Sql Server Error : An invalid parameter or option was specified for procedure ‘sys.sp_change_users_login’

Interesting one today:

Occasionally, when we restore databases from backups, we need to fix orphan users. Recently, a few years ago, we discussed about fixing orphan users using script. Here we’ll look at a scenario, where the regular orphan users script will not work. 

Error Message:

Msg 15600, Level 15, State 1, Procedure sp_change_users_login, Line 214 [Batch Start Line 61]
An invalid parameter or option was specified for procedure ‘sys.sp_change_users_login’.

The script “EXEC sp_change_users_login 'Auto_Fix', 'user'” only works for Sql Authentication based logins and not for Windows-level principals or non-login based users. See MSDN article for more details.

A user without login would look like this, in SSMS:

Sql Users Without Login

In such scenarios,

• sp_change_users_login cannot be used to map database users to Windows-level principals, certificates, or asymmetric keys.
• sp_change_users_login cannot be used with a SQL Server login created from a Windows principal or with a user created by using CREATE USER WITHOUT LOGIN.

 

Hope this helps,

_Sqltimes

Read Full Post »

Sql Server : What permissions does my account have on the database?

Interesting one today:

Recently, we covered a post on detailed permissions, in the entire database, on all resources assigned to all the principals. Today we’ll see a slight variation of it, that is more focused on current user.

What permissions does my account have in the database?

Sql Server provides a built-in function call ‘fn_my_permissions‘ that lists all permissions current user has on a given object. Once we wrap this into a loop and query all the objects in the database and PIVOT the result set, we get a usable & actionable list of permissions on all objects for the current user.

To extend this further, we could run the same script with ‘EXECUTE AS USER = ”‘ to capture permissions assigned to any other user (of course, you’d first need permissions to be able to impersonate that user)

--
--	What are my permissions
--

--EXECUTE AS USER = 'kelly'
--SELECT SYSTEM_USER, SESSION_USER

--
--	Variable declaration
--
DECLARE @v_Sql VARCHAR(MAX)
DECLARE @Tbl_Perms TABLE (entity_name VARCHAR(100) NULL, Type VARCHAR(50) NULL, permission_name VARCHAR(50) NULL, Permission_value INT NULL)

--
--	Generate Sql Query to get permissions on all the objects
--
SELECT @v_Sql = ''

SELECT @v_Sql = @v_Sql + 'SELECT entity_name, ''' + type_desc + ''' AS [Type], permission_name, 1 AS [Permission_value] FROM fn_my_permissions(''' + s.name + '.' + o.name + ''',''object'') WHERE subentity_name IS NULL OR subentity_name = '''' UNION '
FROM sys.objects AS O
INNER JOIN sys.schemas AS S
	ON O.schema_id = S.schema_id
WHERE O.type IN	(	  'U'		--	USER_TABLE
					, 'V'		--	VIEW
					, 'P'		--	SQL_STORED_PROCEDURE
					, 'FN'		--	SQL_SCALAR_FUNCTION
					, 'IF'		--	SQL_INLINE_TABLE_VALUED_FUNCTION
					, 'TF'		--	SQL_TABLE_VALUED_FUNCTION
					, 'TR'		--	SQL_TRIGGER
					, 'S'		--	SYSTEM_TABLE
					, 'SN'		--	SYNONYM
				)
--	AND O.SCHEMA_ID = 1
ORDER BY O.type ASC, O.name ASC

--
--	Add Certifcate Permissions
--
SELECT @v_Sql = @v_Sql + ' SELECT entity_name, ''Certificate'' AS [Type], permission_name, 1 AS [Permission_value] FROM fn_my_permissions(''' + name + ''', ''Certificate'') UNION '
FROM sys.certificates

--
--	Add symmetric_keys Permissions
--
SELECT @v_Sql = @v_Sql + ' SELECT entity_name, ''Symmetric Keys'' AS [Type], permission_name, 1 AS [Permission_value] FROM fn_my_permissions(''' + name + ''', ''Symmetric Key'') UNION '
FROM sys.symmetric_keys

