Connecting to the SCCM database via Windows Authentication in SAM

Article ID: 208592

Products

CA Software Asset Manager (CA SAM)

Issue/Introduction

Clarification on how the csv_db preprocessor connects to the SCCM (Microsoft System Center Configuration Manager) database using Windows Authentication.

Environment

Release : 4.5

Component : CA SOFTWARE ASSET MANAGER

Resolution

CA SAM can be configured to either use an SQL Server Login or Integrated Authentication to authenticate against an SQL Server.

An SQL Server Login is a user created on the database server instance itself. Both authentication and authorization are handled by the SQL Server.
Integrated Authentication means that the user exists in a domain and only the authorization is handled by the SQL Server.

To allow CA SAM to use Integrated Authentication, the IIS App Pool and the external Scheduled Task have to be reconfigured to use a domain account.

Once the setup has been done correctly, one can choose the method of authentication by setting the user credentials correctly:
- If one provides user and password in the database connection, an attempt to authenticate with these credentials will be made.
- If one omits user and password, CA SAM will use Integrated Authentication.

This is true for the database connection to the CA SAM database instance itself. This is the connection defined in the config.ini.
For Integrated Authentication one needs to leave the user and password empty.

This is also true for connections to other SQL Servers. The connections to those servers are configured in the system_configuration table and are used by the csv_db_connector IPP.
For Integrated Authentication one must not create the user/password configuration keys.
In the example below these are db_connect_param_set_sccm_user and db_connect_param_set_sccm_password.
If they already exist, simply delete them.

On the CA SAM database instance the domain user must have db_owner permissions to the CA SAM database.
On other connected SQL Server instances that user must have db_datareader privileges.

It is possible to use a mixed mode of connections. For example, user credentials can be provided in one db connection set but not in another.
It is not possible to use different domain accounts for authentication. Only a single domain account can be used.
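
The permission requirements above, written as T-SQL. This is an added example, not part of the original article or of CA SAM's own scripts. The domain account EXAMPLE\svc_casam and the database names casam_db and sccm_db are placeholders to replace with your own values.

```sql
-- Added example. Placeholders (not from the article):
--   EXAMPLE\svc_casam  domain account used by the IIS App Pool and Scheduled Task
--   casam_db           the CA SAM database
--   sccm_db            the SCCM database on the other SQL Server instance
-- GO is the batch separator used by SSMS and sqlcmd.

-- 1) Run on the CA SAM database instance: db_owner on the CA SAM database.
USE [master];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'EXAMPLE\svc_casam')
    CREATE LOGIN [EXAMPLE\svc_casam] FROM WINDOWS;
GO
USE [casam_db];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'EXAMPLE\svc_casam')
    CREATE USER [EXAMPLE\svc_casam] FOR LOGIN [EXAMPLE\svc_casam];
ALTER ROLE [db_owner] ADD MEMBER [EXAMPLE\svc_casam];
GO

-- 2) Run on the SCCM SQL Server instance: read-only access, nothing more.
USE [master];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'EXAMPLE\svc_casam')
    CREATE LOGIN [EXAMPLE\svc_casam] FROM WINDOWS;
GO
USE [sccm_db];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'EXAMPLE\svc_casam')
    CREATE USER [EXAMPLE\svc_casam] FOR LOGIN [EXAMPLE\svc_casam];
ALTER ROLE [db_datareader] ADD MEMBER [EXAMPLE\svc_casam];
GO

-- 3) Verify on each instance, in the database just configured.
--    Expect db_owner in casam_db and only db_datareader in sccm_db;
--    any additional role on the SCCM side is more privilege than required.
SELECT m.name AS member_name, r.name AS role_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE m.name = N'EXAMPLE\svc_casam';
GO
```

Because only a single domain account can be used, the same account appears in both steps, and the verification query shows what that one identity can reach on each server.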