Skip to content
Unknown's avatar

Bahti Samet Coban

This blog is all about SQL Server

Error: 18456, Severity: 14, State: 5 Login failed for a member of AD group

This is officially my first blog post. I was planning to write a blog for the last 2 years but couldn’t start until now, so here we go.

Last Friday, we ran into a weird login failed error message for a login who is a member of an AD group with sysadmin rights on a new installed SQL Server. I tried conventional methods to find root cause and fix it but I have never experienced this case before. So, I decided to write a blog post about it as my first post!

One of my colleague reported that he can not login into a newly installed Always On Secondary SQL server(let’s call it SQL2) from another database host(let’s call it Host1). I checked error log immediately and saw this errors:

blogLoginFailsAD

This is a typical login failure which a dba sees a lot, however the problem is he is a member of an AD group(let’s call it [AD\Group1]) and [AD\Group1] exists on SQL2 with sysadmin privileges! Furthermore, I am also a member of [AD\Group1] and I can connect to SQL2 as other members. Also, [AD\Group1] is exists on SQL1, primary replica of this Availability Group, and he connected that server without any problem. Things were getting interesting.

First, I created his domain account directly, he was able to connect both SQL1 and SQL2. This way, we eliminated the possibility that his account is not able to login. But why he couldn’t connect through an privileged AD group? There was something going on with AD group and his membership. I used xp_logininfo procedure to retrieve information about [AD\Group1] members and I saw him as a member, so why the hell SQL does not allow him to login and says there is no such login?

I patched both servers with latest SP and CU, didn’t help.

We removed his account from AD group and added him again, didn’t help.

We removed [AD\Group1]  from SQL2 and created again with sysadmin role, didn’t help.

Even though I am embarrassed to tell this, I restarted SQL service, of course didn’t help.

I further searched this issue on internet, also didn’t help.

Then, I installed SSMS on SQL2 host and asked him to try to connect directly from database host, this time it worked. Now, I am even more confused.

So, We have an AD group with sysadmin role which contains 2 members in it. One of them can connect to both SQL1 and SQL2 from anywhere(Host1, local workstation, SQL2 host and so on) without problem, other member can connect to SQL1 without a problem. He can also connect to SQL2 as a member of [AD\Group1] from his workstation and SQL2 host. However, he can’t connect to SQL2 from Host1.

I realized that this needs more careful and detailed examination. I went back to basics and read about AD groups, kerberos authentication and SQL Server authentication-authorization. Then, my colleague told me that he removed himself from [AD\Group1]  one week ago and re-added 1 day before this incident occurred. That moment I realized that his kerberos ticket was different on AD than the one cached in his user profile on Host1 server. I asked him to log off from Host1 and log on again, only then he could connect to SQL2 from Host1.

To sum up, If you encounter a similar login failure make sure that domain user is logged off and logged in again!

 

Bahti Samet Coban SQL Server, Troubleshoot 2 Comments 26th Nov 201829th Nov 2018 2 Minutes

Posts navigation

Newer posts

Blog Stats

  • 117,481 hits

Recent Posts

  • Microsoft SQL Server 2022 is here! – What do we know so far 3rd Nov 2021
  • TempDB files don’t exist/are not reachable anymore, what to do? 29th Sep 2021
  • Wait, Who is taking backup of SQL Server database? 10th Apr 2021
  • Microsoft Announced a Vulnerability(CVE 2021 1636) and Released Security Fix 14th Jan 2021
  • Disable/Enable export data option for Power BI report visuals 19th Nov 2020

Archives

  • Nov 2021 (1)
  • Sep 2021 (1)
  • Apr 2021 (1)
  • Jan 2021 (1)
  • Nov 2020 (1)
  • Jul 2020 (2)
  • Jun 2020 (2)
  • May 2020 (1)
  • Apr 2020 (1)
  • Dec 2019 (1)
  • Nov 2019 (1)
  • Aug 2019 (2)
  • Jul 2019 (1)
  • Feb 2019 (1)
  • Jan 2019 (1)
  • Nov 2018 (3)
Follow Bahti Samet Coban on WordPress.com

Categories

  • Integration Services (1)
  • Power BI (3)
  • Reporting Services (1)
  • SQL Server (14)
    • Backup & Restore (1)
    • High Availability (4)
    • Performance Tuning (1)
    • Security (2)
    • Troubleshoot (5)
    • Upgrade & Migration (2)
  • Uncategorized (4)
  • Disable Print and Export Data Buttons for PowerBI Report Server
  • PowerBI Reporting Services: How to get a previous version of overwritten report
  • Adding DB to Always On Availability Group “Password required”
  • Implement Transparent Data Encryption(TDE) in SQL Server 2019 Standard Edition
  • Upgrading SQL Server 2019 from CTP to RTM version: Is it even possible?
  • Cannot Connect to Integration Services: “Failed to retrieve data for this request. (Microsoft.SqlServer.Management.Sdk.Sfc)”
  • Always On Availability Group with Mixed SQL Server versions
  • Always On Secondary Database in Reverting/In Recovery
  • Disable Download Button in Power BI Report Server
  • Always On Availability Groups with Multi-Subnet Failover Cluster
  • Server principal ‘LoginName’ has granted one or more permission(s). Revoke the permission(s) before dropping the server principal
  • Backup script fails due to lack of network share permission
  • Error: 18456, Severity: 14, State: 5 Login failed for a member of AD group
Create a free website or blog at WordPress.com.
Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy
  • Subscribe Subscribed
    • Bahti Samet Coban
    • Already have a WordPress.com account? Log in now.
    • Bahti Samet Coban
    • Subscribe Subscribed
    • Sign up
    • Log in
    • Report this content
    • View site in Reader
    • Manage subscriptions
    • Collapse this bar
 

Loading Comments...
 

    Design a site like this with WordPress.com
    Get started