--
--	Add asymmetric_keys Permissions
--
SELECT @v_Sql = @v_Sql + ' SELECT entity_name, ''Asymmetric Keys'' AS [Type], permission_name, 1 AS [Permission_value] FROM fn_my_permissions(''' + name + ''', ''Asymmetric Key'') UNION '
FROM sys.asymmetric_keys

--
--	Add Server and Database permissions
--
SELECT @v_Sql = @v_Sql + ' SELECT entity_name, ''Database'' AS [Type], permission_name, 1 AS [Permission_value] FROM fn_my_permissions(NULL, ''Database'') UNION SELECT entity_name, ''Server'' AS [Type], permission_name, 1 AS [Permission_value] FROM fn_my_permissions(NULL, ''Server'')'

--PRINT @v_Sql

--
--	Insert into a temp table
--
INSERT INTO @Tbl_Perms
EXEC (@v_Sql)

--
--	Pivot into a matrix
--
; WITH Perms AS
	(
		SELECT entity_name, [Type], [SELECT], [INSERT], [UPDATE], [DELETE], [EXECUTE], [ALTER], [VIEW DEFINITION], [CONTROL], [REFERENCES], [TAKE OWNERSHIP], [CONNECT SQL], [ALTER TRACE], [VIEW ANY DATABASE], [CONTROL SERVER], [CONNECT]
		FROM (SELECT entity_name, [Type], permission_name, Permission_Value FROM @Tbl_Perms) AS S
		PIVOT
			(
				MAX(S.Permission_Value)
				FOR S.Permission_name IN ([SELECT], [INSERT], [UPDATE], [DELETE], [EXECUTE], [ALTER], [VIEW DEFINITION], [CONTROL], [REFERENCES], [TAKE OWNERSHIP], [CONNECT SQL], [ALTER TRACE], [VIEW ANY DATABASE], [CONTROL SERVER], [CONNECT])
			) AS PVT
	)

--
--	Returning it all together
--
SELECT * FROM Perms
ORDER BY [Type] ASC
GO

--
--	Execute as Identified User above
--
--REVERT
--SELECT SYSTEM_USER, SESSION_USER
GO

The result set is a PIVOTed table with clear list of permissions on each object.

 

Hope this helps,
_Sqltimes

 

Read Full Post »

Sql Server : List of Detailed Permissions on Each Object

Interesting one today:

Quite often, we need a quick way to check if correct permissions are granted on the database objects. Since there could be thousands of such objects with hundreds of different possible permissions, this gets a bit daunting.

In the past, we’ve seen some dynamic between Roles, Logins, Users & Permissions. Today, we’ll look into a quick way to a query to retrieve permissions on all objects for all principals; Then we can filter further and focus on the objects/logins we need.

--
-- Detailed Permissions<span id="mce_SELREST_start" style="overflow:hidden;line-height:0;">&#65279;</span>
--
SELECT    P.class_desc                          AS [Permission_Category]
		, P.grantee_principal_id				AS [Principal_ID]
		, L.name                                AS [Principal_Name]
		, L.type_desc							AS [Principal_Type]
		, P.major_id							AS [ID_of_Resource]
		, CASE P.class_desc
			WHEN 'CERTIFICATE' THEN C.name
			WHEN 'SYMMETRIC_KEYS' THEN S.name
			WHEN 'TYPE' THEN T.name
			ELSE O.name
		  END									AS [ObjectName]
		, O.type_desc							AS [Detailed_Object_Type]
		, P.state_desc                          AS [Permission]
		, G.name                                AS [Who_Gave_This_Permission]

