Login failed for user 'domain\user'

  • Question

  • Hi All,

    I am facing a really strange issue. For some reason the domain account which was used to run the SQL Server service got deleted from AD. So our network admin created exactly the same account again. But now I see the following informational message in the Windows Application Log

    "Login failed for user 'Domain\ServiceAccount'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: <local machine>]"

    Even though it asks me to check "previous errors", I don't see any other error in the log. I know that it is just an informational message, but I am still concerned about it. I would like to know if this is a serious issue or not?

    And also, do I need to set the SQL Server service to use that account again using "SQL Server Configuration Manager"?

    Thanks in Advance,

    Jack

    Monday, August 8, 2011 3:25 PM

Answers

  • Hi Jack,

    You have deleted the old domain account and added a new domain account. They have the same name but have different SIDs, because the security identifier (SID) for each account is unique. You need to update the service account.

    You can follow these steps:

    1. Open SQL Server Configuration Manager.
    2. Click SQL Server Services, and then right-click SQL Server<MSSQLSERVER> and choose Properties.
    3. Then enter the account name and password for the domain user account. Before doing this, click Browse and enter the account name to make sure the account name exists in the domain, then click OK and Apply.
    4. Finally, you should restart your computer. That will be OK.

    Hope this helps.


    Best Regards, Maggie. Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Wednesday, August 10, 2011 8:41 AM

All replies

  • Most likely the new service account, while it has the same name as the old one, has a different SID, which is likely to cause some confusion. I would change the service account to LocalSystem or whatever, and then change back. I don't know, but I think it would be sufficient with a restart after the second change. (The first change would only be to convince SSCM that you are actually making a change; maybe it is not necessary.)


    Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se
    Monday, August 8, 2011 9:26 PM
  • Hi,

    Also, you might find that the SQL Server login for the service account requires re-sid'ing (is that a word?)... you can run

    -- Run this in the affected database. The database-name qualifier in front of
    -- dbo was lost in the post, so the views are referenced without it here.
    -- It generates one ALTER USER ... WITH LOGIN statement per login-mapped user
    -- that belongs to at least one database role, excluding dbo.
    select 'alter user [' + b.name + '] with login = [' + b.name + ']'
    from dbo.sysmembers a
    join dbo.sysusers b on a.memberuid = b.uid
    where b.islogin = 1 and b.name <> 'dbo'
    group by b.name
    order by b.name

    Then run the output from this query for the affected user in another query window.

    Regards,

    Andrew

    Wednesday, August 10, 2011 9:00 AM
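A way to confirm the stale-SID situation Erland and Maggie describe, and to generate the same kind of repair statements as Andrew's query, as an added example that is not code from any post in this thread. It assumes SQL Server 2008 or later, a sysadmin connection, and uses 'Domain\ServiceAccount' from the question as a placeholder.

```sql
-- Added example, not from the thread. Placeholder account name from the question.
DECLARE @acct sysname = N'Domain\ServiceAccount';

-- 1. Compare the SID stored for the server login with the SID Windows reports
--    for the account now. After an AD delete/recreate these differ, which is
--    what the "token-based server access validation" message reflects.
--    SUSER_SID returns NULL if the account cannot be resolved in the domain.
SELECT sp.name,
       sp.sid           AS sid_stored_in_sql,
       SUSER_SID(@acct) AS sid_from_windows,
       CASE WHEN sp.sid = SUSER_SID(@acct)
            THEN 'match'
            ELSE 'STALE: drop and recreate the login' END AS status
FROM sys.server_principals AS sp
WHERE sp.name = @acct;

-- 2. If the SID is stale, recreate the login so it picks up the new SID.
--    Script out its server roles and permissions first; DROP LOGIN discards them.
-- DROP LOGIN [Domain\ServiceAccount];
-- CREATE LOGIN [Domain\ServiceAccount] FROM WINDOWS;

-- 3. In each user database, list users whose SID no longer matches any server
--    login (orphaned by the recreate) and emit the repair statement.
--    Users created WITHOUT LOGIN also appear here and can be ignored.
SELECT dp.name,
       N'ALTER USER ' + QUOTENAME(dp.name)
       + N' WITH LOGIN = ' + QUOTENAME(dp.name) + N';' AS repair_statement
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE dp.type IN ('U', 'S')   -- Windows user, SQL user
  AND dp.name NOT IN ('dbo', 'guest', 'INFORMATION_SCHEMA', 'sys')
  AND sp.sid IS NULL;
```

Run step 3 in every database the service account is mapped into, then execute the generated statements there.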