Microsoft
First published on MSDN on May 02, 2008

Understanding the error message: “Login failed for user ''. The user is not associated with a trusted SQL Server connection.”

This exact Login Failed error, with the empty string for the user name, has two unrelated classes of causes, one of which has already been blogged about here: http://blogs.msdn.com/sql_protocols/archive/2005/09/28/474698.aspx .  In addition to an extra space in the connection string, the other class of causes for this error message is an inability to resolve the Windows account trying to connect to SQL Server.  This list is not intended to be exhaustive, but here are several known root causes for this error message.

1) If this error message occurs every time in an application using Windows Authentication, and the client and the SQL Server instance are on separate machines, then ensure that the account being used to access SQL Server is a domain account. If the account being used is a local account on the client machine, then this error message will occur because the SQL Server machine and the Domain Controller cannot recognize a local account on a different machine. The next step is to create a domain account, give it the appropriate access rights to SQL Server, and then use that domain account to run the client application. Note that this case also includes the special accounts “NT AUTHORITY\LOCAL SERVICE” and “NT AUTHORITY\NETWORK SERVICE” trying to connect to a remote SQL Server, when authentication uses NTLM rather than Kerberos.

One very common case where this can occur is when creating web applications with SQL Server and IIS; often, the web page will work during development, then fail with this message after the web site is deployed. This occurs because the developer’s account has access to SQL Server, but the account IIS runs as does not have access. To fix this specific problem, refer to this KB article about impersonating a domain user in ASP.NET: http://support.microsoft.com/kb/306158

2) Similar to above: this error message can appear if the user logging in is a domain account from a different domain that the SQL Server’s domain does not trust. The next step is either to move the client machine into the same domain as the SQL Server and set it up to use a domain account, or to set up mutual trust between the domains. Setting up mutual trust is a complicated procedure and should be done with a great deal of care and due security considerations.

3) This error message can appear immediately after a password change for the user account attempting to log in. This occurs because of caching of the client user’s credentials. The next step here is to log out the application user with the old password, and log in again with the new password before running the application.

4) If this error message only appears sporadically in an application using Windows Authentication, it may be because the SQL Server cannot contact the Domain Controller to validate the user. This may be caused by high network load stressing the hardware, or by a faulty piece of networking equipment. The next step here is to troubleshoot the network hardware between the SQL Server and the Domain Controller by taking network traces and replacing network hardware as necessary.

5)      This error message can appear consistently for local connections using trusted authentication, when SQL Server’s SPN is not interpreted by SSPI as belonging to the local machine.  This can be caused either by a misconfiguration of DNS, or by a machine having multiple names.  If your machine has multiple names, try to work around the need for multiple names and give it a unique name.  If the machine just has one name, then check your DNS configuration.

Dan Benediktson
SQL Server Protocols
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights
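
The list above separates causes by pattern: failing every time from a remote client, failing sporadically, or failing consistently on local connections. The following triage sketch is an added example, not code from the original post or from Microsoft; it groups the empty-user failures in a SQL Server error log by client and maps each pattern to the numbered causes. The sample log lines are constructed, and the script assumes login auditing records both failed and successful logins.

```python
import re
from collections import defaultdict

FAILED = ("Login failed for user ''. The user is not associated "
          "with a trusted SQL Server connection.")
CLIENT = re.compile(r"\[CLIENT: ([^\]]+)\]")

# Constructed sample log lines (not from the original post). Assumes login
# auditing records both failed and successful logins.
SAMPLE_LOG = "\n".join([
    "2008-05-02 10:15:32.45 Logon   Error: 18452, Severity: 14, State: 1.",
    f"2008-05-02 10:15:32.45 Logon   {FAILED} [CLIENT: 192.0.2.10]",
    f"2008-05-02 10:16:01.12 Logon   {FAILED} [CLIENT: 192.0.2.10]",
    r"2008-05-02 10:17:40.03 Logon   Login succeeded for user 'EXAMPLE\app'."
    " Connection: trusted. [CLIENT: 192.0.2.20]",
    f"2008-05-02 10:18:02.77 Logon   {FAILED} [CLIENT: 192.0.2.20]",
    f"2008-05-02 10:19:15.30 Logon   {FAILED} [CLIENT: <local machine>]",
])


def triage(log_text):
    """Return {client: hint} for clients that hit the empty-user failure."""
    stats = defaultdict(lambda: {"failed": 0, "ok": 0})
    for line in log_text.splitlines():
        match = CLIENT.search(line)
        if not match:
            continue  # e.g. the "Error: 18452" header line carries no client
        if FAILED in line:
            stats[match.group(1)]["failed"] += 1
        elif "Login succeeded for user" in line:
            # Caveat: a success from the same client may be a different account.
            stats[match.group(1)]["ok"] += 1

    hints = {}
    for client, seen in stats.items():
        if seen["failed"] == 0:
            continue
        if seen["ok"] > 0:
            hints[client] = ("causes 3-4: intermittent; check for a recent "
                             "password change or Domain Controller reachability")
        elif client == "<local machine>":
            hints[client] = ("cause 5: local connection always fails; "
                             "check SPN, DNS and machine names")
        else:
            hints[client] = ("causes 1-2: remote client always fails; check "
                             "for a local or untrusted-domain account")
    return hints
```

The hints only narrow where to look first; a client that mixes accounts can show successes and failures for unrelated reasons.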