Sspi error sec_e_logon_denied

SEC_I_CONTINUE_NEEDED) { failf(data, "SSPI error: %s failed: %d\n", function, break; case SEC_E_LOGON_DENIED: txt="SEC_E_LOGON_DENIED"; break;

I googled for the error code and it turns out that code 8009030C (-2146893044) is SEC_E_LOGON_DENIED, which means the username/password did not match.

0x8009030C: The symbol SEC_E_LOGON_DENIED means "The logon attempt failed". Used for status code returned by Security Support Provider Interface (SSPI).

Server and SSPI handshake failed error hell

The infamous SSPI Failed error strikes again!

One of our SQL servers was generating these errors for “some” Windows logins but not all.

Error: 17806, Severity: 20, State: 2.

SSPI handshake failed with error code 0x8009030c while establishing a connection with integrated security; the connection has been closed. [CLIENT:]

Error: 18452, Severity: 14, State: 1.

Login failed for user ''. The user is not associated with a trusted SQL Server connection. [CLIENT:]

After exhausting all of the normal troubleshooting for this error (accounts locked, disabled, SQL Service accts, bad connection strings, SPN’s, etc.) I spent the next few hours learning more about the way SQL handles authentication requests than I had ever wanted to know.

The Scenario –

A couple of separate individual Windows ID’s started generating these errors while attempting connections, all other Windows logins were working properly. The connections were initially happening through applications, but also occurred through sqlcmd. When logged in to the server locally with the offending ID’s the connections to SQL would

Troubleshooting process –

Check all the regular SSPI issues. I won’t bore you with the details as they are easily searchable.

  • A relatively easy way of checking the “easy” authentication issues, if possible/appropriate, is to log into the SQL Server locally with the offending ID, fire up sqlcmd and connect to the server via sqlcmd -S servername,port -E (by specifying the port you force TCP/IP instead of LPC, thereby forcing the network into the equation)

Verify whether the login is trying to use NTLM or Kerberos (many ways to do this but simplest is to see if there are any other KERBEROS connections on the machine)

  • SELECT DISTINCT auth_scheme FROM sys.dm_exec_connections
  • If Kerberos is in use, there are a few additional things to look up related to SPN’s; since only NTLM was in use on this server I skipped that

Determine if the accounts were excluded from connecting to the machine through the network through a group policy or some other AD setting

After all of these checked out OK, I began to try and figure out what the error code 0x8009030c meant. Turns out, it’s fairly obvious what the description is: sec_e_logon_denied. This description was so helpful I thought about making this server into a boat anchor but, luckily for my employer, the server room is located many miles away and has armed guards.

Since I knew we could logon locally to the SQL Server with the ID that SQL was rejecting with logon denied something else was trying to make my life miserable.

We didn’t have logon failure security auditing turned on so I had no way of getting a better error description. As luck would have it though this would prove instrumental in finding the root cause. To get a better error message, I found this handy KB article detailing steps needed to put net logon into debug mode.

Say hello to my new best friend!  — nltest.exe

After downloading nltest & using it to enable netlogon debugging on the SQL Server, I got this slightly better message in the netlogon.log file

06/15 14:15:39 [LOGON] SamLogon: Network logon of DOMAIN\USER from Laptop Entered

06/15 14:15:39 [CRITICAL] NlPrintRpcDebug: Couldn’t get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000064)

06/15 14:15:39 [LOGON] SamLogon: Network logon of DOMAIN\USER from Laptop Returns 0xC0000064

The error code 0XC0000064 maps to “NO_SUCH_USER”
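The netlogon.log triage described above, as an added example that is not part of the original post: it parses SamLogon completion lines in the format quoted above, decodes the NTSTATUS value, and counts failures per account. The sample log is constructed from the quoted lines plus invented entries, and the function names are illustrative.

```python
import re
from collections import Counter

# Subset of NTSTATUS codes that show up in netlogon.log "Returns" fields.
NTSTATUS = {
    0xC000005E: "STATUS_NO_LOGON_SERVERS",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Matches the completion line of a SamLogon call in the format shown above.
RETURNS = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] .*?SamLogon: "
    r"(?P<kind>.+?) logon of (?P<account>\S+) from (?P<client>\S+)"
    r".*? Returns (?P<status>0x[0-9A-Fa-f]+)\s*$"
)

def failed_logons(lines):
    """Return one record per SamLogon call that ended with a non-zero NTSTATUS."""
    failures = []
    for line in lines:
        m = RETURNS.match(line.strip())
        if not m or int(m["status"], 16) == 0:
            continue  # "Entered"/debug lines and successful logons
        code = int(m["status"], 16)
        failures.append({
            "time": m["ts"], "account": m["account"], "client": m["client"],
            "status": NTSTATUS.get(code, f"0x{code:08X}"),
        })
    return failures

def summarize(failures):
    """Count failures per (account, status) so repeat offenders stand out."""
    return Counter((f["account"], f["status"]) for f in failures)

# Constructed sample: the three lines quoted above plus invented entries.
SAMPLE = r"""
06/15 14:15:39 [LOGON] SamLogon: Network logon of DOMAIN\USER from Laptop Entered
06/15 14:15:39 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000064)
06/15 14:15:39 [LOGON] SamLogon: Network logon of DOMAIN\USER from Laptop Returns 0xC0000064
06/15 14:16:02 [LOGON] SamLogon: Network logon of DOMAIN\SVC_APP from AppHost Returns 0x0
06/15 14:16:40 [LOGON] SamLogon: Network logon of DOMAIN\USER from Laptop Returns 0xC0000064
06/15 14:17:05 [LOGON] SamLogon: Network logon of DOMAIN\OTHER from Desk7 Returns 0xC000006A
""".strip().splitlines()

if __name__ == "__main__":
    for (account, status), n in summarize(failed_logons(SAMPLE)).most_common():
        print(f"{n:3d}  {account:<16} {status}")
```

A code that is not in the table is reported as its raw hex value, so an unexpected status is still visible in the summary.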

Since I was currently logged in to the server with the ID that was returning no such user, something else was obviously wrong, and luckily at this point I knew it wasn’t SQL.

Running “set log” on the server revealed that a local DC (call it DC1) was servicing the local logon request.

After asking our AD guys about DC1 and its synchronization status, as well as whether the user actually existed there, everything still looked OK.

After looking around a bit more I discovered this gem of a command for nltest to determine which DC will handle a request

C:\>nltest /whowill:Domain Account

[16:32:45] Mail message 0 sent successfully (\MAILSLOT\NET\GETDC579)
[16:32:45] Response 0: DC2 D:Domain A:Account (Act found)
The command completed successfully

Even though this command returned “act found” it was returning from DC2. (I don’t exactly understand why the same account would authenticate against 2 different DC’s based on a local desktop login or a SQL login but it apparently can)

After asking the AD guys about DC2 the light bulbs apparently went off for them as that server actually exists behind a different set of firewalls, in a totally different location. While DC2 would return a ping, the console wouldn’t allow logons for some reason. After a quick reboot of DC2, and some magic AD pixie dust (I am not an AD admin, if it wasn’t totally obvious from my newfound friend nltest) the Windows ID’s that were having trouble started authenticating against DC3 and our SSPI errors went away.

Interesting tidbit: During troubleshooting, I found that this particular SQL Server was authenticating accounts against at least 5 different DC’s. Some of this might be expected since there are different domains at play but I haven’t heard a final answer from the AD guys about whether it should work that way.

The solution

Reboot the misbehaving DC. Of course there may be other ways to fix this by redirecting requests to a different DC without a reboot but, since it was misbehaving anyway and the AD experts wanted to reboot, we went with that. A reboot of SQL would have likely solved this problem too but I hate reboot fixes of issues, they always seem to come back!


    (sspi_send_token.cbBuffer != (size_t)written)) {
          failf(data, "Failed to send SSPI encryption type.");
          s_pSecFn->FreeContextBuffer(sspi_send_token.pvBuffer);
          s_pSecFn->DeleteSecurityContext(&sspi_context);
          return CURLE_COULDNT_CONNECT;
        }
        s_pSecFn->FreeContextBuffer(sspi_send_token.pvBuffer);
      }

      /* read the 4-byte header of the proxy's reply */
      result = Curl_blockread_all(conn, sock, (char *)socksreq, 4,
                                  &actualread, timeout);
      if(result != CURLE_OK || actualread != 4) {
        failf(data, "Failed to receive SSPI encryption response.");
        s_pSecFn->DeleteSecurityContext(&sspi_context);
        return CURLE_COULDNT_CONNECT;
      }

      /* message type 255 means the server refused the user */
      if(socksreq[1] == 255) {
        failf(data, "User was rejected by the SOCKS5 server (%d %d).",
              socksreq[0], socksreq[1]);
        s_pSecFn->DeleteSecurityContext(&sspi_context);
        return CURLE_COULDNT_CONNECT;
      }

      if(socksreq[1] != 2) {
        failf(data, "Invalid SSPI encryption response type (%d %d).",
              socksreq[0], socksreq[1]);
        s_pSecFn->DeleteSecurityContext(&sspi_context);
        return CURLE_COULDNT_CONNECT;
      }

      /* bytes 2-3 carry the token length in network byte order */
      memcpy(&us_length, socksreq+2, sizeof(short));
      us_length = ntohs(us_length);

      sspi_w_token[0].cbBuffer = us_length;
      sspi_w_token[0].pvBuffer = malloc(us_length);
      if(!sspi_w_token[0].pvBuffer) {
        s_pSecFn->DeleteSecurityContext(&sspi_context);
        return CURLE_OUT_OF_MEMORY;
      }

      result = Curl_blockread_all(conn, sock, (char *)sspi_w_token[0].pvBuffer,
                                  sspi_w_token[0].cbBuffer, &actualread,
                                  timeout);
      if(result != CURLE_OK

Class: Win32::SSPI::SSPIResult


Takes a return result from an SSPI function and interprets the value.

Constant Summary


    These are generally returned by InitializeSecurityContext

    # File 'ext/win32/lib/win32/sspi.rb', line 168: 0x80090300
    # File 'ext/win32/lib/win32/sspi.rb', line 169: 0x80090304
    # File 'ext/win32/lib/win32/sspi.rb', line 170: 0x80090301
    # File 'ext/win32/lib/win32/sspi.rb', line 171: 0x80090308
    # File 'ext/win32/lib/win32/sspi.rb', line 172: 0x8009030C

    These are generally returned by AcquireCredentialsHandle

    # File 'ext/win32/lib/win32/sspi.rb', line 180: 0x80090306
    # File 'ext/win32/lib/win32/sspi.rb', line 173: 0x80090311
    # File 'ext/win32/lib/win32/sspi.rb', line 174: 0x8009030E
  • SEC_E_OK = # File 'ext/win32/lib/win32/sspi.rb', line 164: 0x00000000
    # File 'ext/win32/lib/win32/sspi.rb', line 181: 0x80090305
    # File 'ext/win32/lib/win32/sspi.rb', line 175: 0x80090303
    # File 'ext/win32/lib/win32/sspi.rb', line 182: 0x8009030D
    # File 'ext/win32/lib/win32/sspi.rb', line 176: 0x80090302
    # File 'ext/win32/lib/win32/sspi.rb', line 177: 0x80090322
    # File 'ext/win32/lib/win32/sspi.rb', line 165: 0x00090312

Class Method Summary

Instance Attribute Summary

Instance Method Summary

Constructor Details

.new(value) ⇒

# File 'ext/win32/lib/win32/sspi.rb', line 189

    def initialize(value)
      # convert to unsigned long
      value = [value].pack("L").unpack("L").first
      raise "#{value.to_s(16)} is not a recognized result" unless @@map.has_key?(value)
      @value = value
    end

Instance Attribute Details


# File 'ext/win32/lib/win32/sspi.rb', line 187

    attr_reader :value

Instance Method Details


# File 'ext/win32/lib/win32/sspi.rb', line 204

    def ==(other)
      if other.is_a?(SSPIResult)
        @value == other.value
      elsif other.is_a?(Fixnum)
        @value == @@map[other]
      else
        false
      end
    end


# File 'ext/win32/lib/win32/sspi.rb'

    def to_s
      @@map[@value].to_s
    end