Getting error 18456, need help in figuring out what's wrong

Question

Getting error 18456, need help in figuring out what's wrong

Rod at work

SSC-Dedicated

Points: 34008
More actions
May 1, 2017 at 3:52 pm

#402015

We've got a test user we're using to test how our new app will work. I can't connect, while logged in as that user. (We've using Windows Authentication.) I'm getting SQL error 18456. I've looked it up and found that I need to get to SQL Server's logs.
So that's what I've done. It has the following:
"Login failed for user 'OURDOMAIN\app.test_mgr'. Reason: Token-based server access validation failed with an infrastructure error."
What does "Token-based server access validation failed" mean?
Kindest Regards, Rod Connect with me on LinkedIn.
May 2, 2017 at 10:12 pm

This was removed by the editor as SPAM

Viewing 8 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic. Login to reply

Lynn Pettis SSC Guru Points: 442467 More actions · Answer 1

Rod at work - Monday, May 1, 2017 3:52 PM
We've got a test user we're using to test how our new app will work. I can't connect, while logged in as that user. (We've using Windows Authentication.) I'm getting SQL error 18456. I've looked it up and found that I need to get to SQL Server's logs.
So that's what I've done. It has the following:
"Login failed for user 'OURDOMAIN\app.test_mgr'. Reason: Token-based server access validation failed with an infrastructure error."
What does "Token-based server access validation failed" mean?

Here is one thing I found, not sure if it helps: https://blogs.technet.microsoft.com/the_9z_by_chris_davis/2014/02/21/sql-event-id-18456-login-failed-for-user-reason-token-based-server-access-validation-failed/

Rod at work SSC-Dedicated Points: 34008 More actions · Answer 2

JasonClark - Tuesday, May 2, 2017 10:12 PM
If you are confirm putting the sysadmins role then it might be UAC which isnâ€™t pasing all your group memberships to SSMS when you run it, and therefore access denied.
Itâ€™s probably UAC. Try right clicking and running as administrator and seeing if it goes away. Of course if you added your user explicitly youâ€™re probably fine, but just to get a cluster up and running.

The test user isn't in the sysadmins role. In this case they shouldn't be.

Kindest Regards, Rod Connect with me on LinkedIn.

Sue_H SSC Guru Points: 90860 More actions · Answer 3

Is the login related to what you were posting yesterday - when you created the user (Windows Group) in the database and it didn't have a login?
I didn't follow the whole thing but got the gist of it and wondering if this is one of the users in that group that you were having problems with.
I played around with it after you posted and could reproduce the same thing. The group was no different than when you create a user without login. It wasn't explicitly a user without login but the SID length was the same as a user without a login. And the behaviors were the same, essentially like an application role.

Sue

Chris Harshman SSC-Forever Points: 42192 More actions · Answer 4

Rod at work - Monday, May 1, 2017 3:52 PM
"Login failed for user 'OURDOMAIN\app.test_mgr'. Reason: Token-based server access validation failed with an infrastructure error."

Whenever I've seen this, it was someone trying to connect to an instance where they didn't have a windows authenticated login or AD group they are a member of setup as a login for the instance, so that's one thing to check, however the error is a bit generic and could be used for other things.

Rod at work SSC-Dedicated Points: 34008 More actions · Answer 5

Sue_H - Wednesday, May 3, 2017 10:36 AM
Is the login related to what you were posting yesterday - when you created the user (Windows Group) in the database and it didn't have a login?
I didn't follow the whole thing but got the gist of it and wondering if this is one of the users in that group that you were having problems with.
I played around with it after you posted and could reproduce the same thing. The group was no different than when you create a user without login. It wasn't explicitly a user without login but the SID length was the same as a user without a login. And the behaviors were the same, essentially like an application role.
Sue

The DBA appears to have fixed it. She created the login (I didn't have the privileges to do so) I'm double checking, but I believe now that the issue was the AD group wasn't included in the Logins on the server. Its strange to me that SQL Server allows you to create a User with no login.

I've got some other issues now, but I think this one is resolved.

Kindest Regards, Rod Connect with me on LinkedIn.

Sue_H SSC Guru Points: 90860 More actions · Answer 6

Rod at work - Thursday, May 4, 2017 8:52 AM
The DBA appears to have fixed it. She created the login (I didn't have the privileges to do so) I'm double checking, but I believe now that the issue was the AD group wasn't included in the Logins on the server. Its strange to me that SQL Server allows you to create a User with no login.
I've got some other issues now, but I think this one is resolved.

Yup that's what it looked like to me, explains the errors.
You've been able to create users without logins for quite awhile - maybe since 2005? Can't remember exactly which version. It was first billed as a way to replace application roles but they are used for more things now.

Sue