I'm looking for a method to sync users across an AG when they initiate a password change on their own.
Historically (before setting up the AG), they could use the command line or, for app users, they had access to a web front-end that issued sp_password on their behalf; this was elegant because it was connecting as the user and the web server side didn't need elevated permissions set up on it. With a user's default database now in an AG, the password change succeeds on the primary but fails on the secondary because the database is inaccessible.
I've tried changing the user's default database to master temporarily (fails to add it back while in an AG), permanently (some apps expect the default to be their own database), and modifying the CGI to use master as the database when connecting (works on primary, fails on secondary).
I can find docs on synchronizing users the first time (had no trouble with this) but having a hard time finding anything on how a user might change their own password in an AG when they are only allowed to connect to the primary.
Any ideas? I'd still be grateful if it were glaringly obvious and embarrassing.
Edit: I meant to add: I could create a user with elevated permissions (probably 'alter any user') to change the user's password or to copy the password_hash across but I've been asked to try to limit that exposure of credentials on the web server side, if possible.
Thanks.
Best Answer
Passwords are stored in the master database, there is no need to connect to that database on the secondary. Unless the database is a contained database, server logins are also stored in the master database. Contained databases take care of themselves as contained users can be "logins" and are "contained" within the database, thus automatically included.
If you're using must_change or password policies you'll have an event raised or a message returned about this and can do it programmatically.
Ex: https://technet.microsoft.com/en-us/library/ms131024(v=sql.110).aspx
A few come to mind:
There are other combinations of this using server side traces and/or extended events but it all boils down to about the same process.