Data Access Technologies

(Data Access, XML, SSIS, LINQ, System.Data ...)

Error Message "Login failed. The login is from an untrusted domain and cannot be used with Windows authentication."


My name is Archana CM, from the Microsoft SQL Developer Support team. We support SQL connectivity issues along with data access technologies and SSIS.

I had a chance to work with a SQL DBA who was having issues connecting to his SQL Server machine. We have seen many SQL connectivity issues, but the solution we provided for this one was simple and different.

In today's blog I am sharing how we resolved the issue for him and what problems he was facing.

The main issue was that when the BizTalk service was executed, it threw the error message below on the application server.

Error Message

==================

Failed to contact the SSO database: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)

Data Source=SQLSERVERNAME;Integrated Security=SSPI;Initial Catalog=SSODB

Error code: 0x800710D9, Unable to read from or write to the database.

I followed all the steps we normally use to troubleshoot a connectivity issue, but none of them resolved this issue. Some of the important steps were:

Step 1:

Ran a UDL test; it failed to connect to SQL Server "SQLSERVERNAME" from the BizTalk server.

Error Message

==============

Microsoft Data Link Error

---------------------------

Test connection failed because of an error in initializing provider. [DBNETLIB][ConnectionOpen (Connect()).]SQL Server does not exist or access denied.

---------------------------

OK

---------------------------

Step 2:

Created the SQL account and tested it; it was still failing.

Microsoft Data Link Error

---------------------------

Test connection failed because of an error in initializing provider. Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.

---------------------------

OK

---------------------------

Step 3:

We forced Named Pipes (NP) and TCP with port 1433, but the issue stayed the same.

SQL Server Native Client Data Link Error

---------------------------

[Microsoft SQL Server Native Client 10.0]: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.

---------------------------

OK

---------------------------

Step 4:

Made a registry change to "DisableLoopbackCheck" under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa".

We added this registry change and rebooted; it still failed, with the error below.

SQL Server Native Client Data Link Error

---------------------------

[Microsoft SQL Server Native Client 10.0]: Login timeout expired [Microsoft SQL Server Native Client 10.0]: A network-related or instance-specific error has occurred while establishing a connection to SQL Server. Server is not found or not accessible. Check if instance name is correct and if SQL Server is configured to allow remote connections. For more information see SQL Server Books Online. [Microsoft SQL Server Native Client 10.0]: Named Pipes Provider: Could not open a connection to SQL Server [53].

---------------------------

OK

---------------------------

Step 5:

I collected Netmon and Profiler traces. I could see all the connections and communication from the BizTalk server to SQL Server in SQL Profiler and Netmon, but we still saw the login failure.

Step 6:

Checked for Kerberos; Kerberos was not enabled on Active Directory.

We enabled Kerberos on Active Directory. I could also see the correct SPN for the SQL account for SQL Server, but the result was the same.

Even after these changes and with correct settings, BizTalk was not able to connect to SQL Server.

We thought it might be an issue with security.

We added the SQL account to the "Access this computer from network" policy under Local Security Policy -> Local Policies -> User Rights Assignment -> "Access this computer from network".

This resolved the issue for us.

Note that this Local Security Policy setting alone did not resolve the issue; Kerberos was also very important.
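The user-right check described above can be audited from a policy export instead of the GUI. The following is an added example, not part of the original post: it parses `secedit /export /areas USER_RIGHTS` output for SeNetworkLogonRight (the privilege behind "Access this computer from the network") and its deny counterpart. The account name `CONTOSO\svc-sql` and the sample policy lines are constructed assumptions.

```powershell
# Added example: report who holds the network logon right on this machine.
$Account = 'CONTOSO\svc-sql'   # hypothetical account name, replace with yours

function Resolve-Principal([string]$Entry) {
    # secedit writes SIDs as *S-1-...; other names appear as plain text
    if ($Entry -match '^\*(S-1-[0-9-]+)$') {
        $sid = $Matches[1]
        try {
            $obj = New-Object System.Security.Principal.SecurityIdentifier($sid)
            return $obj.Translate([System.Security.Principal.NTAccount]).Value
        } catch { return $sid }   # orphaned SID or non-Windows host
    }
    return $Entry
}

function Get-NetworkLogonRight([string[]]$InfLines) {
    $rights = @{ SeNetworkLogonRight = @(); SeDenyNetworkLogonRight = @() }
    foreach ($line in $InfLines) {
        if ($line -match '^\s*(SeNetworkLogonRight|SeDenyNetworkLogonRight)\s*=\s*(.*)$') {
            $name = $Matches[1]; $value = $Matches[2]
            $rights[$name] = @($value -split ',' | ForEach-Object { $_.Trim() } |
                Where-Object { $_ } | ForEach-Object { Resolve-Principal $_ })
        }
    }
    return $rights
}

function Test-NetworkLogon([hashtable]$Rights, [string]$Name) {
    # A deny entry overrides any allow entry. Only direct entries are matched;
    # grants through groups (Everyone, Users, ...) must be checked by hand.
    if ($Rights.SeDenyNetworkLogonRight -contains $Name) { return 'Denied' }
    if ($Rights.SeNetworkLogonRight -contains $Name) { return 'Granted directly' }
    return 'Not listed directly: check group membership'
}

# Constructed sample of a secedit export, used when no live export exists
$sample = @(
    '[Privilege Rights]',
    'SeNetworkLogonRight = *S-1-5-32-544,CONTOSO\svc-sql',
    'SeDenyNetworkLogonRight = *S-1-5-32-546'
)
$cfg = Join-Path ([IO.Path]::GetTempPath()) 'user_rights.inf'
# Run elevated on the SQL Server host to read the live policy
if (Get-Command secedit.exe -ErrorAction SilentlyContinue) {
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
}
$lines = if (Test-Path $cfg) { Get-Content $cfg } else { $sample }
$rights = Get-NetworkLogonRight $lines
$rights.GetEnumerator() | ForEach-Object { '{0}: {1}' -f $_.Key, ($_.Value -join '; ') }
"$Account -> $(Test-NetworkLogon $rights $Account)"
```

Prefer granting the right to the specific service account or a dedicated group rather than widening it to broad groups, and confirm the account is not covered by "Deny access to this computer from the network".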

Hope this blog and my experience will help you to troubleshoot similar issues.

Happy Troubleshooting!!!!

 

Author: Archana (MSFT), SQL Developer Engineer, Microsoft

Reviewed by: Snehadeep (MSFT), SQL Developer Technical Lead, Microsoft

  • Thanks Archana! I assume this registers 18456 errors in the log; if so, can you share what state gets associated with the error message?

    Thanks,

    Aaron

  • We have the same issue; the Windows team has set policies to not accept connections between different domains. They did not want a trust between production and non-production domains. So if I try to connect via SQL account or Windows account, we get the same error "The login is from an untrusted domain and cannot be used with Windows authentication".

  • Hi Archana, thanks a lot for sharing this information. Your blog helped me to fix my ongoing production issue.

  • Also check your TCP port; if it doesn't work, try the named pipes option from the client configuration when making the connection string in the dialog box. I changed to named pipes and this worked for me.

  • We experienced this issue when we created a DNS alias pointing to the server's IP address (instead of the server's FQN).

    We didn't register an SPN for the alias name.

    Only after we modified the alias to point to the server FQN the problem disappeared.
