While trying to do anything related to deploying to Azure/creating a BACPAC in SSMS 2012 I encounter error for each of 3 users in my database (who are not the user that is currently logged on)
Validation of the schema model for data package failed. Error
SQL71501: Error validating element [VARIABLE_USER_NAME_HERE]: User:
[VARIABLE_USER_NAME_HERE] has an unresolved reference to Login
[VARIABLE_USER_NAME_HERE]. (Microsoft.SqlServer.Dac)
Any clues?
This SO question really helped:
Can I ignore logins when publishing a Visual Studio Database project?
I realised that the user I was logged on (to my local database) with, had no permissions to view the login details for the login associated with the peer users that were being complained about in the error message. Written in more plain English, and assuming that there are just 2 database users (mr_spoon and mr_fork), what the error message means is "The currently logged on user [mr_spoon] can see that there is another user called "mr_fork" but cannot view the details of the login [also called "mr_fork" in this case] associated with that user"
Logging onto the master DB with my Windows admin login, and then running this query solved it:
GRANT VIEW DEFINITION ON LOGIN::the_login_name_in_the_error_message TO the_user_i_logged_on_with_and_ran_the_export_from
i.e. admin should run this:
GRANT VIEW DEFINITION ON LOGIN::mr_fork TO mr_spoon
Note that SQL Server permission system supports the notion of both Users and Logins, so I've hopefully been quite careful to say user when I mean user and login where I mean login. Why not just run the export from the admin login you may ask? The machine that can do that doesn't have SSMS2012 nor is it possible to install it, and it's the only machine the admin login works from.. Thus, I'd expect this problem is rare but maybe one day this will help someone
I thought I'd post a Q&A because everywhere I looked I only found reference to SQL71501 within the context of SSDT, not SSMS2012/Azure Deployment
Related
BACKGROUND
The user is defined in Azure AD and in Azure SQL.
test.user#company.com is defined and active in Azure AD. I’m able to log in with this user in Azure portal.
I have created a contained database user with the clause "from external provider" in the Azure SQL database and added the user to the db_datareader system role. The commands commits without error. I have compared the Asset ID in Azure AD and the SID in database and they match. I have tried with different users.
I am able to login as an AD User assigned to the SQL servers assigned "Active Directory Admin"
SQL Server users also login without any issue
Login test in SSMS
I have set default database to the specific database I’m trying to log into (Options-Connect to database).
I have tried with different Authentication modes:
“Azure Active Directory – Universal with MFA” and
“Azure Active Directory – Password”
When I try to login with SSMS I get
Error: 18456, state 1, class 14.
When I query [sys].[event_log] it returns
[event_systype]= 4, [event_subtype_desc] = login_failed_for_user.
PROCESS FOLLOWED
I have a user defined in Azure AD. (test.user#company.com)
In my Azure SQL database, I have set an Active Directory administrator.
I have created a user in SSMS test.user#company.com with the following syntax:
CREATE USER [test.user#company.com] FROM EXTERNAL PROVIDER;
I have assigned the user to the db_datareader role with the following syntax:
ALTER ROLE db_datareader ADD MEMBER [test.user#company.com]
ISSUE: When I try to connect as test.user#company.com, the connection fails and I get this error:
Login Failed for user test.user#company.com
Details of error contains:
Error Number: 18456, State: 1, Class: 14
I have tried to find an answer on learn.microsoft.com, googled my ass off and found some useful resources on this, but none that actually helps me with pinpointing what to do to resolve the issue. If anybody have an Idea of what I'm doing wrong, ref "PROCESS FOLLOWED" I'd be forever grateful :)
I solved it by a workaround, setting up a new database.
I did not find the cause of the problem, but it must be related to database setup "DTU"-"Basic" or some setting that I have managed to set without remembering.
Anyways, my process works when I set up a new database with "DTU"-"Standard" Configuration.
It seems to be some kind of encoding problem. After almost giving up and using a different DB, I tried creating a new one, but without some special characters. And suddenly, it worked.
If you can't change your database's password, you can just edit the connection string in another editor and it works as well (Notepad, VS code, etc).
Our business has just changed Active Directories and the domain changed, from "YMS" to "YMSNET". So I used to be able to log in with "YMS\tkol" and I can now log in with "YMSNET\tkol" (these usernames and domains are faked for the purpose of example), but when I log in as that now, I can't actually expand any of the databases or look at any of the tables, I can just see a list of the database names. When I try to expand a database in the UI it says "This database is not accessible (Object Explorer)."
Now I have another user, called "sqluser", and I keep trying to use that user to log in as well by changing the Authentication Method to SQL Server Authentication rather than Windows Authentication. But I get Microsoft SQL Server, Error: 4064
Now I know this sqluser user exists and the password is correct, because I can authenticate to the server and successfully interact with the tables from an external process on a separate computer on the same network (node.js, package mssql). And I used the query on the accepted answer on this question, and found my sqluser is there, with roles db_accessadmin, db_ddladmin, db_owner. And yet it still won't let me log in with that user in the SQL Server Management Studio UI
How can I get this working again and log in with my sqluser account? Or add the appropriate permissions for my YMSNET\tkol account?
