`Lesson 16: Create a Contained User Login and connect using it 1

Lesson 16: Create and Using a

Contained User Login

Microsoft | Services © 2012 Microsoft Corporation ITOE Educate Workshop

Microsoft Confidential
2 Lesson 16: Create a Contained User Login and connect using it

Conditions and Terms of Use

Microsoft Confidential - For Internal Use Only

This training package is proprietary and confidential, and is intended only for uses described in the training
materials. Content and software is provided to you under a Non-Disclosure Agreement and cannot be
distributed. Copying or disclosing all or any portion of the content and/or software included in such packages is
strictly prohibited.
The contents of this package are for informational and training purposes only and are provided "as is" without
warranty of any kind, whether express or implied, including but not limited to the implied warranties of
merchantability, fitness for a particular purpose, and non-infringement.
Training package content, including URLs and other Internet Web site references, is subject to change without
notice. Because Microsoft must respond to changing market conditions, the content should not be interpreted to
be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information
presented after the date of publication. Unless otherwise noted, the companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no
association with any real company, organization, product, domain name, e-mail address, logo, person, place, or
event is intended or should be inferred.

© 2012 Microsoft Corporation. All rights reserved.

Copyright and Trademarks

© 2012 Microsoft Corporation. All rights reserved.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights
covering subject matter in this document. Except as expressly provided in written license agreement from
Microsoft, the furnishing of this document does not give you any license to these patents, trademarks,
copyrights, or other intellectual property.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.
For more information, see Use of Microsoft Copyrighted Content at
http://www.microsoft.com/about/legal/permissions/
Microsoft®, Internet Explorer®, and Windows® are either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries. Other Microsoft products mentioned herein may be
either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.

Microsoft | Services © 2012 Microsoft Corporation ITOE Educate Workshop

Microsoft Confidential
 `Lesson 16: Create a Contained User Login and connect using it 3

Creating and Using a Contained User Login

Introduction
In this lab you will learn how to enable the contained user authentication features and use
them. You will also be able to see the login through SQL Server Management Studio to
get a view from the perspective of the application as to what is visible and possible.

Objectives
After completing this lab, you will be able to:
 Enable Contained Authentication on the server
 Create a database that has contained logins available
 Create a contained user
 Login as contained user

Estimated time to complete this lab

20 minutes

Virtual Machines Needed for this Lab:

 SQL11AdminWork
 SQLAdminCluN1

Scenario
You need to create a contained user for your application for use with Always On and
having the login mirror itself to the replicas.

Microsoft | Services © 2012 Microsoft Corporation ITOE Educate Workshop

Microsoft Confidential
4 Lesson 16: Create a Contained User Login and connect using it

Exercise 1: Enable Contained Authentication of

server.
Objectives
In this exercise, you will:
 Enable the SQL server to allow contained authentication.

Task Description
1. Log into SQL11AdminWork if you are not already.
2. Open SQL Server Management Studio.
3. Connect to SQLAdmin11CluN1.
4. Click New Query.
5. Type the follow command in the query window:
Sp_configure 'Contained Database Authentication'

6. Press F5 on your keyboard

7. The run_value for this should be 0 this means it is turned off and we want to use this
so we type the following command to turn it on:
Sp_configure 'Contained Database Authentication', 1
Reconfigure with override

8. Press F5 on your keyboard

9. Now rerun the following command
Sp_configure 'Contained Database Authentication'

10. Press F5, the run_value should now show as 1. This indicates that the server will
allow you to utilize contained database logins.

Microsoft | Services © 2012 Microsoft Corporation ITOE Educate Workshop

Microsoft Confidential
 `Lesson 16: Create a Contained User Login and connect using it 5

Exercise 2: Enable a Database to be Contained and

create a Contained User.

Objectives
In this exercise, you will:
 Create a Database that allows for containment of logins
 Create a Contained User in the database
 Login as contained user

Prerequisites
 Completion of Exercise 1

Task Description
1. Log into SQL11AdminWork if you are not already.
2. Open SQL Server Management Studio.
3. In Object Explorer, Expand the SQLAdmin11CluN1.
4. Right click Databases.
5. Choose New Database.
6. Name the new database “ContainedLab”, Click OK.
7. Right-click on ContainedLab database in Object Explorer and choose Properties.
8. Go to the Options Page on the left.
Here you will see an option called Containment type. By default this is turned off of each
database. .

Microsoft | Services © 2012 Microsoft Corporation ITOE Educate Workshop

Microsoft Confidential
6 Lesson 16: Create a Contained User Login and connect using it

Note: You can also change this through TSQL with the following command:

USE [master]
GO
ALTER DATABASE [ContainedLab] SET CONTAINMENT = PARTIAL WITH
NO_WAIT
GO

9. Change Containment type to Partial and Click OK.

10. In Object Explorer expand the ContainedLab database  Expand Security 
Expand Users
11. Right-click on Users and Choose New User.

