Could not obtain information about Windows NT group/user - sql-server

I have a Windows 2012 Server running SharePoint 2010 using an SQL Server Express locally installed. Unfortunately my logs are currently flooding with message "An exception occurred while enqueueing a message in the target queue. Error: 15404, State: 19. Could not obtain information about Windows NT group/user 'DOMAIN\user', error code 0x5." It can be 20 such messages every second!
(...and the 'DOMAIN\user' happens to be my personal account.)
Are there a job running that has missing rights? "Qoute from https://serverfault.com/questions/277551/mssqlserver-exception-occurred-while-enqueueing-a-message-in-the-target-queue-e "Try to changing the owner of the jobs to the sa account, on the properties of the job." If I'm correct the express version of SQL server cannot run jobs? Or is there someone/something that wants access to our AD? Why do that account wants to obtain information about my account 20 times every second?
I do find lot's of blogs and hints about this task, but I just dont understand the solutions. One says "To repair this, login as one of the SA accounts and grant SA access for the account that needs it." But what account needs sa access?

Change the owner to sa. Here are the steps I took to solve this issue:
Right-Click on the database and select properties
Click on Files under the Select a page
Under the Owner, but just below the Database Name on the right-hand pane, select sa as the owner.

In my case, sa was not the owner of the DB, I was. When I tried to execute CLR configuration that required sa privileges, I got the error too.
The solution:
USE MyDB
GO
ALTER DATABASE MyDB set TRUSTWORTHY ON;
GO
EXEC dbo.sp_changedbowner #loginame = N'sa', #map = false
GO
sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
sp_configure 'clr enabled', 1;
GO
RECONFIGURE;
GO
I used help from the db team at work and this post to find the answer.

In my case the owner of the database was a domain account Domain\Me.
The error message was
Error: 15404, State: 19. Could not obtain information about Windows NT
group/user 'Domain\MyAccount'
The problem was that the database didn't know what to do with the domain account - so the logical thing to do was to use a local account instead.
I tried changing the owner of the database, but things still wouldn't work correctly.
In the end I dropped and recreated the entire database MAKING SURE THAT THE OWNER WAS SA
I also set the Broker to Enabled in the settings
Thing started magically working after this

No Domain Authentication
Failure was ultimately due to the fact that it was not able to authenticate when I was not vpn-ed into the corporate network.
For I was connecting to a local db on my work laptop, however the User 'DOMAIN\user' needed to be authenticated by AD on the corporate network.
Error was resolved as soon as I reconnected and refreshed; the error disappeared.

I had this error from a scheduled job in sql Server Agent, in my case, just after I changed the hostname of the Windows Server. I had also ran sp_dropserver and sp_addserver. My database was owned by "sa", not a Windows user.
I could login into SQL as the Windows user NEWHOSTNAME\username (I guess after a hostname change, the SID doesn't change, that's why it worked automatically?).
However, in SQL, in Security/Logins node, I had SQL logins defined as OLDHOSTNAME\username. I connected to SQL using "sa" instead of Windows Integrated, dropped the old logins, and create new ones with NEWHOSTNAME\username.
The error disappeared.

to do a bulk update for all databases, run this script and then execute its output:
SELECT 'ALTER AUTHORIZATION ON DATABASE::' + QUOTENAME(name) + ' TO [sa];'
from sys.databases
where name not in ('master', 'model', 'tempdb')

I was having the same problem. In my case it was due to the fact that my machine was part of a domain, but I was not connected to the company VPN. The problem was solved after connecting to the VPN (so the domain user could be resolved by the SQLAgent).

I had the same issue where my domain login was not being recognized. All I did was go into the SQL Server configuration manager and start the services as Network Services instead of a local service. The sql server / agent was then able to recognize the AD logins for the jobs.

In my case, it was VPN issue. When I turned on the VPN to connect with my office network & then tried to start the snapshot agent again, it started successfully.

I was facing the same issue.
Fix for me was changing the log-on from NT User to global user in Sql Server Configuration Manager => Sql Server Service => Sql Server Agent => Properties => Account name.

You should be connected with your domain. (VPN)

Related

SQL Srv 2016: Login failed for user 'MicrosoftAccount\...'

