TIP: How to Run Programs as a Domain User from a Non-domain Computer

As many of you know, I am an independent consultant and use my own laptop when possible. I’ve got all my tools set up the way I like them and everything else that I need to be productive. Given that I work for multiple clients, I can’t join my laptop to any particular client’s domain. First is the hassle factor, especially when switching between different clients within a week. Each domain join requires a domain admin to authorize the join by typing in his/her credentials when prompted on my laptop. Second, I don’t want a client’s Group Policy being applied to my laptop. Third – and more importantly – are the non-disclosure agreements that I sign with clients. If I join my laptop to a domain, the domain admins have full rights to my machine and hence to data from other clients. So domain joining just isn’t an option.

In most cases, not being joined to a client’s domain doesn’t make one iota of difference. If you need to access a network share or printer, browse to it and you will be prompted for domain credentials. The fact that you’re using different domain credentials to access the resource from those that you logged in with doesn’t matter one bit. If you want to expedite the process and not wait for an authentication time-out, you can utilize NET USE from the command line to tell Windows which credentials you want to use when accessing certain computers. You can even make them persistent or roll the whole thing into a batch script that you can execute whenever you are at a particular client.

net use \\server /user:domain\username /persistent:yes

Unfortunately this doesn’t work in all cases. One of my longstanding development pet peeves has been certain tools – I’m looking at you SQL Server Management Studio and SQL Query Analyzer – that don’t allow you to specify alternate domain credentials for authentication. For example, SQL Server Management Studio allows you to log into a SQL Server instance using Windows Authentication or SQL Server Authentication. If the SQL instance requires Windows Authentication – the recommended configuration – SQL Server Management Studio uses your logged in credentials. This works well if your computer is part of the domain, but fails horribly if not. It doesn’t let you specify alternate credentials or even prompt you for alternate credentials if the log-in fails.

I’ve tried seemingly everything. NET USE doesn’t help here because NET USE is specifically for network shares.

REM DOES NOT WORK – only provides the domain credentials when accessing shares
net use \\sql-server-name /user:domain\username

RUNAS also fails – either the SHIFT right-click variety or command line – as it tries to run the command locally as the domain user, who is unknown by your computer because you’re not part of the domain.

runas /user:domain\username "C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe"


For years (yes, years) I have resorted to using Remote Desktop to log into a domain computer so that I could run SQL Server Management Studio, used a domain-joined virtual machine, or begged co-workers to run commands for me. Now I feel foolish because I stumbled upon a solution that has been built into Windows for years. It is a simple command line switch for the RUNAS command that I never noticed: /netonly. (Note that the /netonly flag is not accessible via the SHIFT right-click menu, only via the command line.)

runas /netonly /user:domain\username "C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe"


Success! And SQL Server Management Studio running using /netonly domain credentials. The command is run as my local user, but uses the supplied domain credentials only when accessing the network.


I can access remote SQL Servers using Windows Authentication without problem now! (You’ll have to take my word for it or try it yourself as it would be impolite for me to show screenshots of me accessing a client’s SQL Server.) Hopefully this makes some other consultant’s life a little bit easier.
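
As an added example that is not part of the original post, the following PowerShell starts a program through the documented Win32 API CreateProcessWithLogonW with the LOGON_NETCREDENTIALS_ONLY flag, the logon mode that /netonly selects, and takes the domain credentials from a Get-Credential prompt. Start-NetOnlyProcess and the NetOnly.Native type name are hypothetical names chosen for this example.

```powershell
# Added example, not from the original post; helper and type names are hypothetical.
Add-Type -Namespace NetOnly -Name Native -MemberDefinition @'
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct STARTUPINFO {
    public int cb; public string lpReserved, lpDesktop, lpTitle;
    public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars,
               dwFillAttribute, dwFlags;
    public short wShowWindow, cbReserved2;
    public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
}
[StructLayout(LayoutKind.Sequential)]
public struct PROCESS_INFORMATION {
    public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId;
}
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool CreateProcessWithLogonW(
    string user, string domain, IntPtr password, int logonFlags,
    string app, System.Text.StringBuilder cmdLine, int creationFlags,
    IntPtr env, string cwd, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr handle);
'@

function Start-NetOnlyProcess {
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    $LOGON_NETCREDENTIALS_ONLY = 2   # local identity unchanged, creds used on the network only
    $net = $Credential.GetNetworkCredential()   # splits DOMAIN\user
    # A UPN (user@domain) has to be passed with a NULL domain, not an empty string.
    $domain = if ($net.Domain) { $net.Domain } else { [NullString]::Value }
    $si = New-Object 'NetOnly.Native+STARTUPINFO'
    $si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
    $procInfo = New-Object 'NetOnly.Native+PROCESS_INFORMATION'
    $cmd = New-Object System.Text.StringBuilder ('"{0}"' -f $FilePath)
    # Hand the password over as an unmanaged string and zero it afterwards.
    $pw = [Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode($Credential.Password)
    try {
        $ok = [NetOnly.Native]::CreateProcessWithLogonW($net.UserName, $domain, $pw,
            $LOGON_NETCREDENTIALS_ONLY, [NullString]::Value, $cmd, 0,
            [IntPtr]::Zero, [NullString]::Value, [ref]$si, [ref]$procInfo)
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeGlobalAllocUnicode($pw)
    }
    if (-not $ok) { throw (New-Object System.ComponentModel.Win32Exception $err) }
    [void][NetOnly.Native]::CloseHandle($procInfo.hProcess)
    [void][NetOnly.Native]::CloseHandle($procInfo.hThread)
    # Success only means the process started; the password is first checked
    # when the program authenticates to a remote server.
    $procInfo.dwProcessId
}
```

Call it as `Start-NetOnlyProcess -FilePath <path to Ssms.exe> -Credential (Get-Credential)`; a mistyped password still launches the program and only shows up as a failed login at the remote server.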

About James Kovacs

James Kovacs is a Technical Evangelist for JetBrains. He is passionate in sharing his knowledge about OO, SOLID, TDD/BDD, testing, object-relational mapping, dependency injection, refactoring, continuous integration, and related techniques. He blogs on CodeBetter.com as well as his own blog, is a technical contributor for Pluralsight, writes articles for MSDN Magazine and CoDe Magazine, and is a frequent speaker at conferences and user groups. He is the creator of psake, a PowerShell-based build automation tool, intended to save developers from XML Hell. James is the Ruby Track Chair for DevTeach, one of Canada’s largest independent developer conferences. He received his Bachelors degree from the University of Toronto and his Masters degree from Harvard University.
  • Aquintasii

    I’m trying to add a shared printer from a 2k12 server, on a PC with non-domain credentials. But I don’t want my clients to have to input credentials, any suggestions? This doesn’t work, but I’ve been toying with the idea.
    runas /netonly /user:%user@domain% /password:%password% “\SERVERSHARED_PRINT_QUEUE”

  • http://techdebug.com/ Lantrix

    Best tip ever. Thought I’d have to join my standalone laptop to the client domain; but not required!

  • Nobody

    Thank you, useful

  • Alex B

    Thank you, very nice tip.

  • vishu upadhyay

    Thank you ……..

  • Shamz Hamz

    Saved my 1 million hours, Thank you

  • Puspal

    My system had 2005 installed but I later installed 2008 R2 … Now I can use ssms.exe through the netonly command, but when opening BIDS through netonly I am unable to get the remote database list in the drop-down for a remote server (when trying Tools –> Connect to database), whereas I am getting them perfectly with my ssms. Please help…

  • Jesse B

    This worked great. I forgot to use the “netonly” switch. Thanks for the help!

  • http://jameskovacs.com James Kovacs

    If you run Visual Studio (aka devenv.exe) using the above technique, it will connect to SQL Server using your supplied network credentials. HTH.

  • Jesse B

    This is great for connecting to SMS. Saved me a lot of time and headache. How could I use this to connect to the SQL Server in Visual Studio? Any help would be appreciated. :)

  • Mario Henkel

    This tip saved me a lot of time! Thanks a lot!

  • César Alejandro Payán

    Quick question which might seem dumb. Do you have to be connected to the company’s network? Or can you do this from an external network?

  • Naggler Markus

    I needed a solution for the SCCM console and this one works just fine. Many thanks!

  • Siva

    Excellent.. Thank you so much boss…

  • Rigo Melendez

    I love you.

  • http://codebetter.com Brendan Tompkins

    James.. So cool when I end up back on codebetter for a solution to a problem I’m working on :)

  • http://www.phrasememe.com Greg Bray

    For SSMS I have also had to use the default SQL server port when adding Windows Credentials:

    Internet or Network Address: sqlserver.domain.com:1433
    Username: domain.com\username
    Password: password

    This should work for connecting SSMS to the default instance on a remote server. For named instances you might need to change the SQL configuration to use a specific port.

  • Paul

    Brilliant, Thank you!

  • Andres

    Thank you! Very useful.

  • ioan

    Cool stuff! 10x

  • HonzaCZE

    Excellent! Thanks a lot :)

  • Kenneth McMahon

    Thank you.  I have struggled with this on many occasions.  You are awesome!

  • Nworker

    I’m glad people like you share these solutions.  This will help us greatly.  Thank you much!

  • Grateful Guy

    You Sir, are a gentleman – that’s fantastic to share!

  • http://twitter.com/originalmindau Original Mind

    You are a legend!

  • Artificial Lynx

     You sir, are my favorite person in the world today! haha, spent a few hours searching for this connection solution, thanks so much for the article! Saved me the years of pain, heh. :D

  • QABD

    Thanks for the post. I have been using this command for 2 years where I have SQL servers on a different domain. But the same technique is not working for other application exes.
    Does anyone have any thoughts?

  • AAAAAAAAAAAAA

    Wow! This is awesome!  Thank you!

  • Ken Lewis

    Brilliant!  My XP machine works mysteriously fine without an explicit “runas” but not my Windows 7 machine. This solved it completely. Thanks!

  • yetkin

    really helpful. thanks

  • Chris Schmidt

    This is an awesome tip, thanks for posting this.

  • Rajan

    Good tip James.

  • A a

    Thanks! Thanks! Thanks

  • GColundalur

    Thank you so much! This worked really well both with VS and Ssms!

  • TBenson

    James – Great tip, thanks!

    SAS – To display those properties of the smss.exe file while in use, use ProcessExplorer by SysInternals.  On the PE main window just right-click the running program and choose Properties.

    Ciro – Vista and Windows 7 will force the use of the VPN credentials instead of the credentials fed to the SQL client. To disable this, modify the VPN config file (search for a *.PBK file and open it in Notepad) and change UseRasCredentials=1 to UseRasCredentials=0.

  • http://www.uright.ca/ Jack Wong

    Thank you! This post is really helpful to me!

  • Kyle

    This works amazingly well for me and our development machines.  I had been using remote desktop as well.

  • Matt

    Wow this was perfect for the Citrix Delivery Services Console. Worked like a charm and was able to run my discovery from outside the domain.

    Thanks

  • http://jameskovacs.com/ James Kovacs

    Powershell vs. cmd.exe will not make a difference. I’ve used local
    credentials to get to shares on remote computers. So I know that works.
    As for SSMS login window, I wouldn’t trust what it displays. The
    swapping of network credentials happens much lower in the stack. It
    should send the user/password that you typed in cmd.exe, not the one
    displayed in SSMS. If it’s not working, double-check that you typed your
    password correctly. I’ve often fat-fingered a password and you don’t
    know that you have until the login fails.

  • dkpowles

    This did not work for me. I am trying to connect from a domain machine (server01) running SSMS to a domain workstation (desktop01) running SQL Express. HOWEVER, I want to send Windows credentials that are local on the workstation (desktop01\user1) - the SSMS login window still tries with Domain\user instead :( – I also used command prompt, not PowerShell.

  • Saurabh Jain

    Very useful post…. Now I can connect to the SQL Server instance using
    Windows authentication from the untrusted domain. Now can someone
    tell me how I can connect to the same SQL Server from an untrusted domain (using Windows credentials) in my web application?

  • Ahmed S. AL HAJJAR

    Outstanding… an important document…
    Thanks

  • Joselucho38

    OMG… outstanding! Thanks bro… You saved me! Thanks a lot!
    Greetings from Colombia…

  • Uday

    Great solution that solved the problem I have been breaking my head on for 4 hours. Could not find it anywhere. Thank you very much.

  • http://twitter.com/TheMandibleClaw Louis van der Merwe

    excellent, thank you  =)

  • Stephen Solt

     OMG doesn’t solve my current problem with a workstation but will be very useful. I do exactly the same thing as you and SMSS is vital for use at client sites.

  • Bob Baldwin

    Most excellent article!!

  • MyNameIs

    Thanks for the tip !
    I was able to create a batch script so my users can use an ADP connecting to a MS SQL Server with a no-domain computer :)

  • David Beardsley

    Thanks for sharing this, you’ve saved me a lot of aggravation.

  • http://codebetter.com/members/james.kovacs/default.aspx james.kovacs

    @Brian – That is quite odd. I just tried running VS2008 using the /netonly flag and successfully authenticated using domain credentials (on a non-domain computer) using Server Explorer. Double-check that your network credentials are correct. If those check out, you’ll have to start looking at auth traffic using Microsoft Network Monitor or WireShark (aka Ethereal).

  • Brian Beatty

    This works great with SQL Server Manager.
    I haven’t had the same luck with Visual Studio 2008 or 2010.
    I get the following error: "Login failed for user ''. The user is not associated with a trusted SQL Server connection."

    I’ve tried runat and shellrunat with /netonly
    Any ideas?
    Thanks

  • http://www.amirrajan.net Amir Rajan

    Thanks. This is exactly what I needed.

  • http://codebetter.com/members/james.kovacs/default.aspx james.kovacs

    @Ciro – I haven’t tried it over VPN and I honestly have no idea why it wouldn’t work over VPN. The best advice I can offer is to capture packet traces using Microsoft Network Monitor or WireShark (formerly Ethereal) to figure out why the credentials aren’t being sent over the wire. Wish I had a better answer, but I seldom have to use VPNs these days.

  • Ciro Martins

    First of all, thanks for sharing this useful information.
    I would like to ask you if you have been able to get it working even when you are using a VPN.
    I tried it directly and it worked. But when I try to use it while connecting to my client by VPN, I am not able to get it working.

    Thanks a lot for your help.

  • Anuj Agarwal

    Saved me a ton of time. Thanks!

  • Adam Czarny

    Saved me a lot of trouble, thanks!

  • Alduzz81

    You are the best. I had been expecting this solution for seven months.

  • EC

    Thanks James this article was great, this is exactly what I needed.

    @Einstein – the credentials manager in the 64-bit version of Windows 7 passes a null string when trying to log into a domain2 server from domain1 from Management Studio. This article states as much: http://social.msdn.microsoft.com/Forums/en-US/sqldatabaseengine/thread/47878ff0-c6c8-4568-bd2c-605fb9e9a656

    This article points you here as the workaround.

  • Robbie Couret

    Incredible information in this article!

  • http://codebetter.com/members/james.kovacs/default.aspx james.kovacs

    @SAS – I use Kenny Kerr’s excellent Window Clippings for all my screenshots.

    http://windowclippings.com/

  • SAS

    The screen shot of the smss.exe properties above – what tool is being used?

  • B Grossman

    You are amazing and wonderful!
    Saved my bacon from forced domainization…
    Thanks.

  • Dries Van Hansewijck

    Using SysInternals ShellRunAs you can add a command “Run as different user (netonly)…” to the context menu of an executable. It displays a little login box where you can put your credentials. Just download ShellRunAs (link) and run the command ShellRunas /regnetonly.

  • http://www.indiangeek.net Sijin Joseph

    Holy Crap, I think I am getting old, I’ve had this exact same issue for over a year now and I never bothered looking for a solution. Thanks a ton for sharing!

  • http://programmergrrl.blogspot.com Amy Thorne

    Thank you! I’ve had exactly the same problem and also never found a nice way to fix it. This is great!

  • http://none jeremiah

    I was going to suggest virtual machines as well, but as you mentioned, some companies do not like virtual machines for whatever reason, and will spend hundreds of thousands of dollars to buy real hardware rather than buy a single virtual machine license. I do not understand this. It is probably (like all things of this nature, really) based on ignorance. These are usually the very worst clients.

  • http://blog.badera.us/ Andrew Badera

    HOLY CRAP this may be one of the most valuable pieces of technology consulting practice that has ever been divulged to me in my 13 years of doing independent work, mostly in Windows. Definitely reblogging (and crediting!) this piece!

  • GlenH

    Also… adding two more entries in the Credentials Manager seems to catch some edge cases…

    1. Put (just) the name of the Domain in the server box (instead of an actual server).
    2. Put the fully qualified name of the Domain in the server box.

    To recap, the three “server” entries should look like this…

    Domain
    Domain.com
    Domain\UserId

    Been using this method with great success for years.
    Glen

  • GlenH

    The /savecred switch is very useful as well… you only have to provide your credentials once.

    Another trick:
    1. Create a local (machine) account that exactly matches the domain account. Log in using this account (obviously).
    2. Use the Credentials Manager (“Stored UserIds and Passwords” on Win2003) to add a special domain entry. Even though the input box is labeled “Server,” you can actually provide a set of Domain credentials instead. To be clear, both the Server and “User name” input boxes should BOTH contain the same string, in the form of “Domain\UserId”.

    What does this buy you? In about 90% of cases, you will get pass-through, (prompt-less) authentication. Just make sure the local account password matches the one on the domain.

    Interestingly enough, the /savecred switch on runas actually creates this entry for you!

  • http://codebetter.com/members/james.kovacs/default.aspx james.kovacs

    @Josh – A domain-joined VM is useful as long as your clients domain admins don’t mind domain-joined VMs. (Sometimes they do mind.) I’ll have to explore Credential Manager in Win7. I’ve tried it in previous versions of Windows and found it to be nearly useless. Thanks for the tip.

  • http://www.josheinstein.com Josh Einstein

    I have the same exact situation (and the same reluctance to joining a domain) as you describe. Two things that have helped me get through life are 1) A virtual machine that is joined to the domain and prepped the way they want it but otherwise isolated from my machine. 2) In Windows 7, the credential manager (Control Panel -> Users -> Manage Credentials) lets me assign a login/password by resource. This gets picked up by IE, Explorer, etc. Haven’t tried how a normal app would pass credentials to say – a SQL server though.