FROM sys.database_permissions AS P
INNER JOIN sys.database_principals AS L
       ON L.principal_id = P.grantee_principal_id
LEFT OUTER JOIN sys.database_principals AS G
       ON G.principal_id = P.grantor_principal_id
LEFT OUTER JOIN sys.objects AS O
       ON O.object_id = P.major_id
LEFT OUTER JOIN sys.symmetric_keys AS S
       ON S.symmetric_key_id = P.major_id
LEFT OUTER JOIN sys.Certificates AS C
       ON C.certificate_id = P.major_id
LEFT OUTER JOIN sys.types AS T
	ON T.user_type_id = P.major_id
WHERE P.major_id &gt;= 0      --     Ignore system objects
ORDER BY P.class_desc, L.name ASC
GO

Hope this helps,
_Sqltimes

Read Full Post »

Sql Server : Login failed for user. Reason: Attempting to use an NT account name with SQL Server Authentication. [CLIENT: ]

Interesting one today:

In our lab, this error propped up in one of the environments that relies on replication heavily.

Problem Definition:

Sql Agent jobs for all the Logreader Agents & Distribution Agents are spitting out this error message while they are in an endless loop to “retry”.

Login failed for user. 
Reason: Attempting to use an NT account name with SQL Server Authentication.
[CLIENT: 'machine IP']

The error makes sense, but it does not seem actionable.

Context:

Replication is carried out between Publisher-to-Distributor-to-Subscriber (simple terms). This action is carried out by Sql Agent job running on Distributor.

Each agent, runs under the security context of a user account (Local OS or Domain account). Since some of these agents needs to talk to Publisher or Subscriber or both, they need proper privileges on all the machines to be able to carry out operations.

Usually when all the machines are in a domain, a single account runs the Agent jobs and also has permissions to connect to Subscriber & Publisher. But we have an extra option in the replication UI.

We could set up one account to run the agent on Distributor; Another to connect to Publisher or Distributor.

• For LogReader agent, it needs permissions on Distributor & Publisher
• For Distribution Agent, it needs permissions on Distributor & Subscribers

See the image below for how security is set up for LogReader Agent:

In the window above, the top section shows under what user context the agent runs on Distributor. Since it also need to connect to Publisher, in the bottom portion, it shows the account needed to connect to Publisher.

To make things easier, we have two options:

1. By Impersonating the process account:
   1. We could use the same account mentioned the top section or give a new account.
2. Use the following Sql Server Login:
   1. This new account needs to be a Sql Server Login (and not windows or domain account).

Resolution:

The line in red above was the root of the problem.

Someone selected “Use the following Sql Server Login” to “Connect to the Publisher” and provided a Domain account, rather than a Sql Server Login.

Hence the error message :

Attempting to use an NT account name with SQL Server Authentication.

Either provide correct Sql Login or choose “By Impersonating the process account”.

More Info: When you “impersonate process account” it uses the same account under which the LogReader agent runs on Distributor — hence called Process Account

 

Hope this helps,
_Sqltimes

 

Read Full Post »

Sql Server : The target principal name is incorrect. Cannot generate SSPI context

Interesting Problem Today:

Ran into this issue a few times and every time its a variation of the same headache. So, here some ideas will be documented for posterity.

In general terms, the error looks like this:

Connecting to Subscriber ''
Agent message code 20084. The process could not connect to Subscriber ''
Microsoft SQL Server Native Client 11.0
SQL Server Network Interfaces: The target principal name is incorrect.
Cannot generate SSPI context

The error message seems nebulous and confusing — but for trained eyes it makes perfect sense. For me it took a while to make sense out of it.

There could be several things wrong under the hood, but essentially it says that the target SQL server that is is trying to connect to, does not have a valid SPN with Active Directory.

Meer from Microsoft has documented some information on troubleshooting this issue here. For more details, please read his article, as I’ll over simplify things and address a variation of the problem in this articles (which will be slightly different from his).

Example:

From SQLServerA, using UserA, if I’m trying to connect to SqlServerB, sometimes I get this error. Essentially, means SqlServerB does not have a valid SPN.

Resolution:

First, log into the machine that has SqlServerB. Open command prompt with Administrative privileges. Run the command below to see if there is a valid SPN.

