Token-based server access validation failed with an infrastructure error
Posted Thursday, July 1, 2010 12:48 PM
Forum Newbie

I would appreciate help with the following issue:

I have created a local group in our SQL 2008 server and added two Windows user accounts "DOMAIN\UserName". I then added the local group to the database and granted read-only access.

The users are trying to link tables using MS Access using an ODBC connection and are getting the following error.
Users are not system administrators.

Date                      6/30/2010 1:01:54 PM
Log                         SQL Server (Current - 6/30/2010 1:10:00 PM)
Source                  Logon
Message
Login failed for user 'DOMAIN\UserName'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: 999.99.9.99]
 
Date 6/30/2010 1:01:54 PM
Log SQL Server (Current - 7/1/2010 8:12:00 AM)

Source Logon

Message
Error: 18456, Severity: 14, State: 11.

Database Server:
Windows Server 2008 R2 Enterprise
System type: 64-bit Operating System
SQL Server 2008
Post #946410
Posted Thursday, July 1, 2010 12:58 PM


Ten Centuries

What error are you seeing in the SQL Server Log? What happens if you add the users directly, or add them to a domain group (vs. a local group)? Sounds like a domain trust/delegation issue...



The probability of survival is inversely proportional to the angle of arrival.
Post #946420
Posted Thursday, July 1, 2010 1:01 PM
Forum Newbie

My original post contains the error from SQL logs.
I added users directly ... same result.
I added them as part of an AD group ... same result.

Thank you
Post #946423
Posted Thursday, July 1, 2010 1:11 PM


Ten Centuries

Something is not configured right. Check out this link:
http://blogs.msdn.com/b/sql_protocols/archive/2006/12/02/understanding-kerberos-and-ntlm-authentication-in-sql-server-connections.aspx




Post #946429
Posted Wednesday, July 14, 2010 9:00 AM
Forum Newbie

Thank you for your response.

I found the cause of the problem. I just wished the MS error message in the logs could be more clear. The remote user with logging access problems was also part of a group that was denied access to our database. I completely overlooked this configuration. I then created a different group and granted access to the user. I also granted access explicitly, and in both instances the user was denied access. Once I removed the group that denied access it all worked fine.

p.reinoso
Post #952421
Posted Friday, October 18, 2013 10:09 AM
Forum Newbie

Had this same issue.

What caused it was that I set "Permission to Connect to database engine" to "Denied" in a different Active Directory group. This was in the Login Properties -> Status.

What I did not understand is that even if a user is in a different Active Directory group that is Granted access, the Deny access in the other AD group takes precedence. Any user in the "Denied" AD group will never be able to log in no matter what other AD groups are granted access.

The error messages are the same as above... wish Microsoft would put an error in saying "login denied access due to permissions" or something like that.

Good luck!
Post #1506254
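
One way to locate the deny that the last post describes, as an added example that is not part of the original thread. It assumes the deny was set at the server level (Login Properties -> Status), and `DOMAIN\DeniedGroup` is a placeholder for whichever group the first query returns.

```sql
-- Added example, not code from the thread. Run on the instance that logged
-- error 18456, state 11, as a sysadmin or a login with VIEW ANY DEFINITION.

-- 1. List every server principal with an explicit DENY on CONNECT SQL.
--    "Permission to connect to database engine: Deny" on the Login
--    Properties -> Status page is stored as this permission row.
SELECT  pr.name        AS denied_principal,
        pr.type_desc   AS principal_type,   -- WINDOWS_GROUP, WINDOWS_LOGIN, SQL_LOGIN
        pr.is_disabled,
        pe.permission_name,
        pe.state_desc,                      -- DENY
        gr.name        AS denied_by
FROM    sys.server_permissions AS pe
JOIN    sys.server_principals  AS pr
        ON pr.principal_id = pe.grantee_principal_id
JOIN    sys.server_principals  AS gr
        ON gr.principal_id = pe.grantor_principal_id
WHERE   pe.class = 100          -- server-level permissions
  AND   pe.type  = 'COSQ'       -- CONNECT SQL
  AND   pe.state = 'D'          -- DENY
ORDER BY pr.type_desc, pr.name;

-- 2. For each WINDOWS_GROUP returned above, list its next-level members and
--    look for the account named in the "Login failed for user" message.
--    DOMAIN\DeniedGroup is a placeholder; substitute a name from step 1.
EXEC xp_logininfo @acctname = N'DOMAIN\DeniedGroup', @option = 'members';

-- 3. If the deny on that group is not intended, remove it. REVOKE clears the
--    DENY without granting anything, so members then connect only through
--    whatever other logins or groups grant them CONNECT SQL.
-- REVOKE CONNECT SQL FROM [DOMAIN\DeniedGroup];
```

If the deny is intentional, the alternative to step 3 is removing the affected account from the denied group in Active Directory, since a grant through another group does not override it.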