Token-based server access validation failed with an infrastructure error

    Question

  • Hi
     
    We have a new Win 2008 Enterprise x64 server running SQL 2008

    When we try to connect to the server using Windows Authentication, from a user account which is a domain administrator, we get the following message:

    "Token-based server access validation failed with an infrastructure error"

    What needs to be configured here for this to work ?

    Thanks
    Bruce
    Sunday, February 15, 2009 10:07 PM

Answers

  • Hi

    If you’re getting a login failed for your Windows user - which you’re sure you put in the sysadmins role - it’s probably because UAC isn’t passing all your group memberships to SSMS when you run it, and therefore giving you access denied. If you check your SQL errorlog and you see something like this:

    Login failed for user Username Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors.

    It’s probably UAC. Try right clicking and running as administrator and seeing if it goes away. Of course if you added your user explicitly you’re probably fine, but just to get a cluster up and running I added my domain admins user to the DB - and of course that’s a membership that UAC will mask.

    Thanks
    Sreekar

    Tuesday, February 17, 2009 5:06 AM

All replies

  • Probably, you used a different account to install SQL 2008, and you are now using another account to login.

    Use the account using which you had installed SQL 2008 and log in to the server, and then from the Security node, add more users to logins. This should work.
    Friday, August 28, 2009 12:35 PM
  • Thank you for this!  This was the issue that we were experiencing and it was indeed caused by UAC.  I had UAC set to a low setting, but just not low enough.  You can leave the UAC set high, just remember to right click SSMS and run as administrator.
    Thursday, September 24, 2009 11:42 PM
  • Having the same issue w/SQL Server 2008, but running it on XP Pro so there's no UAC (that's for Vista, probably Windows 7, too).  What could cause this on XP?
    Friday, April 16, 2010 4:25 PM
  • Two days of searching till I found this answer.  Thank you for the help.  I'm just getting used to 2008 and do not always click Run As Administrator.  Oddly enough as soon as I did this I get right in. 
    • Proposed as answer by TommyRush Wednesday, December 05, 2012 3:53 PM
    Thursday, August 12, 2010 2:19 PM
  • Hello, 

    I have the same problem with connecting to local SQL Server 2008 default instance using windows authentication with a user which has sysadmin role and is owner of each existing database (we tried to make the user as powerful as possible but it didn't work):

    2010-09-07 09:37:20.85 Logon       Error: 18456, Severity: 14, State: 11.

     

    2010-09-07 09:37:20.85 Logon       Login failed for user 'VSERVER\SomeUser'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: <local machine>]

    I DO NOT WANT to use Run As Administrator - this is not a solution - who wants a web application run using account with administrative privileges ??

     

    I do not want to disable UAC either (by the way it didn't work).

    I just want the web-app be able to use Windows Authentication mode.

    Does anyone know any WORKING solution ?

    Tuesday, September 07, 2010 8:01 AM
  • Same problem as above, except we have UAC disabled...

    Any suggestions are appreciated.

    Regards.

    Thursday, September 16, 2010 6:08 PM
  • I had this error after an inplace server migration of reporting services, i.e. new server but same name, including the credentials used by the reporting server DOMAIN\SERVER$ (so called "Service Credentials").

    To solve the problem I went in SSMS to the databases msdb, master, ReportServer and ReportServerTempDB and removed all users and schemas with the name "DOMAIN\SERVER$". Then in the global Security / Logins I removed this user as well. Then I went in the Reporting Services Configuration Manager and reran the Database step, which recreated the user.

    This fixed the problem and the message went away.

    Thursday, October 14, 2010 1:19 PM
  • I ran into this on a cross-domain SQL connection.  Try turning off the firewall on the computer you're trying to connect.  If this fixes the problem then create a Connection Security Rule (Server Manager, Windows Firewall, "Authenticate communications between computers").  Right-click, new rule, Server-to-server, Endpoint 1: Any IP address, Endpoint 2: Any IP address, Next, Request authentication ..., Next, Advanced, Customize, First Authentication: Add..., choose NTLM, OK, check "Second auth is optional", OK.  This fixed it for me.

    • Proposed as answer by Brad ATI Thursday, June 16, 2011 11:31 PM
    Thursday, June 16, 2011 11:31 PM
  • We had the same issue with UAC disabled, but found that we re-added the account in the domain in the past, so the token which the account used in the past is different from what it is now.

    We just have to re-provision the account within SQL.


    CM
    • Proposed as answer by JHS Chris Wednesday, September 28, 2011 6:14 PM
    Thursday, July 14, 2011 1:56 PM
  • We had the issue after migrating from 2005 to 2008 R2 using the standard ms sp to migrate logins. We only had the issue on one user from a peer domain in the forest...all other accounts including ones in the peer domain worked as expected.

    Dropping the login, and recreating on the new server manually fixed the issue.  I did not look to see if the user changed the AD SID between the time it was created on the source server to the time of the migration.   I did not look to see if anything was different in the actual logins table, but perhaps something in the sp to generate the login migration has a case that does not work.


    UC Berkeley
    Friday, July 15, 2011 5:07 PM
  • What ashwn_acharya says worked for me.

    In my case UAC was disabled, firewall off and running SSMS as administrator.

    I had to use the original account used to install sql 2008 in order to add the user as login.

    Regards,

    PP


    Microsoft MVP Dynamics CRM | My Twitter: http://twitter.com/pabloperalta | My blog: http://weblogs.asp.net/pabloperalta | Blog en Español: http://wwww.elblogdedynamicscrm.com
    Thursday, September 01, 2011 1:09 PM
  • Chandra's answer worked for me.  I logged in to SQL Management Studio as sa, removed the Windows account from the logins, closed Management Studio (may be unnecessary?), logged in to Management Studio as sa again, added back the windows account, all is well.
    Wednesday, September 28, 2011 6:16 PM
  • Hi,
    I am encountering the same error message, but it is more around the login. This problem happens only on one server but it is fine on another three; my investigation shows it is a ghost SID associated with the AD user account.

    Background

        1- An Active Directory (AD) account was created for a user [Domain\UserA]
        2- A SQL login was created for the account above and then granted access to a number of databases
        3- The AD account was renamed/modified to [Domain\UserB]

        At this stage the user would encounter an error when connecting to the server

        The SQL log shows this error message

        Error: 18456, Severity: 14, State: 11.

        Message
        Login failed for user 'domain\user'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors.     [CLIENT: xxx]

    Action on Server 1 SQL (the one with the problem)
        1- Dropped the user from the databases
        2- Re-Created the login from the windows account [Domain\UserB]
        3- Created the user in the respective databases

        But the user is still unable to connect to the server

    Investigation
        On server 1, the SID of the user in SYSUSERS matches SYSLOGINS and matches the result of SUSER_SID(Domain\UserA)
        But it does not match the SID in the AD

        The rest of the servers all have the correct SIDs

        When I use SUSER_SNAME(Incorrect-Sid) and SUSER_SNAME(Correct-Sid) on this server they both return [Domain\UserB]


        The problematic server is always returning the incorrect SID when recreating the user login and when using SUSER_SID(Domain\UserA) as if it is cached somewhere.

    I can't specify the SID when creating the SQL login because it is using the Windows account

    Your ideas on how to fix this problem are much appreciated

    Regards,


    DGL
    Wednesday, November 16, 2011 8:49 PM
  • Hi

    We have installed SCVMM 2008 R2 Server on one server (while installing we created the SQL DB for this on the remote SQL Server). Installation was successful.

    On another server we have installed the SCVMM 2008 R2 administrator console, but while launching the console it throws the error. At the same time, on the remote SQL server we are finding the Event Information.

    Could you please provide the solution, which is very urgent for me to complete the environment.

    Please find both error screenshots.


    Thanks
    Kishore

    Thursday, January 05, 2012 2:30 PM
  • After 3 years .. your solution also worked for me! thx :)
    Founder of SharePoint CookBook: http://www.GokanOzcifci.be
    Microsoft Certified Technology Specialist: SharePoint 2010, Configuring
    Microsoft Certified Personal
    Thursday, January 05, 2012 2:39 PM
  • Issue resolved.

    Looks like Permissions issue while creating the Database.

    Thursday, January 05, 2012 4:34 PM
  • TQ VM... i faced the same problem but stupid me, i didn't add the default admin to the sysadmin role.

    :P

     

    Tuesday, January 17, 2012 5:27 AM
  • I had this same error. In the evening it still worked, in the morning there was this problem.

    In my case I had the IUSR added as a user to a Database, while on the other hand there didn't exist a Security / Login for it. Adding the Login solved my problem.

    Best regards,

    Eric Gehring, www.Softex.nl

    • Edited by Softex Monday, February 13, 2012 11:21 AM
    Monday, February 13, 2012 11:20 AM
  • This is a particularly annoying error that in some cases is related to a change to the Windows user account (if you are working with Windows authentication) where the user login was created in SSMS and for some reason you change the same Windows user password; this will cause the SIDs to be different.
    Therefore, an alternative is to drop the user Login account from SQL Server and re-create the Login account.
    Thursday, July 12, 2012 10:08 PM
  • We had a test instance and production instance on the same server, using the same domain IDs as Agent service accounts. The developer grabbed an “Operating system (CmdExec)” job that was working fine on test and copied it to production without modifying anything, including the database instance specified in the command line. So it was attempting to authorize to the wrong database instance and throwing this Event Id: 18456 validation failure with infrastructure error.

    Saturday, November 03, 2012 1:28 AM
  •  Hi,

    I had the same error and was able to login via sa ONLY. I fixed by dropping and creating the login again

    /****** Object:  Login [Domain\User]   Script Date: 12/25/2012 18:44:27 ******/
    IF  EXISTS (SELECT * FROM sys.server_principals WHERE name = N'Domain\User')
    DROP LOGIN [Domain\User]
    GO

    /****** Object:  Login [Domain\User]    Script Date: 12/25/2012 18:44:27 ******/
    CREATE LOGIN [Domain\User] FROM WINDOWS WITH DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english]
    GO

    The above script was generated from SSMS by right clicking on the Login in question and choosing Script Login as Drop and create.

    The Domain\User should be replaced with the actual domain and user name used.

    It worked for me.

    Tuesday, December 25, 2012 2:47 PM
  • I know this is an old post, but thanks for your solution, which exactly fixes one of my current SQL logon issues.

    Wednesday, September 18, 2013 2:14 PM
  • Check this link, it will be helpful to you...

    http://www.technologycrowds.com/2013/03/login-failed-for-user-iis.html#.UyrFRPmSwaA

    Ram


    RAM

    Thursday, March 20, 2014 10:45 AM
  • I know this is an old thread. But I've seen some relatively recent replies.  I had this happen in two instances recently. At least in one case, this was an issue of the security group being denied connect to the server (yes, for this precise error message).  This was probably a result of my refresh process which disables and denies connect to non-system logins while database restores and sanitization procedures are run.  The grant and re-enable counterpart had a problem, too. So the final state was a disabled login.  Also, please note that for the specific login that failed in this way, it was a member of two security groups added to this server.  One was enabled just fine and such, and the other denied connect.  The conflicting access for logins in these groups is probably the culprit.  Additionally, it is worth noting that dropping and recreating the login will have it enabled and grant access for connect by default - so this is another way to deal with the issue as is mentioned here.
    Thursday, August 21, 2014 7:05 PM
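
Several replies above trace this error to the state of the login itself: a login that is disabled or denied CONNECT through one of its groups, a stored SID that no longer matches the Windows account, or group memberships missing from the token. The queries below check each of these from a working connection. This is an added example, not a script from any poster in the thread; `DOMAIN\SomeUser` is a placeholder account name.

```sql
-- Added diagnostic example; DOMAIN\SomeUser is a placeholder account name.
-- Run queries 1-3 as a sysadmin (for example sa) on the instance that
-- logs error 18456, state 11.

-- 1. Windows logins and groups that are disabled, or whose CONNECT SQL
--    permission is denied or missing. A DENY on any one group the account
--    belongs to overrides a GRANT reached through another group.
SELECT sp.name,
       sp.type_desc,
       sp.is_disabled,
       COALESCE(perm.state_desc, 'NOT GRANTED') AS connect_sql_state
FROM sys.server_principals AS sp
LEFT JOIN sys.server_permissions AS perm
       ON perm.grantee_principal_id = sp.principal_id
      AND perm.class = 100          -- server-level permission
      AND perm.type  = 'COSQ'       -- CONNECT SQL
WHERE sp.type IN ('U', 'G')         -- Windows user, Windows group
  AND (sp.is_disabled = 1
       OR perm.state_desc IS NULL
       OR perm.state_desc = 'DENY')
ORDER BY sp.name;

-- 2. Every path (explicit login or group membership) through which the
--    account is granted access to the instance.
EXEC xp_logininfo @acctname = N'DOMAIN\SomeUser', @option = 'all';

-- 3. The SID SQL Server has stored for the login, for comparison with the
--    account's current SID in Active Directory.
SELECT name, sid, create_date, modify_date
FROM sys.server_principals
WHERE name = N'DOMAIN\SomeUser';

-- 4. Run on a session opened as the affected account, where one still
--    connects (for example an elevated SSMS). Rows with usage 'DENY ONLY'
--    are memberships the token carries only for deny checks, so a GRANT
--    made to that group does not let the session in.
SELECT name, type, usage
FROM sys.login_token
ORDER BY usage, name;
```

If query 1 returns one of the groups listed by query 2, fixing that group's CONNECT permission or enabled state is a narrower change than dropping and recreating the login.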