SQLServerCentral is supported by Red Gate Software Ltd.
Login failed for user with token-based server access validation error
Posted Tuesday, January 27, 2009 3:09 AM
Mr or Mrs. 500
Group: General Forum Members
Last Login: Friday, July 4, 2014 3:24 AM
Points: 577, Visits: 379
Can anyone help as I am at a loss with this one.

I am running SQL Server 2000 Standard Edition on a Windows Server 2003 standard edition machine.

The way our in-house developed .NET applications and SQL Server work is simply as follows.
Each application has an Active Directory group created for it, and users that are permitted to access the application are then added to the group.
This AD group is then added into SQL Server, mapped to the appropriate databases, and then either granted permissions on the required objects, or are assigned to a database role that carries the required permissions.

Up until today this has worked like a charm. That was until two users requested access to one of the applications. Both were set up identically and we've double checked everything; however, when one of the users attempts to run the application, it reports that they do not have permissions and the following log is recorded in the SQL Server log.

Login failed for users 'xxx\xxx'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: xxx.xxx.xxx.xxx]
Error: 18456, Severity: 14, State: 11

I've tried Googling the problems but what I'm reading makes no sense at all.




---------------------------------------
It is by caffeine alone I set my mind in motion.
It is by the Beans of Java that thoughts acquire speed,
the hands acquire shaking, the shaking becomes a warning.
It is by caffeine alone I set my mind in motion.
Post #644009
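An added example, not code from the thread, that parses SQL Server errorlog entries like the pair quoted above, joins the "Login failed" text with the "Error: 18456 ... State" line it belongs to, and counts repeated failures per user, client and state. The sample log lines are constructed, and the meanings listed for states other than 11 come from SQL Server documentation rather than from this thread.

```python
import re
from collections import defaultdict

# Constructed sample errorlog entries (not from the thread), in the two-line form
# quoted in the original post. Users, hosts and times are made up.
SAMPLE_ERRORLOG = """\
2009-01-27 03:05:12.11 Logon  Login failed for user 'CORP\\jsmith'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: 10.1.2.3]
2009-01-27 03:05:12.11 Logon  Error: 18456, Severity: 14, State: 11.
2009-01-27 03:07:40.02 Logon  Login failed for user 'CORP\\jsmith'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: 10.1.2.3]
2009-01-27 03:07:40.02 Logon  Error: 18456, Severity: 14, State: 11.
2009-01-27 03:09:01.55 Logon  Error: 18456, Severity: 14, State: 8.
2009-01-27 03:09:01.55 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.9.9.9]
"""

LOGIN_RE = re.compile(r"Login failed for user '(?P<user>[^']+)'\. Reason: (?P<reason>.*?)"
                      r"\s*(?:\[CLIENT: (?P<client>[^\]]+)\])?\s*$")
ERROR_RE = re.compile(r"Error: 18456, Severity: 14, State: (?P<state>\d+)")

# Meanings of the 18456 states a defender meets most often (state 11 is the thread's case).
STATE_MEANING = {
    5: "login name does not exist on this instance",
    8: "password mismatch (SQL authentication)",
    11: "Windows login authenticated, but server access validation of its token failed",
}


def parse_failed_logins(text):
    """Pair each 'Login failed' line with its 'Error: 18456 ... State: N' line.
    The two are adjacent errorlog entries and may appear in either order, so a
    partial record is kept until both halves have been seen."""
    events, pending = [], {}
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            pending.update(user=m["user"], reason=m["reason"], client=m["client"])
        else:
            m = ERROR_RE.search(line)
            if m:
                pending["state"] = int(m["state"])
        if "user" in pending and "state" in pending:
            pending["meaning"] = STATE_MEANING.get(pending["state"], "unknown state")
            events.append(pending)
            pending = {}
    return events


def summarize(events):
    """Count failures per (user, client, state): one Windows user repeating state 11
    after a group change looks different from a state 8 password-guessing burst."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["user"], e["client"], e["state"])] += 1
    return dict(counts)
```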
Posted Tuesday, January 27, 2009 7:36 AM
Keeper of the Duck
Group: Moderators
Last Login: Friday, September 26, 2014 7:52 AM
Points: 6,624, Visits: 1,873
Is that one user a member of a lot of Windows groups (including nesting)? Is the user having login issues for any other resources (such as file shares, Exchange, etc.)?


K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog | LinkedIn | Twitter
Post #644139
Posted Tuesday, January 27, 2009 7:53 AM
Mr or Mrs. 500
Group: General Forum Members
Last Login: Friday, July 4, 2014 3:24 AM
Points: 577, Visits: 379
All users within the company are members of quite a number of groups as they control all our resources, however we do not allow nesting.

What was peculiar is that other people who can gain access are members set up identically, with exactly the same groups.

However we believe we know what the issue might be, and that is down to replication of the Active Directory as a user who was experiencing similar problems yesterday, even after repeatedly logging in and out of the network for over 2 hours, found they had access this morning.

If this user can gain access to the system tomorrow then this is the most likely cause. However I am still open to other suggestions in case I am wrong.

Post #644162
Posted Tuesday, January 27, 2009 8:02 AM
Keeper of the Duck
Group: Moderators
Last Login: Friday, September 26, 2014 7:52 AM
Points: 6,624, Visits: 1,873
Unless you have a lot of sites with multiple site links, it shouldn't normally take that long for security changes to replicate. What may be, though, is that the change was made after the user logged in. When a user logs in, the security token is built based on current memberships (so far as the domain controller knows). If a change is made after that, the security token isn't updated until the user logs in again.

Post #644171
Posted Tuesday, January 27, 2009 8:08 AM
Mr or Mrs. 500
Group: General Forum Members
Last Login: Friday, July 4, 2014 3:24 AM
Points: 577, Visits: 379
As soon as a change is made to a group or user, we always ensure that they log out of the network and log back in to ensure that the security token is updated. However I suspect that this may be occurring before replication can take place, which will result in the same issue.

We have a considerable number of servers within the domain that are off-site, both in this country and overseas, and I suspect that there is something amiss with its configuration as I sometimes get errors when my Outlook somehow tries to connect to an Exchange server in a branch overseas when sending mail!?!?!? But that is one for the networking department to resolve.


Post #644180
Posted Tuesday, January 27, 2009 8:35 AM
Keeper of the Duck
Group: Moderators
Last Login: Friday, September 26, 2014 7:52 AM
Points: 6,624, Visits: 1,873
Rayven (1/27/2009)
As soon as a change is made to a group or user, we always ensure that they log out of the network and log back in to ensure that the security token is updated. However I suspect that this may be occurring before replication can take place, which will result in the same issue.

We have a considerable number of servers within the domain that are off-site, both in this country and overseas, and I suspect that there is something amiss with its configuration as I sometimes get errors when my Outlook somehow tries to connect to an Exchange server in a branch overseas when sending mail!?!?!? But that is one for the networking department to resolve.


Exchange configuration doesn't necessarily equal how the rest of the domain is configured. There was advice about putting Exchange in its own sites so that it had dedicated global catalog servers, etc. However, if you're connecting to domain controllers overseas, when there are some locally, then that would indicate an issue. I hope that the physical site topology within AD has been set up correctly and not just as one big default site (which I've seen).

Post #644201
Posted Tuesday, January 27, 2009 9:23 AM
Mr or Mrs. 500
Group: General Forum Members
Last Login: Friday, July 4, 2014 3:24 AM
Points: 577, Visits: 379
Erm, having seen the way that the network department configured Active Directory, it was migrated directly from the original domain, so it is just one huge chunk.

Don't ask me why they did it like that, I'm sure they had their reasons.


Post #644262
Posted Tuesday, January 27, 2009 9:26 AM
Keeper of the Duck
Group: Moderators
Last Login: Friday, September 26, 2014 7:52 AM
Points: 6,624, Visits: 1,873
Rayven (1/27/2009)
Erm, having seen the way that the network department configured Active Directory, it was migrated directly from the original domain, so it is just one huge chunk.

Don't ask me why they did it like that, I'm sure they had their reasons.


Then I'm glad I'm not the directory services administrator there. I'd be pulling my hair out. I took my directory services admin hat off as of Dec. 31st and I have no real desire to put it back on. So I'll end my comments about AD on this thread here. :)

Post #644266
Posted Monday, April 6, 2009 1:22 PM
Ten Centuries
Group: General Forum Members
Last Login: Wednesday, January 29, 2014 2:58 PM
Points: 1,141, Visits: 944
So was this an AD replication issue?

I'm getting the same "Token" based error when I add a user from a new domain to an existing domain. I've detailed the problem

http://www.sqlservercentral.com/Forums/Topic690161-146-1.aspx
Post #691389
Posted Friday, April 24, 2009 12:01 PM
SSC Journeyman
Group: General Forum Members
Last Login: Wednesday, April 17, 2013 2:47 PM
Points: 88, Visits: 351
I am also having a very similar issue. Did this ever get resolved?

Post #704203