Categories
Troubleshooting

Troubleshooting Login failed Error 18456

Input : select * from sys.sysmessages where error = 18456

Output: Login failed for user ‘%.*ls’.%.*ls%.*ls

This is one of the infamous error message (and number) that most of the DBAs and developers have come across while working on SQL server. This message simply denotes that the client call was able to reach the SQL server and then an ACCESS was denied to the particular login for a reason. To figure out the exact reason, this error number 18456 with its STATE number is logged into the SQL server error log file, if SQL server was allowed or configured to capture the failed logins.

Configuring SQL server for capturing login failures:

By default, SQL server is configured to capture only failed logins but it can be changed to any of the options as mentioned in this books online link http://technet.microsoft.com/en-us/library/ms188470.aspx

Below figure shows these options to have login failed messages written into error log

error_18456_1

Accessing Error log:

Now that, we know SQL server logs all login failed messages into its error log and windows event viewer but how do I access them?

Windows event viewer:

GO to start –> Run –> Eventvwr –> open up the application logs, and now we could see the login failed error message with computer name, instance name, date and time and finally the reason for the login failed

error_18456_2

SQL Error log:

SQL server error log can be viewed from multiple places

  • If we have gained access or can gain access to SQL server with different logon credentials then always use sp_readerrorlog, xp_readerrorlog or use the GUI option of opening up Management node –> SQL server Logs –> View –> SQL server log. Same sample shown above looks like

error_18456_3

  • In a case where we cannot gain access to SQL server, then we may use the actual error log path and open the txt file physically from the file system. Use SQL server configuration manager to find the error log path and from there you could open the file. Get the value next to –e parameter and that gives the actual error log file location

error_18456_5

Typically the error log files are available in install directory for SQL server.

SQL server 2005:

C:\MSSQL\MSSQL.1\MSSQL\LOG\Errorlog

SQL server 2008:

C:\MSSQL\MSSQL10.instanceID\MSSQL\Log\Errorlog

InstanceID – MSSQLSERVER for default instance and for named instance it’s the name of the instance

STATES of 18456

State 1:

This is a very generic error message that is sent to the client tools to deliberately hide the nature of the login failure issue. However, the SQL Server error log, a corresponding error contains an error state that maps to an authentication failure condition with its state number.

error_18456_6

State 2 and 5:

This state occurs when a SQL server login logs in with the name that doesn’t exist in sql server. This error mostly comes in when users specify wrong user name or misspell the login name. I am logging in to my instance with a login name called DOESNTEXIST that really doesn’t exist and let’s see what the error state in error log is.

error_18456_7

Error: 18456, Severity: 14, State: 5.

Login failed for user ‘DOESNT EXIST’. Reason: Could not find a login matching the name provided. [CLIENT: ]

State 6:

This state occurs when a user tries to login with a WINDOWS account but specifying that as a sql server account. I have a windows account test (domain\test) but I am specifying it as a sql account and trying to login into SQL server, let’s see what state the error log has

error_18456_8

Error: 18456, Severity: 14, State: 6.

Login failed for user ‘domain\test’. Reason: Attppting to use an NT account name with SQL Server Authentication. [CLIENT: ]

State 7:

This state occurs when a wrong password is specified for a login which is disabled too. In this case, my SQL server user ‘Leks’ is disabled and I’m mentioning a wrong password for the connection

error_18456_9

Error: 18456, Severity: 14, State: 7.

Login failed for user ‘Leks’. Reason: An error occurred while evaluating the password. [CLIENT: ]

For the accounts (logins) that are disabled and if you specify the correct password, the error log is logged with 18470

Error: 18470, Severity: 14, State: 1.

Login failed for user ‘Leks’. Reason: The account is disabled. [CLIENT:]

State 8:

This state occurs when password is not correct in the connection string for any SQL server authenticated logins. I’m logging into SQL server using ‘sa’ account with wrong password

error_18456_10

Error: 18456, Severity: 14, State: 8.

Login failed for user ‘sa’. Reason: Password did not match that for the login provided. [CLIENT:]

State 9:

This state means that the password was rejected by the password policy check as an invalid one. The policy API has rejected the password with error NERR_BadPassword. See more info on this error and visit http://msdn.microsoft.com/library/default.asp?url=/library/enus/netmgmt/netmgmt/net_validate_output_arg.asp

State 10:

This is one of the rare state and is very well documented here – http://support.microsoft.com/kb/925744

State 11 & 12:

This state means the login was valid but server access failed. One such example is when a windows login in trying to access sql server that wasn’t explicitly added to sql server (at least starting from 2008). To overcome this error, you can add that domain\windows account to sql logins explicitly.

Other reasons for this to happen are when a login is denied access (revoking connect permissions to SQL) to SQL server and UAC issues.SQL server product team covered this state extensively here –http://blogs.msdn.com/b/sqlserverfaq/archive/2010/10/27/troubleshooting-specific-login-failed-error-messages.aspx

Windows account which do not have access

Error: 18456, Severity: 14, State: 11.

Login failed for user ‘domain\user’. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT:]

SQL account that was denied access

Error: 18456, Severity: 14, State: 12.

Login failed for user ‘Leks’. Reason: Login-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT:]

State 13:

This state occurs when any login tries to access to sql server with services paused on it. But for this reason, there will also be other error number 17142 logged along with 18456.

error_18456_11

Error: 17142, Severity: 14, State: 0.

