 'RobinOrdes' user as the remote user 'ROrdes' with the 'new_orleans' password to the 'ORACLE_DATABASE' linked server:
EXECUTE sp_addlinkedsrvlogin @rmtsrvname='ORACLE_DATABASE',
@useself='false', @locallogin='RobinOrdes', @rmtuser='ROrdes',
@rmtpassword='new_orleans'
The following example logs in the Windows user 'Domain1\DonLarson' as the remote user 'DLarson' with the 'five_sons' password:
EXECUTE sp_addlinkedsrvlogin @rmtsrvname='ORACLE_DATABASE',
@useself='false', @locallogin='Domain1\DonLarson',
@rmtuser='DLarson', @rmtpassword='five_sons'
The following example connects all users to the 'ACCESS_DATABASE_CUSTOMERS' linked server without providing a username or password:
EXECUTE sp_addlinkedsrvlogin @rmtsrvname='ACCESS_DATABASE_CUSTOMERS',
@useself='false', @rmtuser=NULL, @rmtpassword=NULL
sp_droplinkedsrvlogin
You can delete mappings for linked servers by using sp_droplinkedsrvlogin. Members of the sysadmin and securityadmin fixed server roles can execute this stored procedure:
sp_droplinkedsrvlogin [@rmtsrvname =] 'rmtsrvname',
[@locallogin =] 'locallogin'
The elements of this syntax are as follows:
rmtsrvname— The linked server that will lose this login mapping (@rmtsrvname parameter).
locallogin— The local login that will lose the mapping to the linked server (@locallogin parameter). You can designate either an individual login or all local logins. To specify that all logins should be affected, you pass a NULL to this argument.
The following example removes the login mapping for the 'RobinOrdes' user to the 'ORACLE_DATABASE' linked server:
EXECUTE sp_droplinkedsrvlogin @rmtsrvname='ORACLE_DATABASE',
@locallogin='RobinOrdes'
The following example removes the default login mapping for all users using the 'SQL_SERVER_DB' linked server:
EXEC sp_droplinkedsrvlogin @rmtsrvname='SQL_SERVER_DB',
@locallogin=NULL
sp_helplinkedsrvlogin
To determine the current linked server login settings, you run the sp_helplinkedsrvlogin procedure, which has the following syntax:
sp_helplinkedsrvlogin [[@rmtsrvname =] 'rmtsrvname',]
[[@locallogin =] 'locallogin']
The elements of this syntax are as follows:
The following example shows the sp_helplinkedsrvlogin output if no arguments are provided:
EXECUTE sp_helplinkedsrvlogin
GO
Linked Server              Local Login  Is Self Mapping  Remote Login
-------------------------  -----------  ---------------  ------------
ACCESS_DATABASE_CUSTOMERS  NULL         1                NULL
DBARCHLT\SQL08DE04         NULL         1                NULL
Linked ExcelSW             NULL         1                NULL
ORACLE_DATABASE            NULL         0                guest
ORACLE_DATABASE            RobinOrdes   0                ROrdes
This example displays one line for each linked server login mapping. The first column (Linked Server) shows which linked server owns this mapping. The second column (Local Login) shows which user is affected by this mapping. If set to NULL, this mapping applies to all users who do not have specific mappings. The third column (Is Self Mapping) displays a 1 if the local username and password will be attempted on the remote server. If it displays a 0, the value in the last column (Remote Login) will be used to log in to the remote server. Note that the remote password is not listed for security reasons.
The next example shows the sp_helplinkedsrvlogin output if only the rmtsrvname argument is provided:
EXECUTE sp_helplinkedsrvlogin @rmtsrvname='ORACLE_DATABASE'
GO
Linked Server    Local Login  Is Self Mapping  Remote Login
---------------  -----------  ---------------  ------------
ORACLE_DATABASE  NULL         0                guest
ORACLE_DATABASE  RobinOrdes   0                ROrdes
The output for this example is identical to that of the preceding example except that only the entries for the specified server are displayed.
The following example shows the sp_helplinkedsrvlogin output if all arguments are provided:
EXECUTE sp_helplinkedsrvlogin @rmtsrvname='ORACLE_DATABASE',
@locallogin='RobinOrdes'
GO
Linked Server    Local Login  Is Self Mapping  Remote Login
---------------  -----------  ---------------  ------------
ORACLE_DATABASE  RobinOrdes   0                ROrdes
Again, the output for this example is identical to that of the previous examples except that it is limited to the specified server and user.
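The mappings that sp_helplinkedsrvlogin lists can also be read from the sys.servers, sys.linked_logins and sys.server_principals catalog views, which lets a security review label each mapping by how widely it exposes the linked server. The query below is an added example, not part of the original text; the wording of the finding column is this example's own classification.

```sql
-- Added example: audit linked server login mappings from the catalog views.
-- local_principal_id = 0 is the wildcard row that applies to every local
-- login without a specific mapping (Local Login = NULL in sp_helplinkedsrvlogin).
SELECT
    s.name                  AS linked_server,
    CASE WHEN ll.local_principal_id = 0
         THEN '(all local logins)'
         ELSE sp.name
    END                     AS local_login,
    ll.uses_self_credential AS is_self_mapping,
    ll.remote_name          AS remote_login,
    ll.modify_date,
    CASE
        -- Widest exposure: any local login is handed the same stored
        -- remote username and password.
        WHEN ll.local_principal_id = 0
             AND ll.uses_self_credential = 0
             AND ll.remote_name IS NOT NULL
            THEN 'All local logins share one stored remote credential'
        -- @rmtuser = NULL, @rmtpassword = NULL for all logins.
        WHEN ll.local_principal_id = 0
             AND ll.uses_self_credential = 0
            THEN 'All local logins connect without credentials'
        -- The mapping sp_addlinkedserver creates and nobody removed.
        WHEN ll.local_principal_id = 0
            THEN 'Default self-mapping still in place'
        WHEN ll.uses_self_credential = 0
            THEN 'Specific login mapped to a stored remote credential'
        ELSE 'Specific login uses its own credentials'
    END                     AS finding
FROM sys.servers AS s
JOIN sys.linked_logins AS ll
    ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS sp
    ON sp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1          -- skip the local server's own row
ORDER BY s.name, ll.local_principal_id;
```

Against the mappings shown in the sample output above, the ORACLE_DATABASE row with a NULL local login and the guest remote login falls under the first finding, and the three self-mapped rows fall under the default self-mapping finding.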