 

SETSPN -L <SQL Server Instance Service Account>

 

If the output looks like the first image below, then the Sql Server instance does not have a valid SPN. Now its time to generate one.

Output without valid SPN:

Invalid SPN

Step 2: Download Kerberos Configuration Manager for SQL Server from here, and start generating one.

Step 3: Open Kerberos Configuration Manager for SQL Server from the same machine that has SqlServerB instance. When you run it, it shows something like this:

 

Kerberos Tool Output

Notice that for Sql Server service, there is not valid SPN or misplaced SPN. So its time to generate one.

Step 4: Hit the “Fix it” button right next to it and generate one. Make sure the user account that is logged into the machine has domain controller permissions.

Step 5: Now run the same command as in Step 1, and the output looks different.

Output with valid SPN:

Valid SPN

 

Voila !! Now you are able to connect to SqlServerB from SqlServerA using UserA

 

 

Hope this helps,
_Sqltimes

Read Full Post »

Sql Server : Using T-SQL Change Login Password

Quick  one today:

With regular frequency, there is a need sometimes to change the password of a login. Using SSMS, its an easy step. But when we have a lot of such changes, its gets easier to use T-SQL script.

--
-- Change Login Password
--
ALTER LOGIN LoginName
WITH PASSWORD = 'NewPassword'
GO

For more  info

Hope this helps,
_Sqltimes

Read Full Post »

Sql Server: The Activity Monitor is unable to execute queries against server. Activity Monitor for this instance will be placed into a paused state. Use the context menu in the overview pane to resume the Activity Monitor. Access is denied.

Interesting one today:

We have a bunch of lab Sql Server boxes machines and sometimes after a fresh Sql Server install, when we try to open Activity Monitor, we run into this problem.

Error:

 

TITLE: Microsoft SQL Server Management Studio
 ------------------------------

The Activity Monitor is unable to execute queries against server DC2POLTPS02.
 Activity Monitor for this instance will be placed into a paused state.
 Use the context menu in the overview pane to resume the Activity Monitor.

Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) (mscorlib)

------------------------------

Since these are lab machines, we are remotely logged into the machines and looks like there is some setting that prevents Activity Monitor from opening successfully. Activity Monitor provides great detail on what is going on with Sql Server at any given point-in-time and such activity needs “high level insight” into the Operating System and Sql Server; Such “high level” permissions are not enabled by default for user accounts.

Following steps show a way to enable elevated permissions when logged in remotely.  From what I could gather from Microsoft Connect this seems like elevated permissions on remote operating system’s DCOM. So we need to enable Remote Launch & Remote Activation permissions on remote Operating System (lab machine)

Resolution:

RDP to the remote machine and

1. Open Component Services (DCOMCNFG) from start menu
2. In the left hand tree, under Console Root, expand Component Services, expand Computers, right-click on My Computer and go to Properties
3. In My computer Properties window, go to COM Security tab.
4. In the Launch and Activation Permissions section, click on Edit Limits button.
   1. In the Security Limits tab, see if your user/group name exists. If not add to the list by clicking on Add button.
   2. Once user is added, highlight the user and make sure it has both Remote Launch & Remote Activation permissions checked.
5. In the Access Permissions section, click on Edit Limits button
   1. In the Security Limits tab, see if your user/group name exists. If not add to the list by clicking on Add button.
   2. Once user is added, highlight the user and make sure it has Remote Access permissions checked.
6. Hit Okay to save changes.
7. Now expand the My Computer in the left-hand tree and go to DCOM Config.
   1. Find Windows Management and Instrumentation and go to Properties.
   2. Go to Security tab and under Launch and Activation Permissions section, click on Edit button
   3. In the Security tab, see if your user/group name exists. If not add to the list by clicking on Add button.
   4. Once user is added, highlight the user and make sure it has both Remote Launch & Remote Activation permissions checked.
   5. (See the image below)
8. Save all changes and re-open Activity Monitor

Activity Monitor Error

 

 

 

Hope this helps,
_Sqltimes

Read Full Post »

Sql Server : SQL Server blocked access to STATEMENT ‘OpenRowset/OpenDatasource’ of component ‘Ad Hoc Distributed Queries’ because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of ‘Ad Hoc Distributed Queries’ by using sp_configure. For more information about enabling ‘Ad Hoc Distributed Queries’, search for ‘Ad Hoc Distributed Queries’ in SQL Server Books Online

Quick one today:

A few days ago, this error appeared on one of our lab machines.

