SQL Login keeps losing access to databases

  • We created a SQL Login account for reporting use only (SSRS), we'll call it 'MyReportAcct'.

    We've used this account for some time and it is created for every newly installed instance. It has been working as you'd expect, except on a couple of mirrored instances. I've not seen this issue on any standalone instances in my environment.

    Randomly, reports will stop working and there is nothing being changed based on our internal processes for Change Management, Windows Logs, and SQL Error logs. Here are two of the error messages we receive:

    https://www.sqlservercentral/Forums/Uploads/Images/1813441-2.png[/img]

    Upon investigation of the account, it shows up under the Security object folder in SSMS. Also, we find that the account is associated to all the databases under User Mapping for the account properties. I've verified that 'MyReportAcct' has public and db_datareader, so on the surface every looks as expected.

    The rub comes when I try to alter the account or remove the mappings. I'm met with:

  • Cannot alter the user because it does not exists or you do not have permission (Error 15151).
  • Cannot drop the user dbo.. (Error 15150)
  • What I've had to do to fix the issue is delete every instance of 'MyReportAcct' on the server, then recreate it, then add to each database. This doesn't happen all the time, but often enough that it is irritating. Further, we shouldn't have to do this at all.

    I think that we should change this account to an Windows Account instead of a local SQL Login in every instance. I have a feeling that this might fix the issue, but I need to prove why or provide a reasonable answer. I think part of the problem is the mirroring in some way, but I don't know how to prove that either.

    Security is a weakness of mine and I'm employing steps to change this, so any insight you can provide would be greatly appreciated. Please let me know if you need more information.


    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    One of the greatest tragedies in life is to lose your own sense of self and accept the version of you that is expected by everyone else.

  • First, to clarify, you say this only happens on the mirrored instances of SQL Server, not the stand alone instances.

    When you get these errors, has there been a failover from the primary database to the mirrored database? If this is the case I suspect that the problem is a difference in the SID for the login between the principle and mirror database. If this is the case you have three choices.

    1) create a process that runs on the mirrored systems to fix the SID when there is a failover. This will be needed on both systems.

    2) copy the login (master database) from the principal to the secondary. What you really need is the SID. If these match between principal and mirror you don't have to do #1.

    3) switch to using a Windows domain account

  • Lynn Pettis (8/29/2016)


    First, to clarify, you say this only happens on the mirrored instances of SQL Server, not the stand alone instances.

    When you get these errors, has there been a failover from the primary database to the mirrored database? If this is the case I suspect that the problem is a difference in the SID for the login between the principle and mirror database. If this is the case you have three choices.

    1) create a process that runs on the mirrored systems to fix the SID when there is a failover. This will be needed on both systems.

    2) copy the login (master database) from the principal to the secondary. What you really need is the SID. If these match between principal and mirror you don't have to do #1.

    3) switch to using a Windows domain account

    Thank you for replying and your solution, Lynn. 🙂

    Yes, this issue has only been noticed on our mirrored instances and it happens after a failover.

    Now that I know how to fix the problem, I want to know why this happened. I'm trying to understand how/why the SID would make a difference to SSRS when the report is ran.

    Does the SQL login go into a "limbo status" after a failover and break all connections to the databases? Every time we create the account on the new principle databases it works, which means it is a new SID every time. If it works once on SERVER1 and fails over to SERVER2 and then back again to SERVER1, it should still work (in my mind), but that doesn't seem to be the case.


    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    One of the greatest tragedies in life is to lose your own sense of self and accept the version of you that is expected by everyone else.

  • Sean Perkins (8/29/2016)


    Lynn Pettis (8/29/2016)


    First, to clarify, you say this only happens on the mirrored instances of SQL Server, not the stand alone instances.

    When you get these errors, has there been a failover from the primary database to the mirrored database? If this is the case I suspect that the problem is a difference in the SID for the login between the principle and mirror database. If this is the case you have three choices.

    1) create a process that runs on the mirrored systems to fix the SID when there is a failover. This will be needed on both systems.

    2) copy the login (master database) from the principal to the secondary. What you really need is the SID. If these match between principal and mirror you don't have to do #1.

    3) switch to using a Windows domain account

    Thank you for replying and your solution, Lynn. 🙂

    Yes, this issue has only been noticed on our mirrored instances and it happens after a failover.

    Now that I know how to fix the problem, I want to know why this happened. I'm trying to understand how/why the SID would make a difference to SSRS when the report is ran.

    Does the SQL login go into a "limbo status" after a failover and break all connections to the databases? Every time we create the account on the new principle databases it works, which means it is a new SID every time. If it works once on SERVER1 and fails over to SERVER2 and then back again to SERVER1, it should still work (in my mind), but that doesn't seem to be the case.

    It is rather easy to explain actually. If you created the SQL logins on each instance separately they each will have different SIDs in the master database. When the mirrored database fails over the SID in the database matches the SID stored in the master database of the principal server not the mirrored server. That is where the SQL login becomes orphaned. You fix this, but then it needs to be fixed again when you fail back to the original server. The other way is to copy the SID for the SQL login from the principal server to the mirrored server, this way the ISDs will match when the database fails over. The option is to use a domain login that is the same on both servers and you don't need to worry about SIDs.

  • Building on what Lynn said, for SQL logins, the start of authority is the instance, so that's used to build the SID. A different server will have a different start of authority, so the SIDs will be different. For domain logins, the start of authority is the domain, so they're the same on different servers on the same network. Like he said, using a Windows login should eliminate the problem.

    If this isn't realistic in your environment, you'll have to fix the SID of the user to match the login when the failover occurs. This can be done with the sp_change_users_login procedure. You can create a job to fire a procedure that does what you need. When you create it and assign a schedule, pick the "Run when SQL agent starts" in the schedule type.

  • Sean now understands!

    I thank you and greatly appreciate both of you for taking the time to help me and explain how this works.

    I assure you this is a lesson that I'll never forget:-)


    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    One of the greatest tragedies in life is to lose your own sense of self and accept the version of you that is expected by everyone else.

  • Sean Perkins (8/30/2016)


    Sean now understands!

    I thank you and greatly appreciate both of you for taking the time to help me and explain how this works.

    I assure you this is a lesson that I'll never forget:-)

    Excellent. Thanks for the feedback.

  • I had to deal with it at a previous employer where I implemented database mirroring. I used event notifications to handle the fixing of the SID in the databases that were mirrored as well as activating/disabling the scheduled backups as appropriate on the systems.

  • Viewing 8 posts - 1 through 7 (of 7 total)

    You must be logged in to reply to this topic. Login to reply