Interesting one today:
In our lab, this error propped up in one of the environments that relies on replication heavily.
Problem Definition:
Sql Agent jobs for all the Logreader Agents & Distribution Agents are spitting out this error message while they are in an endless loop to “retry”.
Login failed for user.
Reason: Attempting to use an NT account name with SQL Server Authentication.
[CLIENT: 'machine IP']
The error makes sense, but it does not seem actionable.
Context:
Replication is carried out between Publisher-to-Distributor-to-Subscriber (simple terms). This action is carried out by Sql Agent job running on Distributor.
Each agent, runs under the security context of a user account (Local OS or Domain account). Since some of these agents needs to talk to Publisher or Subscriber or both, they need proper privileges on all the machines to be able to carry out operations.
Usually when all the machines are in a domain, a single account runs the Agent jobs and also has permissions to connect to Subscriber & Publisher. But we have an extra option in the replication UI.
We could set up one account to run the agent on Distributor; Another to connect to Publisher or Distributor.
- For LogReader agent, it needs permissions on Distributor & Publisher
- For Distribution Agent, it needs permissions on Distributor & Subscribers
See the image below for how security is set up for LogReader Agent:
In the window above, the top section shows under what user context the agent runs on Distributor. Since it also need to connect to Publisher, in the bottom portion, it shows the account needed to connect to Publisher.
To make things easier, we have two options:
- By Impersonating the process account:
- We could use the same account mentioned the top section or give a new account.
- Use the following Sql Server Login:
- This new account needs to be a Sql Server Login (and not windows or domain account).
Resolution:
The line in red above was the root of the problem.
Someone selected “Use the following Sql Server Login” to “Connect to the Publisher” and provided a Domain account, rather than a Sql Server Login.
Hence the error message :
Attempting to use an NT account name with SQL Server Authentication.
Either provide correct Sql Login or choose “By Impersonating the process account”.
More Info: When you “impersonate process account” it uses the same account under which the LogReader agent runs on Distributor — hence called Process Account
_Sqltimes