Microsoft | Services © 2012 Microsoft Corporation ITOE Educate Workshop

Microsoft Confidential
 `Lesson 16: Create a Contained User Login and connect using it 7

Note: You will see a new set of options in User Type as shown below.

12. Choose ‘SQL user with password’.

13. For the User Name Type ContainedUser.
14. For the password Type sqladmin11 and the Confirm password box.

15. Click on Membership.

16. Find and Check db_owner.

Microsoft | Services © 2012 Microsoft Corporation ITOE Educate Workshop

Microsoft Confidential
8 Lesson 16: Create a Contained User Login and connect using it

17. Click OK to create the user account in the database but not in master.
18. Open a query window to SQLAdmin11CluN1 and run the following commands.
SELECT * FROM sys.syslogins WHERE name = 'ContainedUser'

SELECT * FROM ContainedLab.sys.sysusers WHERE name =

'ContainedUser'

The first shows all of the user accounts in the server level of SQL that can login and you
will see no rows are returned for ContainedUser which means the user does not have
server level access. The second query looks at the local users for the database and we can
see the record here.
19. In Object Explorer, Click Connect and Choose Database Engine.
20. For the server name use SQLAdmin11CluN1, change the Authentication type to
SQL Server Authentication.
21. Type in ContainedUser for the login name and Type in sqladmin11 as the password

Microsoft | Services © 2012 Microsoft Corporation ITOE Educate Workshop

Microsoft Confidential
 `Lesson 16: Create a Contained User Login and connect using it 9

22. Click Connect

When you connect you will get an error like the one below. This is because the user
is not at the server level and cannot login to the server.

23. Click OK on the error message

Note: If there is not an error on the previous step, it may be that the user
‘ContainedUser’ is already created and the “Connect to database” option will
already be selected.

24. The user is not at the server level. In order to be able to connect, the “database option”
must be selected. To do this, In the Connect to Server dialog Click Options on the
bottom right.

Microsoft | Services © 2012 Microsoft Corporation ITOE Educate Workshop

Microsoft Confidential
10 Lesson 16: Create a Contained User Login and connect using it

25. Click on the ‘Connect Properties’ tab and Type in the ‘Connect to database:’
ContainedLab if it’s not already selected.

Microsoft | Services © 2012 Microsoft Corporation ITOE Educate Workshop

Microsoft Confidential
 `Lesson 16: Create a Contained User Login and connect using it 11

26. Click Connect

Note: If your server is set for Windows Authentication only, this will not work. You
must be in mixed mode in order to connect.

27. Once you connect you will see in Object Explorer what a user or application will be
able to see through SQL Server connections and / or Object Explorer.

Microsoft | Services © 2012 Microsoft Corporation ITOE Educate Workshop

Microsoft Confidential
12 Lesson 16: Create a Contained User Login and connect using it

Below you can see the containment being applied for the user’s connection in Object
Explorer.

Note: Notice that you can only see the database you are connected to.

28. Expand Databases for this connection to see more of what you can see via Object
Explorer.

Microsoft | Services © 2012 Microsoft Corporation ITOE Educate Workshop

Microsoft Confidential
 `Lesson 16: Create a Contained User Login and connect using it 13

Question 1: What do you see in Object Explorer when connecting via a Contained
User?
____________________________________________________________________
____________________________________________________________________
____________________________________________________________________

Question 2: When using a Contained Database what would happen when trying to
reference data outside this database and why?
____________________________________________________________________
____________________________________________________________________
____________________________________________________________________

29. Right-click on this server from the contained user login and choose New Query

30. Type the following command in the query window and execute it.
SELECT * FROM sys.databases

See how you only see TempDB, master and the ContainedLab database.
31. Type this command and execute it in the query window now.
SELECT * FROM AdventureWorks2012.Person.Person

You should get an error like this:

Msg 916, Level 14, State 1, Line 1
The server principal "5-1-9-3-1750622168-120163757-611265921-4033432508." Is
not able to access the database "AdventureWorks" under the current security
context.
This means that your login will not allow you to the other database.

Note: Even if you tried to create the same login and password in both databases it
will not allow you to do this unless the login is at the server level.

Microsoft | Services © 2012 Microsoft Corporation ITOE Educate Workshop

Microsoft Confidential
14 Lesson 16: Create a Contained User Login and connect using it

You may be asking “What about Windows authentication?” The answer is no matter
whether you are using Windows or SQL Server authentication; if the user is contained at
the database level it will not allow you to cross database query unless it is at the server
level.
Therefore, there are some advantages and disadvantages to Contained Databases. It must
be leveraged where it is appropriate.

Microsoft | Services © 2012 Microsoft Corporation ITOE Educate Workshop

Microsoft Confidential