Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

SQL Error 18452 state 1 and : Token-based server access validation failed with an infrastructure error

Posted on 2013-11-14
2
Medium Priority
?
860 Views
Last Modified: 2013-11-27
I have been researching this error for the SQL though I am a Sys Admin because he believes the error is not with his SQL despite the mounds of documentation I have presented him with including everything from UAC, SPN, SID, time differences, web config, invalid ID, password, check that database connection using Kerberos authentication etc.

His reasoning is the errors is not continual for the account identified. Meaning the account an App server uses to connect to the SQL Server and Database works most of the time but has thrown the 18452, 17806, along with "Login failed for user 'Domain\Services'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: <local machine>])"

The issue occurs about twice a day without a routine and last only for a few minutes and then the connection is reestablished and all is well. The problem is if there is large data project going during the fail the project must be redone which is a severe impact on our clients and business.

Questions
1. Has anyone seen this error in the inconstant state we do?
2. Can someone please verify that this is not an AD issue but rather a SQL issue?
3. Any ideas?

Also, I will say I can not confirm he has tried all suggestions and even stated:
1.      Because we’re not open network we don’t use Kerberos explicitly, we make connectivity over TCP using NTLM & SQL authentication. Kerberos is good if you’re making connectivity in open network
2.      Also this error is not a continual error, we’re experiencing for few seconds or sometime few minutes, so obviously not the account lock or password error. These accounts are service accounts and configured for no lock mode.
3.      We are not using any local account, all application/service accounts are domain based account.
4.      Config file should not be an issue because these errors appears as a fluctuations for few minutes

Any help is more than appreciated. Please anyone so I can tell him this is an SQL or Network (maybe) issue and not AD.

Kry
0
Comment
Question by:kryanC
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 49

Accepted Solution

by:
PortletPaul earned 1500 total points
ID: 39650203
This all seems related to security, Are you also seeing error 18456?
(but, warning, this is NOT my specialty)

e.g.
that 17806 relates to "Security Support Provider Interface" (SSPI), possibly IIS not running under a domain account with access the SQL server or impersonating that

error       severity       description

17806       20       SSPI handshake failed with error code 0x%x, state %d while establishing a connection with integrated security; the connection has been closed. Reason: %.*ls %.*ls.

18452       14       Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.%.*ls

18456       14       Login failed for user ‘%.*ls’.%.*ls%.*ls

You probably do want to investigate the logs more carefully, those parameterized (%) values in the descriptions above  reveal more specific information.

I'd suggest you read this
Troubleshooting Login failed Error 18456
and then perhaps re-discuss with all related security folk in one room.
0
 

Author Closing Comment

by:kryanC
ID: 39681553
thanks we are now capturing the packets that generate the error and believe it is an App that runs daily. Hope to have a clear resolution soon.

Kry
0

Featured Post

Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question