SQL Server service has been paused. No new connections will be allowed. To resume the service, use SQL Computer Manager or the Services application in Control Panel.

Error: 18456, Severity: 14, State: 13.

Login failed for user ”. Reason: SQL Server service is paused. No new connections can be accepted at this time. [CLIENT:]

State 16:

This state occurs for logins that do not have access to the target database or the database doesn’t exist anymore with the same name or offline. We always specify the database in the connection string as initial catalog or using -d parameter.

This can be fixed by granting access to the database and sometimes orphan users existing in the database. Orphan users can be fixed by sp_change_users_login

error_18456_12

This state occurs in SQL server 2005 and same is changed to 40 in SQL server 2008 and above

Error: 18456, Severity: 14, State: 16.

Login failed for user ‘Leks’. [CLIENT: <local machine>]

State 18:

This state occurs when a sql login is added with USER MUST CHANGE THEIR PASSORD ON FIRST LOGON or a login that needs to have its password changed as per the domain or windows password policy ; this state gets in to error log when the new password box prompts up.

error_18456_14

This error is logged with state 18488

Error: 18488, Severity: 14, State: 1.

Login failed for user ‘Tester’. Reason: The password of the account must be changed. [CLIENT: ]

State 23:

This state can happen due to couple reasons; first being simultaneous action of shutting down SQL SERVER and any incoming logins to sql server takes place. The other one is documented here as an issue http://support.microsoft.com/kb/937745

State 38:

This is similar to state 16 but this was introduced from SQL server 2008 and above.

Database doesn’t exist or login doesn’t have access to the database.

Error: 18456, Severity: 14, State: 38.

Login failed for user ‘Leks’. Reason: Failed to open the explicitly specified database. [CLIENT: ]

State 40:

This state occurs when the login’s default database doesn’t exist in SQL server or offline or the login doesn’t have access to the default database. This state is always logged alongside with error 4064

Error: 18456, Severity: 14, State: 40.

Login failed for user ‘Leks’. Reason: Failed to open the database specified in the login properties. [CLIENT: ]

State 58:

This state occurs when a SQL server login is used for accessing SQL server when SQL server is installed with windows authentication mode.

You may have to use only windows login or change the authentication to mixed authentication for this to work – http://msdn.microsoft.com/en-us/library/ms188670.aspx. The authentication mode change always requires a SQL restart to come into effect.

Error: 18456, Severity: 14, State: 58.

Login failed for user ‘sa’. Reason: An attppt to login using SQL authentication failed. Server is configured for Windows authentication only. [CLIENT: <local machine>]

I have tried and covered most of the states that I know of, and if you find states that I haven’t discussed happy to hear and add to this list. Apart from the error 18456, there are other login failure errors that you might have to keep an eye on

18451

Login failed for user ‘%.*ls‘. Only administrators may connect at this time.%.*ls

18452

Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.%.*ls

18458

Login failed. The number of simultaneous users already equals the %d registered licenses for this server. To increase the maximum number of simultaneous users, obtain additional licenses and then register them through the Licensing item in Control Panel.%

18459

Login failed. The workstation licensing limit for SQL Server access has already been reached.%.*ls

18460

Login failed. The number of simultaneous users has already reached the limit of %d licenses for this ‘%ls’ server. Additional licenses should be obtained and installed or you should upgrade to a full version.%.*ls

18461

Login failed for user ‘%.*ls‘. Reason: Server is in single user mode. Only one administrator can connect at this time.%.*ls

18462

The login failed for user “%.*ls“. The password change failed. The password for the user is too recent to change. %.*ls

18463

The login failed for user “%.*ls“. The password change failed. The password cannot be used at this time. %.*ls

18464

Login failed for user ‘%.*ls‘. Reason: Password change failed. The password does not meet Windows policy requirements because it is too short.%.*ls

18465

Login failed for user ‘%.*ls‘. Reason: Password change failed. The password does not meet Windows policy requirements because it is too long.%.*ls

18466

Login failed for user ‘%.*ls‘. Reason: Password change failed. The password does not meet Windows policy requirements because it is not complex enough.%.*ls

18467

The login failed for user “%.*ls“. The password change failed. The password does not meet the requirements of the password filter DLL. %.*ls

18468

The login failed for user “%.*ls“. The password change failed. An unexpected error occurred during password validation. %.*ls

18470

Login failed for user ‘%.*ls‘. Reason: The account is disabled.%.*ls

18471

The login failed for user “%.*ls“. The password change failed. The user does not have permission to change the password. %.*ls

18482

Could not connect to server ‘%.*ls’ because ‘%.*ls’ is not defined as a remote server. Verify that you have specified the correct server name. %.*ls.

18483

Could not connect to server ‘%.*ls’ because ‘%.*ls’ is not defined as a remote login at the server. Verify that you have specified the correct login name. %.*ls.

18485

Could not connect to server ‘%.*ls’ because it is not configured to accept remote logins. Use the remote access configuration option to allow remote logins.%.*ls

18486

Login failed for user ‘%.*ls’ because the account is currently locked out. The system administrator can unlock it. %.*ls

18487

Login failed for user ‘%.*ls‘.Reason: The password of the account has expired.%.*ls

18488

Login failed for user ‘%.*ls‘.Reason: The password of the account must be changed.%.*ls

18489

The dedicated administrator connection is in use by “%.*ls” on “%.*ls“.%.*ls

Happy “login failure “troubleshooting

Leave a Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

*