We have the following setup:
- One Domain Controller (DC, Server 2003 R2 Standard x64)
- One SQL Server (SQL, Server 2008 R2 Standard x64)
- some clients.
All machines are in the same domain. All user accounts in use are domain accounts. SQL runs one instance of each SQL Server 2005, 2008, 2008R2, 2012 and 2014.
Since tonight (DC rebooted to install automatic Windows security updates), accessing the SQL 2005, 2008 and 2008R2 instances through Windows authentication does not work properly anymore:
When accessing one of these instances
- from one of the clients
- using Windows authentication
the following error occurs (it's the 2008R2 message, the 2005/2008 messages are similar):
Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. (Microsoft SQL Server, Error: 18452)
Obviously, the message text does not apply, since there is only one domain.
Now the surprising thing is: As soon as user is logged in on SQL (starting an RDP sesson or even simply running runas /user:MYDOMAIN\someuser cmd
and keeping the window open), this user can access all SQL Server instances from all clients without any problems until the process running with that user's credentials is closed.
This means that I can just workaround this problem by executing the above runas command for all users on SQL once (and keeping the windows open), but, obviously, something is severely broken. I suspect tonight's security updates on DC have something to do with it (since that's the only thing that changed), but I'd rather avoid uninstalling and rebooting each one of them (12 updates were installed and DC is really old and slow).
Has anyone encountered this issue before and knows how to fix it permanently? Any other ideas (other than spending the next few days becoming a Kerberos expert)?
check if your DC installed the update KB3002657 tonight. see http://support2.microsoft.com/?kbid=3002657 I had the same issue. Deinstalling this update solved the problem for me.
The following fix via Group Policy worked for me:
gpupdate /force
on affected computers and servers.