Input : select * from sys.sysmessages where error = 18456
Output: Login failed for user ‘%.*ls’.%.*ls%.*ls
This is one of the infamous error message (and number) that most of the DBAs and developers have come across while working on SQL server. This message simply denotes that the client call was able to reach the SQL server and then an ACCESS was denied to the particular login for a reason. To figure out the exact reason, this error number 18456 with its STATE number is logged into the SQL server error log file, if SQL server was allowed or configured to capture the failed logins.
Configuring SQL server for capturing login failures:
By default, SQL server is configured to capture only failed logins but it can be changed to any of the options as mentioned in this books online link http://technet.microsoft.com/en-us/library/ms188470.aspx
Below figure shows these options to have login failed messages written into error log
Accessing Error log:
Now that, we know SQL server logs all login failed messages into its error log and windows event viewer but how do I access them?
Windows event viewer:
GO to start –> Run –> Eventvwr –> open up the application logs, and now we could see the login failed error message with computer name, instance name, date and time and finally the reason for the login failed
SQL Error log:
SQL server error log can be viewed from multiple places
- If we have gained access or can gain access to SQL server with different logon credentials then always use sp_readerrorlog, xp_readerrorlog or use the GUI option of opening up Management node –> SQL server Logs –> View –> SQL server log. Same sample shown above looks like
- In a case where we cannot gain access to SQL server, then we may use the actual error log path and open the txt file physically from the file system. Use SQL server configuration manager to find the error log path and from there you could open the file. Get the value next to –e parameter and that gives the actual error log file location
Typically the error log files are available in install directory for SQL server.
SQL server 2005:
C:\MSSQL\MSSQL.1\MSSQL\LOG\Errorlog
SQL server 2008:
C:\MSSQL\MSSQL10.instanceID\MSSQL\Log\Errorlog
InstanceID – MSSQLSERVER for default instance and for named instance it’s the name of the instance
STATES of 18456
State 1:
This is a very generic error message that is sent to the client tools to deliberately hide the nature of the login failure issue. However, the SQL Server error log, a corresponding error contains an error state that maps to an authentication failure condition with its state number.
State 2 and 5:
This state occurs when a SQL server login logs in with the name that doesn’t exist in sql server. This error mostly comes in when users specify wrong user name or misspell the login name. I am logging in to my instance with a login name called DOESNTEXIST that really doesn’t exist and let’s see what the error state in error log is.
Error: 18456, Severity: 14, State: 5.
Login failed for user ‘DOESNT EXIST’. Reason: Could not find a login matching the name provided. [CLIENT: ]
State 6:
This state occurs when a user tries to login with a WINDOWS account but specifying that as a sql server account. I have a windows account test (domain\test) but I am specifying it as a sql account and trying to login into SQL server, let’s see what state the error log has
Error: 18456, Severity: 14, State: 6.
Login failed for user ‘domain\test’. Reason: Attppting to use an NT account name with SQL Server Authentication. [CLIENT: ]
State 7:
This state occurs when a wrong password is specified for a login which is disabled too. In this case, my SQL server user ‘Leks’ is disabled and I’m mentioning a wrong password for the connection
Error: 18456, Severity: 14, State: 7.
Login failed for user ‘Leks’. Reason: An error occurred while evaluating the password. [CLIENT: ]
For the accounts (logins) that are disabled and if you specify the correct password, the error log is logged with 18470
Error: 18470, Severity: 14, State: 1.
Login failed for user ‘Leks’. Reason: The account is disabled. [CLIENT:]
State 8:
This state occurs when password is not correct in the connection string for any SQL server authenticated logins. I’m logging into SQL server using ‘sa’ account with wrong password
Error: 18456, Severity: 14, State: 8.
Login failed for user ‘sa’. Reason: Password did not match that for the login provided. [CLIENT:]
State 9:
This state means that the password was rejected by the password policy check as an invalid one. The policy API has rejected the password with error NERR_BadPassword. See more info on this error and visit http://msdn.microsoft.com/library/default.asp?url=/library/enus/netmgmt/netmgmt/net_validate_output_arg.asp
State 10:
This is one of the rare state and is very well documented here – http://support.microsoft.com/kb/925744
State 11 & 12:
This state means the login was valid but server access failed. One such example is when a windows login in trying to access sql server that wasn’t explicitly added to sql server (at least starting from 2008). To overcome this error, you can add that domain\windows account to sql logins explicitly.
Other reasons for this to happen are when a login is denied access (revoking connect permissions to SQL) to SQL server and UAC issues.SQL server product team covered this state extensively here –http://blogs.msdn.com/b/sqlserverfaq/archive/2010/10/27/troubleshooting-specific-login-failed-error-messages.aspx
Windows account which do not have access
Error: 18456, Severity: 14, State: 11.
Login failed for user ‘domain\user’. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT:]
SQL account that was denied access
Error: 18456, Severity: 14, State: 12.
Login failed for user ‘Leks’. Reason: Login-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT:]
State 13:
This state occurs when any login tries to access to sql server with services paused on it. But for this reason, there will also be other error number 17142 logged along with 18456.
Error: 17142, Severity: 14, State: 0.
SQL Server service has been paused. No new connections will be allowed. To resume the service, use SQL Computer Manager or the Services application in Control Panel.
Error: 18456, Severity: 14, State: 13.
