Sync Server SQL login failure
A user with Domain Admin privs sets up SQL 2008 SP1 on Server One. He is assigned the sysadmin role. On server two, the same Domain Admin user runs the Sync server install. Setup progresses normally, gathering all the usual information needed and begins the install in earnest. Once the SQL configuration starts, this error appears:

Error 25009
The Forefront Identity Manager Synchronization Service setup wizard cannot configure the specified Database.
OLEDB Provider Information:
Description= 'Login Failed. The login is from an untrusted domain and cannot be used with Windows Authentication'
Failure code = 0x8004005
Minor Number = 18452
<hr=0x8023406>

On server two, as a troubleshooting step, I install the SSMS tools and I can connect to the SQL server, create databases, tables, etc. as that user. As another troubleshooting step, I verify I am able to install the Sync service locally on the SQL server.

What I see in the SQL log is this:

01/12/2011 15:17:59,Logon,Unknown,Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. [CLIENT: xxx.xxx.xxx.xxx]
01/12/2011 15:17:59,Logon,Unknown,Error: 18452<c/> Severity: 14<c/> State: 1.
01/12/2011 15:17:59,Logon,Unknown,SSPI handshake failed with error code 0x8009030c while establishing a connection with integrated security; the connection has been closed. [CLIENT: xxx.xxx.xxx.xxx]
01/12/2011 15:17:59,Logon,Unknown,Error: 17806<c/> Severity: 20<c/> State: 2.
01/12/2011 15:17:59,spid54,Unknown,Setting database option PARAMETERIZATION to FORCED for database FIMSynchronizationService.
01/12/2011 15:17:59,spid54,Unknown,Setting database option COMPATIBILITY_LEVEL to 90 for database FIMSynchronizationService.
01/12/2011 15:17:58,spid54,Unknown,Setting database option RECOVERY to SIMPLE for database FIMSynchronizationService.
01/12/2011 15:17:58,spid54,Unknown,index restored for FIMSynchronizationService.syssoftobjrefs.
01/12/2011 15:17:58,spid54,Unknown,index restored for FIMSynchronizationService.syssqlguides.
01/12/2011 15:17:58,spid54,Unknown,index restored for FIMSynchronizationService.sysasymkeys.
01/12/2011 15:17:58,spid54,Unknown,index restored for FIMSynchronizationService.sysrts.
01/12/2011 15:17:58,spid54,Unknown,index restored for FIMSynchronizationService.sysremsvcbinds.
01/12/2011 15:17:58,spid54,Unknown,index restored for FIMSynchronizationService.sysclsobjs.
01/12/2011 15:17:58,spid54,Unknown,index restored for FIMSynchronizationService.sysidxstats.
01/12/2011 15:17:58,spid54,Unknown,index restored for FIMSynchronizationService.sysscalartypes.
01/12/2011 15:17:58,spid54,Unknown,index restored for FIMSynchronizationService.sysxprops.
01/12/2011 15:17:58,spid54,Unknown,index restored for FIMSynchronizationService.syscerts.
01/12/2011 15:17:58,spid54,Unknown,index restored for FIMSynchronizationService.sysnsobjs.
01/12/2011 15:17:58,spid54,Unknown,index restored for FIMSynchronizationService.syscolpars.
01/12/2011 15:17:58,spid54,Unknown,index restored for FIMSynchronizationService.sysschobjs.
01/12/2011 15:17:58,spid54,Unknown,index restored for FIMSynchronizationService.sysowners.
01/12/2011 15:17:58,spid54,Unknown,index restored for FIMSynchronizationService.syspriorities.
01/12/2011 15:17:58,spid54,Unknown,Starting up database 'FIMSynchronizationService'.

During setup, do we switch from the credentials of the user running setup, to the sync service identity at some point? The default policy is that only members of local administrators group can log on locally. Is there a minimum level of local server rights the sync service account must have on the SQL server itself?

All ideas welcome..

Frank

If you look in SQL Server before the rollback occurs, the Database is created, and the Sync server service account is added as a user.
January 13th, 2011 1:49am

On Thu, 13 Jan 2011 06:34:33 +0000, Frank Dr wrote:

> A user with Domain Admin privs sets up SQL 2008 SP1 on Server One. He is assigned the sysadmin role.

Frank, this forum is for Windows Server security issues. You'll probably have better luck posting in one of the forums dedicated to SQL Server:

http://social.msdn.microsoft.com/Forums/en/category/sqlserver/

Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Want custom ringtones on your Windows Phone 7 device?
Foolproof operation: All parameters are hard coded.
January 13th, 2011 2:05am

This topic is archived. No further replies will be accepted.