I have Windows 10 Pro machine with SQL Server 2016 Dev installed. There are two local user accounts on the machine: [WORK\admin] and [WORK\erop]. [WORK\erop] account was created at first without connecting to Microsoft. But later I connect it to my MS account. [WORK\erop] account was added to sysadmin role when installing SQL Srv.
Now I try to connect to SQL Srv instance with SSMS as [WORK\erop] but receive:
Login failed for user 'MicrosoftAccount\<my_MS_account>'. Reason: Could not find a login matching the name provided. [CLIENT: <local machine>]
and
Error: 18456, Severity: 14, State: 5.
which means "Invalid userid".
As I guess SSMS is launched under MS account and since MS account has no login on SQL Srv instance it refuses connection.
I executed
CREATE LOGIN [MicrosoftAccount\<MS_account>] FROM WINDOWS WITH DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english]
GO
ALTER SERVER ROLE [sysadmin] ADD MEMBER [MicrosoftAccount\MS_account]
GO
and everything is OK. But I wonder are there any smarter way to map MS_account to local user that has a login on SQL Srv instance?
I wouldn't call any solution smarter than yours, depends on your situation and what you want. But alternatively you could have reverted to a local user, assuming you don't care about the OneDrive and such functions.
Start > Avatar button > Change account settings > Your email and accounts > Sign in with local account instead.
But adding the login again is the smartest and easiest solution.
For those who tried the solution above but are still encountering this issue: change your connectionstring within your appsettings by replacing the Server=localhost value with the server name you see when logging onto MSSQL Management Studio.

No process is on the other end of the pipe (SQL Server 2012)

I've got this error:
A connection was successfully established with the server, but then an error occurred
during the login process. (provider: Shared Memory Provider, error: 0 - No process is
on the other end of the pipe.)
(Microsoft SQL Server, Error: 233)
I know, there are similar questions on this site, and the answer is, to enable TCP/IP and pipes.
But I enabled both, and still doesn't work:
I am using Microsoft SQL Server 2012 and the user has full permissions.
The server was set to Windows Authentication only by default. There isn't any notification, that the origin of the errors is that, so it's hard to figure it out. The SQL Management studio does not warn you, even if you create a user with SQL Authentication only.
So the answer is: Switch from Windows to SQL Authentication:
Right click on the server name and select properties;
Select security tab;
Enable the SQL Server and Windows Authentication mode;
Restart the SQL Server service.
You can now connect with your login/password.
Here are the directions by Microsoft: https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/change-server-authentication-mode?view=sql-server-ver15
To solve this, connect to SQL Management Studio using Windows Authentication, then right-click on server node Properties->Security and enable SQL Server and Windows Authentication mode. If you're using 'sa' make sure the account is enabled. To do this open 'sa' under Logins and view Status.
If this didn't work, you may need to reinstall SQL Server
Also you can try to go to services and restart your Sql server instance
So, I had this recently also, for integrated security, It turns out that my issue was actually fairly simple to fix but mainly because I had forgotten to add "Trusted_Connection=True" to my connection string.
I know that may seem fairly obvious but it had me going for 20 minutes or so until I realised that I had copied my connection string format from connectionstrings.com and that portion of the connection string was missing.
Simple and I feel a bit daft, but it was the answer for me.
Another reason for this error could be incorrect or non-existent database name.
Forcing the TCP/IP connection (by providing 127.0.0.1 instead of localhost or .) can reveal the real reason for the error. In my case, the database name specified in connection string was incorrect.
So, here is the checklist:
Make sure Named Pipe is enabled in configuration manager (don't forget to restart the server).
Make sure the database you are connecting to exists.
Make sure SQL Server Authentication (or Mixed Mode) is enabled.
Please check this also Also check in configuration TCP/IP,Names PipeLine and shared memory enabled
If you are trying to login with SQL credentials, you can also try changing the LoginMode for SQL Server in the registry to allow both SQL Server and Windows Authentication.
Open regedit
Go to the SQL instance key (may vary depending on your instance name):
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL14.SQLEXPRESS\MSSQLServer\
Set LoginMode to 2
Restart SQL service and SQL Server Management Studio and try again.
I face this issue for the second time and all previous answers failed, fortunately the following request do the job:
Alter login [user] with CHECK_POLICY = OFF
go
Alter login [user] with CHECK_POLICY = ON
go
For me the password expired for my login user, and i got the same exception.
Then i login with Windows Authentication mode and change the password for the associated user, and it solved my problem.
Yup, this error might as well be "something failed, good luck figuring out what" - In my case it was a wrong username. SQL Server 2019 RC1.
Had this error too, the cause was simple, but not obvious: incorrect password. Not sure why I didn't get just "Login failed" from freshly installed SQL 2016 server.
I have the same proplem
"A connection was successfully established with the server, but then an error occurred
during the login process. (provider: Shared Memory Provider, error: 0 - No process is
on the other end of the pipe.)"
My connection is:
server=POS06\SQLEXPRESS; AttachDbFilename=C:...\Datas.mdf;Initial Catalog= Datas; User ID= sa; Pwd=12345; Connect Timeout=10;
But My SQL is POS06\MSQL2014
Change the connection string to
server=POS06\MSQL2014 ; AttachDbFilename=C:...\Datas.mdf;Initial Catalog= Datas; User ID= sa; Pwd=12345; Connect Timeout=10;
it worked.
Always try to log in using those credentials with SQL Management Studio. This might reveal some more details that you don't get at runtime in your code.
I had checked the SQL + Windows authentication, restarted the server but still no luck.
After trying to log in using SQL Management, I got this prompt:
Somehow the password had expired although the login was created just minutes before. Anyway, new password set, connection string updated and all's fine.
This might help others. After writing my db routines at home, all working fine. Brought it to work and got this error as well. Might assert same error, different reason. I mistyped the database name when fixing up my code. Ooohh! More coffee ;) Looking back now, kind of makes sense in my case the login/user was good (an admin account) but with a bad database name, there was nothing on the end of the pipe. Why not say "Database does not exists...? And be clear.
make sure that you have specified user in Security-> Logins, if no - add it and try again.
Follow the other answer, and if it's still not working, restart your computer to effectively restart the SQL Server service on Windows.
In my case the database was restored and it already had the user used for the connection. I had to drop the user in the database and recreate the user-mapping for the login.
Drop the user
DROP USER [MyUser]
It might fail if the user owns any schemas. Those has to assigned to dbo before dropping the user. Get the schemas owned by the user using first query below and then alter the owner of those schemas using second query (HangFire is the schema obtained from previous query).
select * from information_schema.schemata where schema_owner = 'MyUser'
ALTER AUTHORIZATION ON SCHEMA::[HangFire] TO [dbo]
Update user mapping for the user. In management studio go to Security-> Login -> Open the user -> Go to user mapping tab -> Enable the database and grant appropriate role.
In my case: Assign a sysadmin role to the user.
Login as windows authenticated user
Go to: Security->Login->Right click user->Assign server role as sysadmin
In my case, login works fine remotely, via VPN. But connecting from the server where sql server was installed, it failed.
Turns out, the instance name is not the default eg. SQLEXPRESS. Hence, it needs to be explictly specified when connecting.
Server name: .<instance_name>
eg. ".\I01"
I don't have to do this if I'm connecting remotely, just <server_hostname>,<port_number>