Login failed for user ”. Reason: SQL Server service is paused. No new connections can be accepted at this time. [CLIENT:]
State 16:
This state occurs for logins that do not have access to the target database or the database doesn’t exist anymore with the same name or offline. We always specify the database in the connection string as initial catalog or using -d parameter.
This can be fixed by granting access to the database and sometimes orphan users existing in the database. Orphan users can be fixed by sp_change_users_login
This state occurs in SQL server 2005 and same is changed to 40 in SQL server 2008 and above
Error: 18456, Severity: 14, State: 16.
Login failed for user ‘Leks’. [CLIENT: <local machine>]
State 18:
This state occurs when a sql login is added with USER MUST CHANGE THEIR PASSORD ON FIRST LOGON or a login that needs to have its password changed as per the domain or windows password policy ; this state gets in to error log when the new password box prompts up.
This error is logged with state 18488
Error: 18488, Severity: 14, State: 1.
Login failed for user ‘Tester’. Reason: The password of the account must be changed. [CLIENT: ]
State 23:
This state can happen due to couple reasons; first being simultaneous action of shutting down SQL SERVER and any incoming logins to sql server takes place. The other one is documented here as an issue http://support.microsoft.com/kb/937745
State 38:
This is similar to state 16 but this was introduced from SQL server 2008 and above.
Database doesn’t exist or login doesn’t have access to the database.
Error: 18456, Severity: 14, State: 38.
Login failed for user ‘Leks’. Reason: Failed to open the explicitly specified database. [CLIENT: ]
State 40:
This state occurs when the login’s default database doesn’t exist in SQL server or offline or the login doesn’t have access to the default database. This state is always logged alongside with error 4064
Error: 18456, Severity: 14, State: 40.
Login failed for user ‘Leks’. Reason: Failed to open the database specified in the login properties. [CLIENT: ]
State 58:
This state occurs when a SQL server login is used for accessing SQL server when SQL server is installed with windows authentication mode.
You may have to use only windows login or change the authentication to mixed authentication for this to work – http://msdn.microsoft.com/en-us/library/ms188670.aspx. The authentication mode change always requires a SQL restart to come into effect.
Error: 18456, Severity: 14, State: 58.
Login failed for user ‘sa’. Reason: An attppt to login using SQL authentication failed. Server is configured for Windows authentication only. [CLIENT: <local machine>]
I have tried and covered most of the states that I know of, and if you find states that I haven’t discussed happy to hear and add to this list. Apart from the error 18456, there are other login failure errors that you might have to keep an eye on
18451 |
Login failed for user ‘%.*ls‘. Only administrators may connect at this time.%.*ls |
18452 |
Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.%.*ls |
18458 |
Login failed. The number of simultaneous users already equals the %d registered licenses for this server. To increase the maximum number of simultaneous users, obtain additional licenses and then register them through the Licensing item in Control Panel.% |
18459 |
Login failed. The workstation licensing limit for SQL Server access has already been reached.%.*ls |
18460 |
Login failed. The number of simultaneous users has already reached the limit of %d licenses for this ‘%ls’ server. Additional licenses should be obtained and installed or you should upgrade to a full version.%.*ls |
18461 |
Login failed for user ‘%.*ls‘. Reason: Server is in single user mode. Only one administrator can connect at this time.%.*ls |
18462 |
The login failed for user “%.*ls“. The password change failed. The password for the user is too recent to change. %.*ls |
18463 |
The login failed for user “%.*ls“. The password change failed. The password cannot be used at this time. %.*ls |
18464 |
Login failed for user ‘%.*ls‘. Reason: Password change failed. The password does not meet Windows policy requirements because it is too short.%.*ls |
18465 |
Login failed for user ‘%.*ls‘. Reason: Password change failed. The password does not meet Windows policy requirements because it is too long.%.*ls |
18466 |
Login failed for user ‘%.*ls‘. Reason: Password change failed. The password does not meet Windows policy requirements because it is not complex enough.%.*ls |
18467 |
The login failed for user “%.*ls“. The password change failed. The password does not meet the requirements of the password filter DLL. %.*ls |
18468 |
The login failed for user “%.*ls“. The password change failed. An unexpected error occurred during password validation. %.*ls |
18470 |
Login failed for user ‘%.*ls‘. Reason: The account is disabled.%.*ls |
18471 |
The login failed for user “%.*ls“. The password change failed. The user does not have permission to change the password. %.*ls |
18482 |
Could not connect to server ‘%.*ls’ because ‘%.*ls’ is not defined as a remote server. Verify that you have specified the correct server name. %.*ls. |
18483 |
Could not connect to server ‘%.*ls’ because ‘%.*ls’ is not defined as a remote login at the server. Verify that you have specified the correct login name. %.*ls. |
18485 |
Could not connect to server ‘%.*ls’ because it is not configured to accept remote logins. Use the remote access configuration option to allow remote logins.%.*ls |
18486 |
Login failed for user ‘%.*ls’ because the account is currently locked out. The system administrator can unlock it. %.*ls |
18487 |
Login failed for user ‘%.*ls‘.Reason: The password of the account has expired.%.*ls |
18488 |
Login failed for user ‘%.*ls‘.Reason: The password of the account must be changed.%.*ls |
18489 |
The dedicated administrator connection is in use by “%.*ls” on “%.*ls“.%.*ls |
Happy “login failure “troubleshooting
Leave a Reply