You want to know why TMES clients cannot register to the server when using Windows account authentication with SQL server.
The root cause of this is that the ESClient cannot register to the server because the IIS (Fast channel) cannot access the SQL server using a Windows account.
As a workaround, do the following:
-
Add the domain account to the Administrator's Group.
-
Make sure the domain account contains the "Log on as a service" and "Log on as a batch job" user rights.
To add the "Log on as a service" right to an account on your local computer:
- Open Local Security Policy.
- In the console tree, double-click Local Policies, and then click User Rights Assignments.
- In the details pane, double-click Log on as a service.
- Click Add User or Group then add the appropriate account to the list of accounts that possess the Log on as a service right.
-
Make sure the SQL Server has the domain account and contains the dbcreator and db_owner database roles.
- On the SQL ServerManagement Studio, select the domain account. The login Properties window appears.
-
On the Select a page pane, choose Server roles.
Tick the checkbox before dbcreator. Make sure the dbcreator and public (default) are selected. Tick the checkbox before db_owner if this role is included in your SQL server version.
The checkboxes selected in this example are dbcreator , public(default).
Click image to enlarge.
-
Add Impersonation setting in IIS.
To configure ASP.NET impersonation authentication:
- Open IIS Manager and navigate to the level you want to manage. For information about opening IIS Manager, see Open IIS Manager (IIS 7). For information about navigating to locations in the UI, see Navigation in IIS Manager (IIS 7).
- In Features View, double-click Authentication.
- On the Authentication page, select ASP.NET Impersonation.
- In the Actions pane, click Enable to use ASP.NET Impersonation authentication with the default settings.
- In the Actions pane, click Edit to set the security principal.
- In the Edit ASP.NET Impersonation Settings dialog box, select Specific user for the windows account you want to use.
- Click OK to finish or proceed to the next optional steps to change the identity to impersonate.
-
Optionally, click Set to change the Specific user identity.
Click image to enlarge.
- In the Set Credentials dialog box, enter the name of an existing user account in User name, the password associated with that user account in Password, and then the exact same value in Confirm password for a new account IIS should use for anonymous access.
- Click OK to close the Set Credentials dialog box.
- Click OK to close the Edit ASP.NET Impersonation Settings dialog box.