--- edit ---
My first idea is that, because I can log into the UI with YMSNET\tkol, but I can interact with the databases externally with sqluser, that there is some query or command I can run with sqluser that will add permissions for YMSNET\tkol so that that user can now look at all the databases and tables. I don't know which commands I'd run for that.
It can be because your account's default database is mapped to some another db which is not available for you, for instance, you have no permissions there, or that database not exists anymore etc.
Your organization DBA can fix it by:
ALTER LOGIN [sqluser] WITH DEFAULT_DATABASE = [rightDB]
Default db name can be checked by:
select default_database_name from sys.server_principals
where name = 'sqluser'
This property can be overridden by opening "Options" of SSMS connection window and specifying it explicitly:
When I try to deploy my SQL Server Analysis Services project to the server, I get the error message No mapping between user and security ids was done. I don't get where this is coming from!
I've checked the user credentials on the Data Source. I've previously deployed projects to the same server with the same credentials with no problems.
When I google this problem, I get a lot of hits for things to do with Active Directory, but nothing that directly links to SSAS. Where does this error spring from?
This error occurs when there are users defined in a role that are either not known to the server (i.e. a local account on the machine the project was designed on) or no longer available in the Active Directory. To solve this:
Open the cube in BIDS / Visual Studio
Go to the Roles node in the Solution Explorer
Per role, go to the tab "memberships"
Per member defined, check to see if that member still exists in the AD.
In my experience, it's advisable not to use local users in Roles, nor personal accounts. Instead, grant the rights to a role to a group, then add and remove users to that group in the Active Directory as needed.
We have a SQL Server that uses SQL Server Authentication, with users that can deploy, and others that can read, for the sake of simplicity, I'll call them "deploy" and "web".
I'm having difficulty setting permissions up using a Visual Studio (2012) Database project, as the "deploy" user does not have sufficient permissions to create new server logins.
I can add scripts to do things like:
GRANT SELECT ON foo.bar TO [web]
This then sulks (with "SQL71501: Permission has an unresolved reference to object [web].") until I add:
CREATE USER [web] FOR LOGIN [web];
This then sulks (with "SQL71501: User: [web] has an unresolved reference to Login [web].") until I add:
CREATE LOGIN [web] WITH PASSWORD = '******';
This then fails to publish with:
Dropping Permission...
Dropping Permission...
Creating [webuser]...
(67,1): SQL72014: .Net SqlClient Data Provider: Msg 15247, Level 16, State 1, Line 1 User does not have permission to perform this action.
(67,0): SQL72045: Script execution error. The executed script:
CREATE LOGIN [webuser]
WITH PASSWORD = '**';
An error occurred while the batch was being executed.
This doesn't make sense, as the user already exists, so shouldn't need creating
How can I allow publishing via the deployment user without trying to (re)create the login each time? Or, is it possible to reference the externally created user, without having to publish it?
As the user already exists, I suspect that the user that is used to perform the deploy doesn't have rights to view it. The below should be all you need to resolve this.
GRANT VIEW DEFINITION ON LOGIN::web TO deploy
Greetings all, I've run into a problem that has me stumped.
I've put together a database in SQL Server Express, and I'm having a strange permissions problem.
The database is on my development machine with a domain user: DOMAIN\albertp.
My development database server is set for "SQL Server and Windows Authentication" mode.
I can edit and query my database without any problems when I log in using Windows Authentication.
However, when I log in to any user that uses SQL Server authentication (Including sa) I get this message when I run queries against my database.
SELECT * FROM [Testing].[dbo].[AuditingReport]
I get:
Msg 18456, Level 14, State 1, Line 1
Login failed for user 'auditor'.
I'm logged into the server from SQL Server Management Studio as 'auditor' and I don't see anything in the error log about the login failure.
I've already run:
Use Testing;
Grant All to auditor;
Go
And I still get the same error. What permissions do I have to set for the database to be usable by others outside of my personal domain login?
Or am I looking at the wrong problem?
My ultimate goal is to have the database be accessible from a set of PHP pages, using a either a common login (hence 'auditor') or a login specific to a set of individual users.
GRANT ALL is not performing the action you believe it to be.
I suggest for testing purposes that you consider using Database Roles in order to manage the privileges of your User.
Here is a list of the available Database-Level Roles
You can add an existing User to a Database Level role by using the system stored procedure sp_AddRoleMember. For example, the following will provide READ permission to your User for all objects within the given database.:
EXEC sp_addrolemember 'db_datareader','auditor'
Ideally, you will likely want to consider defining your own Database Roles in order to manage privileges for your Database Users.