November 29, 2007 at 3:11 pm
We have a 3-node Active / Active / Active cluster, with an instance of SQL 2000 on each node. We have set up the DBA AD group as sysadmin on each box, and up until today I could connect to all the instances successfully.
Today, my windows authentication started giving me the "Login failed for user '(null)'..." error. SQL is still in mixed auth. mode, my ID is still part of the DBA AD group and I can connect to the other two instances on the cluster with Windows Auth.
The group that controls AD sit across the aisle (literally) from me, and they said they made no changes in AD this week (the Windows Auth login worked on Tuesday).
Anyone have any ideas what might have happened?
Thanks in advance for any help.
November 29, 2007 at 10:25 pm
You probly figured this out already,
but when you get that error it usually means your account got locked, but your security token is out of sinc.
Log off your machine, and try to log in again.
November 29, 2007 at 10:43 pm
Ray, thanks for the thought - I already tried the logoff / logon maneuver, it didn't help. If my AD account was locked - I wouldn't have been able to connect to the other instances on the same cluster with Windows Auth.
I also found another occurance of the same, on a SQL 2005 (non-clustered) instance ... it seems to be spreading.
November 29, 2007 at 11:27 pm
Check if you have proper registry permissions set up in the machines where you get an error. this is sure to be a permission problem.
Cheers,
Sugeshkumar Rajendran
SQL Server MVP
http://sugeshkr.blogspot.com
November 30, 2007 at 12:25 am
check the SPN ! if you rely on kerberos authentication.
the service principal name also includes the portnumber of your sqlserver.
Check the sqlserver error log for the spn message at startup time.
Johan
Learn to play, play to learn !
Dont drive faster than your guardian angel can fly ...
but keeping both feet on the ground wont get you anywhere :w00t:
- How to post Performance Problems
- How to post data/code to get the best help[/url]
- How to prevent a sore throat after hours of presenting ppt
press F1 for solution, press shift+F1 for urgent solution 😀
Need a bit of Powershell? How about this
Who am I ? Sometimes this is me but most of the time this is me
November 30, 2007 at 10:03 am
Sugesh - I'm not sure what Registry permissions you are referring to ...
ALZDBA - the SPN seems to be fine, I think, can I get a little more detail on how to check that, from you.
As another piece on information - I have multiple ID's that I use to RDP onto the servers in our various domains. If I log on to my PC with my RDP ID in the same domain as my regular ID, I can connect to both boxes via SSMS, using Windows Auth.
Thanks for the help so far.
November 30, 2007 at 12:27 pm
more on SPN-info
make sure you can see the server registered with the actualy used portnumber ! (be carefull with dynamic ports !)
Johan
Learn to play, play to learn !
Dont drive faster than your guardian angel can fly ...
but keeping both feet on the ground wont get you anywhere :w00t:
- How to post Performance Problems
- How to post data/code to get the best help[/url]
- How to prevent a sore throat after hours of presenting ppt
press F1 for solution, press shift+F1 for urgent solution 😀
Need a bit of Powershell? How about this
Who am I ? Sometimes this is me but most of the time this is me
November 30, 2007 at 12:29 pm
Thanks, ALZDBA, I'll check into that, and leave a reply on whether thats the issue or not.
December 2, 2007 at 4:20 pm
Check the times on the servers and please let us know if you determine the cause.
December 3, 2007 at 7:35 am
So far - Service Principal Names are not the issue, the servers all have the same times, AD changes are not the cause either. We are going to move the cluster group to another node and test connectivity again. Then reboot the server (curent cluster group host) and move the cluster group back and try again.
We can't identify a definitive cause, so we're in the "try it and see" phase, I'll let you know how it goes...
December 3, 2007 at 7:56 am
Please do.
Also, just to be clear, are you connecting to the actual instances or virtual instances?
Any failover events? Can you double check that
- you're hitting the virtual instances correctly
- you're in the DBA AD group (no strange changes)
- No deny groups
- your workstation time is the same as the servers
- Does it cause you issues from any workstation?
December 3, 2007 at 8:07 am
Hello Simon,
Our users used to get this error occasionally when they connect to our development environments and the reason found is that the password policy expires every 30 days. These users do change their password but don't restart their systems and as a result whenever they try to access the SQL box which is already registered with the previous password, they encounter this error message " Login failed for user (null)".
Have you changed your password? If so, try to restart your system and then access the cluster nodes.
Hope this helps.
Thanks
Lucky
December 3, 2007 at 8:43 am
Steve / Lucky,
everything looks good on the cluster - no failovers, time is good all around - everything is successfully synched up on the time servers, I'm still in the DBA's AD group, I did change my password recently, but the last change was about a week before the problem arose, I take my laptop home every night (joys of being DBA on call !!) so it gets cold booted at least once a day.
If I RDP onto our Idera DM box, I can connect using my windows ID, just not from my laptop (tested by creating an ODBC connection in both places). The problem seems to be restricted to my laptop and the one virtual server.
December 3, 2007 at 8:56 am
Ahh, I hate those. Any chance you can open a case with MS? If you have TechNet or MSDN, I think you get some free ones.
This is likely some crazy caching thing on your laptop.
December 3, 2007 at 10:26 am
If the Fileover / Reboot / Failover doesn't resolve the problem, I will open a ticket with MS. It's just an inconvenience for me, but it's a production server - Altiris / SolarWinds / VM Center / etc live on this server, so we need to be sure it's not a problem that could spread to other apps.
The reboot sequence wont happen until later in the week ... I'll keep you posted.
Thanks for all the good suggestions / thoughts.
Viewing 15 posts - 1 through 15 (of 16 total)
You must be logged in to reply to this topic. Login to reply