Error Message:

Msg 15281, Level 16, State 1, Line 16
SQL Server blocked access to STATEMENT 'OpenRowset/OpenDatasource' of component 
'Ad Hoc Distributed Queries' because this component is turned off as part of 
the security configuration for this server. A system administrator can enable 
the use of 'Ad Hoc Distributed Queries' by using sp_configure. For more information 
about enabling 'Ad Hoc Distributed Queries', search for 'Ad Hoc Distributed Queries'
in SQL Server Books Online.

Resolution:

This is an easy error to fix — as the error message is pretty verbose and self-explanatory. After making sure that ad hoc distributed queries are allowed (acceptable to be executed) in your sql environment, run the following query to enable execution of ad hoc in your Sql instance.

--
-- Check current status of Ad Hoc Distributed Queries
--
SELECT * FROM sys.configurations WHERE name LIKE '%ad hoc Dis%'
GO

--
-- Enable Ad Hoc Distributed Queries
--
EXEC sp_configure 'show advanced options', 1
GO
RECONFIGURE
GO
EXEC sp_configure 'Ad Hoc Distributed Queries', 1
GO
EXEC sp_configure 'show advanced options', 0
GO
RECONFIGURE
GO

 

Hope this helps,
_Sqltimes

 

Read Full Post »

Sql Server : Free Books

Quick one today:

Every now and then, when good Sql Server resources are available, they are posted here for more people to benefit from them. Continuing on that tradition, today we have a gold mine. Microsoft has released many, many & many e-books open to public to download for free. In the list there are several Sql Server books along with BI, Windows, Office, SharePoint, etc

Happy learning !!

 

Hope this helps,
_Sqltimes

Read Full Post »

Sql Server : Login failed for user ‘distributor_admin‘. Error number: 18456)

Quick one today:

Recently, on one of our lab machines, this error occurred with replication. On the surface ‘distributor_admin‘ login seems familiar (Obvious with its naming), but we do not configure this login anywhere during replication set up (on the surface).

Login failed for user ‘distributor_admin‘. (Source: MSSQLServer, Error number: 18456)

First we’ll directly get to ideas on resolving it, then we’ll look at some internal details.

Resolution:

1. If you have the password for Distributor_admin, update publisher with it. Go to Replication >> Publisher Properties >> (enter the password in the ‘Administrative Link Password‘ section).

2. 

   Publisher Properties Password

3. If you do not have the password, then we need to first reset it.
   • Go to Distributor. Right click on Replication >> Distributor Properties >> Publisher tab >> (set new password in the ‘Administrative Link Password‘ section)
   • Now, go to Publisher and implement Step 1 (above) on the Publisher.

Distributor Properties Password

 

Story:

In Sql Server, all interactions are carried out under clearly defined security logins and their corresponding roles (for better security management). Same applies to Replication as well. When we configure Distributor, a new default login (a.k.a. distributor_admin) is created; we specify password as part of ‘Configure Distributor‘ wizard. If you go to logins section on the distributor machine, we could see the new login. This login is used to perform any operations on Distributor.

Distributor_admin Login on Distributor

When we configure Publisher, we specify this password (for the default login ‘distributor_admin‘), that the Publisher uses to connect to Distributor. This servers two purposes.

• Provides proper security context for Publisher to establish linked server connection to Distributor and perform any necessary activities.
• Provides Distributor that this Publisher (with correct password) is authorized to remotely carry out operations in Distributor.

Hence it is called Administrative Link Password. For more information, please go through this MSDN article.

 

Hope this helps,
_Sqltimes

Read Full Post »