Login failed for user with token-based server access validation error


Rayven
Can anyone help as I am at a loss with this one.

I am running SQL Server 2000 Standard Edition on a Windows Server 2003 standard edition machine.

The way our in-house developed .NET applications and SQL Server work is simply as follows.
Each application has an Active Directory group created for it, and users that are permitted to access the application are then added to the group.
This AD group is then added into SQL Server, mapped to the appropriate databases, and then either granted permissions on the required objects, or are assigned to a database role that carries the required permissions.

Up until today this has worked like a charm. That was until two users requested access to one of the applications. Both were set up identically and we've double checked everything, however when one of the users attempts to run the application, it reports that they do not have permissions and the following log is recorded in the SQL Server log.

Login failed for users 'xxx\xxx'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: xxx.xxx.xxx.xxx]
Error: 18456, Severity: 14, State: 11

I've tried Googling the problems but what I'm reading makes no sense at all.


---------------------------------------
It is by caffeine alone I set my mind in motion.
It is by the Beans of Java that thoughts acquire speed,
the hands acquire shaking, the shaking becomes a warning.
It is by caffeine alone I set my mind in motion.
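
Added example, not part of any post in this thread: a small triage script that pulls the 18456 State 11 entries quoted above out of a SQL Server error log and reports which logins still fail after a given time, such as the user's next logon. The log lines are constructed, and the timestamp/source layout, logins and addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (assumed ERRORLOG layout: timestamp, source, message).
SAMPLE_LOG = r"""
2009-01-27 09:02:11.40 Logon       Error: 18456, Severity: 14, State: 11.
2009-01-27 09:02:11.40 Logon       Login failed for user 'CORP\alice'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: 10.0.0.21]
2009-01-27 09:05:47.13 Logon       Error: 18456, Severity: 14, State: 8.
2009-01-27 09:05:47.13 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.99]
2009-01-27 11:30:02.77 Logon       Login failed for user 'CORP\alice'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: 10.0.0.21]
2009-01-27 11:30:02.77 Logon       Error: 18456, Severity: 14, State: 11.
2009-01-27 11:41:19.05 Logon       Error: 18456, Severity: 14, State: 11.
2009-01-27 11:41:19.05 Logon       Login failed for user 'CORP\bob'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: 10.0.0.34]
"""

LINE = re.compile(r"^(\S+ \S+)\s+\S+\s+(.*)$")
ERROR = re.compile(r"Error: 18456, Severity: \d+, State: (\d+)")
FAILED = re.compile(r"Login failed for users? '([^']+)'.*?\[CLIENT: ([^\]]+)\]")
FMT = "%Y-%m-%d %H:%M:%S.%f"

def token_failures(log_text):
    """Return {login: [(datetime, client), ...]} for 18456 State 11 entries."""
    out, pending = defaultdict(list), None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.groups()
        e, f = ERROR.search(msg), FAILED.search(msg)
        if not (e or f):
            continue
        cur = (ts, "state", int(e.group(1))) if e else (ts, "login", f.groups())
        # The error line and the message line share a timestamp; accept either order.
        if pending and pending[0] == ts and pending[1] != cur[1]:
            state = cur[2] if e else pending[2]
            login, client = pending[2] if e else cur[2]
            if state == 11:
                out[login].append((datetime.strptime(ts, FMT), client))
            pending = None
        else:
            pending = cur
    return dict(out)

def still_failing(failures, relogon_time):
    """Logins with a State 11 failure later than the given (re)logon time."""
    return sorted(login for login, hits in failures.items()
                  if any(ts > relogon_time for ts, _ in hits))
```
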

K. Brian Kelley
Is that one user a member of a lot of Windows groups (including nesting)? Is the user having login issues for any other resources (such as file shares, Exchange, etc.)?

K. Brian Kelley
@kbriankelley
Rayven
All users within the company are members of quite a number of groups as they control all our resources, however we do not allow nesting.

What was peculiar is that other people who can gain access are members set up identically, with exactly the same groups.

However we believe we know what the issue might be, and that is down to replication of the Active Directory as a user who was experiencing similar problems yesterday, even after repeatedly logging in and out of the network for over 2 hours, found they had access this morning.

If this user can gain access to the system tomorrow then this is the most likely cause. However I am still open to other suggestions in case I am wrong.



K. Brian Kelley
Unless you have a lot of sites with multiple site links, it shouldn't normally take that long for security changes to replicate. What may be, though, is that the change was made after the user logged in. When a user logs in, the security token is built based on current memberships (so far as the domain controller knows). If a change is made after that, the security token isn't updated until the user logs in again.

Rayven
As soon as a change is made to a group or user, we always ensure that they log out of the network and log back in to ensure that the security token is updated. However I suspect that this may be occurring before replication can take place which will result in the same issue.

We have a considerable number of servers within the domain that are off-site, both in this country and overseas, and I suspect that there is something amiss with its configuration as I sometimes get errors when my Outlook somehow tries to connect to an Exchange server in a branch overseas when sending mail!?!?!? But that is one for the networking department to resolve.



K. Brian Kelley
Rayven (1/27/2009)
As soon as a change is made to a group or user, we always ensure that they log out of the network and log back in to ensure that the security token is updated. However I suspect that this may be occurring before replication can take place which will result in the same issue.

We have a considerable number of servers within the domain that are off-site, both in this country and overseas, and I suspect that there is something amiss with its configuration as I sometimes get errors when my Outlook somehow tries to connect to an Exchange server in a branch overseas when sending mail!?!?!? But that is one for the networking department to resolve.


Exchange configuration doesn't necessarily equal how the rest of the domain is configured. There was advice about putting Exchange in its own sites so that it had dedicated global catalog servers, etc. However, if you're connecting to domain controllers overseas, when there are some locally, then that would indicate an issue. I hope that the physical site topology within AD has been set up correctly and not just as one big default site (which I've seen).

Rayven
Erm, having seen the way that the network department configured Active Directory, it was migrated directly from the original domain, so it is just one huge chunk.

Don't ask me why they did it like that, I'm sure they had their reasons.



K. Brian Kelley
Rayven (1/27/2009)
Erm, having seen the way that the network department configured Active Directory, it was migrated directly from the original domain, so it is just one huge chunk.

Don't ask me why they did it like that, I'm sure they had their reasons.


Then I'm glad I'm not the directory services administrator there. I'd be pulling my hair out. I took my directory services admin hat off as of Dec. 31st and I have no real desire to put it back on. So I'll end my comments about AD on this thread here.

SA-1
So was this an AD replication issue?

I'm getting the same "Token" based error when I add a user from a new domain to an existing domain. I've detailed the problem

http://www.sqlservercentral.com/Forums/Topic690161-146-1.aspx
Deb Anderson
I am also having a very similar issue. Did this ever get resolved?