SQL Server Login error: Login failed for user 'NT AUTHORITY\SYSTEM'

I have created an application pool called "schoolPool" and assigned it to my web application. Identity for this pool has been set to LocalSystem.
When I try to access my database from within the application, i.e. open a SQL connection, I get the following error all the time:
Login failed for user 'NT AUTHORITY\SYSTEM'
I tried to add NT AUTHORITY/SYSTEM to SSMS (SQL Server Management Studio) logins, but it was already a principal, showing the following error:
Allow NT AUTHORITY/SYSTEM to server Role as sysadmin.
I tweaked the application settings a lot, changing the application pool's identity (in Windows 8.1's IIS) to LocalSystem, LocalService, NetworkService, and ApplicationPoolIdentity. However, all of them failed to solve the problem I had logging into my database.
Finally I set the pool identity on LocalSystem and thought why it might be preventing "NT AUTHRITY\SYSTEM" from opening a connection to my database. I opened up SQL Server Management Studio as "Administrator" and checked the Server Roles for NT AUTHORITY\SYSTEM under "logins" section. The default server role for this user was public by default. I also checked sysadmin and refreshed my web application form. This time it worked! Everything working perfectly now.
There is another fix. You should open Command Prompt (cmd) and write the following:
sqlcmd -S (server name)
select name from sys.server_principals where name = 'NT AUTHORITY\SYSTEM'
go
SP_ADDSRVROLEMEMBER 'NT AUTHORITY\SYSTEM','SYSADMIN'
go
The first line will give you an access to the sql server on you machine, the second will
take the following result NT AUTHORITY\SYSTEM an the stored procedure addsrvrolemember will add sysadmin to it. Be careful, because you have to type the following code the way it is.
Rerun following query which will assign 'NT SERVICE\MSSQLSERVER' to sysadmin
EXEC master..sp_addsrvrolemember #loginame = N'NT SERVICE\MSSQLSERVER', #rolename = N'sysadmin'
Musakkhir's answer of granting sysadmin seems poorly thought out as far as security goes, and Pinal's answer involved giving the unknown process db_owner rights, still almost certainly overkill. I've 'solved' it myself by simply granting "public" rights, which normally just allows CONNECT, but nothing else, even SELECT. If gets rid of the login error and stops flooding the error log, since it now logs in, but whatever unknown process is doing the connecting still can't do anything.
You should give your User ID and pwd of SQL server authentication login in the connectionStrings as User ID="username";pwd="yourpassword". You can use the following query
CREATE LOGIN login name WITH PASSWORD = 'password' ;
GO

