First published on MSDN on Sep 28, 2015

Mirek Sztajno
Last updated on 09/28/15

Examples of some connection errors for Azure Active Directory Authentication with Azure SQL DB V12

(*) Please note that this table does not represent a complete sample of connection errors for Azure AD authentication and will be extended based on new connection errors experienced by end-users.

Error Message | Reason | Action

Error: 18456

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. (.Net SqlClient Data Provider)

Cannot connect xxxxx.database.windows.net

For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft%20SQL%20Server&EvtSrc=MSSQLServer...

Reason: There are many scenarios that may cause this error. Generally, the user does not have permission to connect to a database (i.e. the Azure AD user has not been granted CONNECT permission to the database he tries to connect to).

Action: Please check the user's CONNECT permission.



Error: 40607

Windows logins are not supported in this version of SQL Server. (Microsoft SQL Server, Error: 40607)

Reason: Indicates that the required software for Azure AD auth is not installed (i.e. old version of SSMS, no .NET 4.6, no ADALSQL.DLL).

Action: Check the necessary software is installed. Don’t forget to reboot the machine if .NET 4.6 was installed.

Error: 10054

Cannot connect to myserver1.database.windows.net.

A connection was successfully established with the server, but then an error occurred during the login process. (provider: TCP Provider, error: 0 - An existing connection was forcibly closed by the remote host.) (Microsoft SQL Server, Error: 10054)

For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft%20SQL%20Server&EvtSrc=MSSQLServer&EvtID=100...

Reason: V11 server with managed/federated account.

Action: Migrate to V12 server.

Error code 0xCAA90020; state 10

Failed to authenticate the user aadtest@live.com in Active Directory (Authentication=ActiveDirectoryPassword).

Error code 0xCAA90020; state 10

Url for WS-Trust metadata exchange endpoint is not a secure (https).

Reason: MSA account is not supported.

Action: Choose another user supported for Azure AD auth.

Error code 0xCAA20002; state 10

Failed to authenticate the user admin@myaad.onmicrosoft.com in Active Directory (Authentication=ActiveDirectoryPassword).

Error code 0xCAA20002; state 10

AADSTS90002: Requested tenant identifier '00000000-0000-0000-0000-000000000000' is not valid. Tenant identifiers may not be an empty GUID.

Trace ID: 35e5628c-62e2-466f-9f5d-722f1c34d984

Correlation ID: 77d83afa-541a-4ea8-a942-8442e3c367a7

Timestamp: 2015-08-28 03:10:01Z (.Net SqlClient Data Provider)

Reason: External admin on SQL server is not set.

Action: Check the external admin configuration.

Error code 0xCAA20003; state 10

Failed to authenticate the user bob@contoso.com in Active Directory (Authentication=ActiveDirectoryPassword).

Error code 0xCAA20003; state 10

ID3242: The security token could not be authenticated or authorized.

Reason: Wrong username/password for Active Directory Password Authentication targeting federated tenant.

Action: Ensure the username and password are correct for the federated domain to connect.

Error code 0xCAA20003; state 10

Failed to authenticate the user produser@myaad.onmicrosoft.com in Active Directory (Authentication=ActiveDirectoryPassword).

Error code 0xCAA20003; state 10

AADSTS70002: Error validating credentials.
AADSTS50126: Invalid username or password

Trace ID: 3558d287-3ffd-4c53-98ac-08c152a09304

Correlation ID: 036d8ae8-1a26-4437-b0aa-7912f1ba0b46

Timestamp: 2015-09-04 20:34:33Z (.Net SqlClient Data Provider)

Reason: Wrong username/password for Active Directory Password Authentication targeting Managed tenant.

Action: Ensure the username and password are correct for the managed domain to connect.

Error code 0xCAA20064; state 10

Failed to authenticate the user alice@myaad.onmicrosoft.com in Active Directory (Authentication=ActiveDirectoryPassword).

Error code 0xCAA20064; state 10

AADSTS70002: Error validating credentials.
AADSTS50055: Password is expired.

Trace ID: 25d80a2d-c39b-4f03-ac6c-ae547ee33135

Correlation ID: 78ad0aa5-9f5f-4ff6-881b-76c1bdb87f7a

Timestamp: 2015-09-09 17:26:34Z (.Net SqlClient Data Provider)

Reason: Azure AD password expired.

Action: Reset Azure AD password.
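
The Azure AD failures listed above share one message layout: user, Authentication mode, error code and state, optional AADSTS codes, Trace ID, Correlation ID and Timestamp. The following is an added example, not code from the original post, that parses such a message into fields so failures can be grouped by code or matched to Azure AD sign-in records by Correlation ID; the function name `parse_aad_login_error` and the field names are hypothetical, and the layout is assumed only from the messages shown on this page.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the 0xCAA20064 message from the table, with its line wraps.
SAMPLE = """Failed to authenticate the user alice@myaad.onmicrosoft.com in Active Directory
(Authentication=ActiveDirectoryPassword).
Error code 0xCAA20064; state 10
AADSTS70002: Error validating credentials.
AADSTS50055: Password is expired.
Trace ID: 25d80a2d-c39b-4f03-ac6c-ae547ee33135
Correlation ID:
78ad0aa5-9f5f-4ff6-881b-76c1bdb87f7a
Timestamp: 2015-09-09 17:26:34Z (.Net SqlClient Data Provider)"""

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
# \s+ between words tolerates the line wraps seen in copied error dialogs.
FIELDS = {
    "user": r"authenticate the user\s+(\S+)\s+in Active\s+Directory",
    "auth_mode": r"\(Authentication=(\w+)\)",
    "error_code": r"Error code\s+(0x[0-9A-Fa-f]{8})",
    "state": r"Error code\s+0x[0-9A-Fa-f]{8};\s*state\s+(\d+)",
    "trace_id": rf"Trace ID:\s*({GUID})",
    "correlation_id": rf"Correlation ID:\s*({GUID})",
    "timestamp": r"Timestamp:\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})Z",
}

def parse_aad_login_error(text):
    """Extract structured fields from one Azure AD auth failure message.

    Fields absent from the message (for example, the federated ID3242
    failure carries no AADSTS code or Trace ID) come back as None or an
    empty list instead of raising.
    """
    out = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text)
        out[name] = m.group(1) if m else None
    if out["error_code"]:
        out["error_code"] = "0x" + out["error_code"][2:].upper()
    if out["state"]:
        out["state"] = int(out["state"])
    if out["timestamp"]:
        # The trailing Z in the message marks UTC.
        out["timestamp"] = datetime.strptime(
            out["timestamp"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    # Several AADSTS codes can appear; keep first-seen order, no duplicates.
    out["aadsts_codes"] = list(dict.fromkeys(re.findall(r"AADSTS(\d+)", text)))
    return out
```
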