SQL Server 2012 - Openrowset - User without sysadmin

Environment :
Server : Windows Server 2012
SQL Server : SQL Server 2012
I want to use openrowset in my production environment without granting sysadmin to the user. saw a lot of posts about this issue but non seem to provide a solution to mine.
I performed the following steps:
Created a non administrator windows account
Created a windows authentication login in my database (not sysadmin)
Enabled 'show advanced options','ad hoc distributed queries'
Verified 'Disallow adhoc access' is disabled in the provider (key does not exist in the registry)
Enabled driver
USE [master]
GO
EXEC master.dbo.sp_MSset_oledb_prop N'Microsoft.ACE.OLEDB.12.0', N'AllowInProcess', 1
GO
EXEC master.dbo.sp_MSset_oledb_prop N'Microsoft.ACE.OLEDB.12.0', N'DynamicParameters', 1
GO
Changed the user running the SQL server service to be Administraor
Granted full permissions on the TEMP , TMP directory of the Administrator to the user created on Step1.
Whenever I run the query:
SELECT *
FROM OPENROWSET('MICROSOFT.ACE.OLEDB.12.0','Excel 8.0;Database=c:\temp\xxx.xls;','SELECT * FROM [xxx$]')
I get:
Ad hoc access to OLE DB provider 'MICROSOFT.ACE.OLEDB.12.0' has been denied. You must access this provider through a linked server.
It does not seem to even try to access the file because whether it is there or not I get the same error. When I run it with the sysadmin user it works and when I try to query a non existing file I get error it can't find it in oppose to the non sysadmin user.
Maybe I am missing a permission on different directory or the the non sysadmin user is missing other permission.
Can you please advise?
Thanks
Doron

OPENROWSET BULK Permissions to Shared Folder

OBJECTIVE
Use the OPENROWSET feature to JOIN data in a query against a text file.
ERROR
Leveraging the answer from #gbn on this question I am trying to open a row set just like the OP; though the format of the file is a bit different. However, I'm getting the following error trying to access a shared folder:
Msg 4861, Level 16, State 1, Line 1
Cannot bulk load because the file "\MACHINENAME\Share\EC04.txt" could not be opened. Operating system error code 5(Access is denied.).
BACKGROUND
Please understand, I do not and will not have access to the SQL server and so I cannot place a file there.
The file resides on a Windows 7 x64 machine.
The folder has been shared as Read/Write with Everyone.
QUESTION
Can somebody help me understand what other security I need to give to allow the SQL server to access this folder?
If you are logged in as a SQL login then you must create a credential for this login and this credential must have sufficient privileges to read the share.
If you are logged in as a Windows login then you must enable Kerberos constrained delegation for the SQL Server service account.
Right now it seems you're using a Windows login and because the impersonated context cannot flow through the 'double hop' the authentication resolves to ANONYMOUS LOGON, which is not member of Everyone, hence the access denied. All this is exactly the expected behavior. Consult your network administrator about how to setup constrained delegation for the SQL Server service account targeting your desired share.
I had the same issue which was caused by using a SQL DNS-Alias. With Servername\Instance it worked, with ServerAlias\Instance I get Operating system error code 5(Access is denied.).
These steps are required on SQL Server 2017 to make OPENROWSET ('Microsoft.ACE.OLEDB.16.0','Excel 12.0;..) working with a Shared Folder (UNC file-share):
Install Microsoft Access Database Engine 2016 Redistributable
Configure the Service Principal Name (SPN) in Active Directory (as we use Kerberos authentication):
Configure Computer object Security rights (of the Database Server)
Configure Service account Security rights (the user running the SQL-server process)
Check the SQL Server Log for a message like: The SQL Server Network Interface library successfully registered the Service Principal Name (SPN) [ MSSQLSvc/SRV-DB-01.domain.local:58089 ] for the SQL Server service.
Allow Ad Hoc Distributed Queries
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
GO
EXEC sp_configure 'ad hoc distributed queries', 1
RECONFIGURE
GO
Configure the Driver "Microsoft.ACE.OLEDB.16" with AllowInProcess and DynamicParameters
USE [master]
GO
EXEC master.dbo.sp_MSset_oledb_prop N'Microsoft.ACE.OLEDB.16.0', N'AllowInProcess', 1
GO
EXEC master.dbo.sp_MSset_oledb_prop N'Microsoft.ACE.OLEDB.16.0', N'DynamicParameters', 1
GO
Because we enabled AllowInProcess, the service-account and the actual user must have modify-permission to the Temp-Folder on C:\Users\service-account\AppData\Local\Temp. Otherwise you may recieve The provider reported an unexpected catastrophic failure.
Ensure you have proper permissions on the UNC share itself.
Reboot the server to ensure all changes in AD and temp-folder permissions were applied!
Use the actual Database-Server-Name to connect. Don't use an SQL-Alias name.

Resources