Microsoft KB Archive/925744

= FIX: Error message when you try to use a SQL Server authenticated login to log on to an instance of SQL Server 2005: "Logon error: 18456" =

Article ID: 925744

Article Last Modified on 11/20/2007


APPLIES TO


 * Microsoft SQL Server 2005 Standard Edition
 * Microsoft SQL Server 2005 Enterprise Edition
 * Microsoft SQL Server 2005 Developer Edition
 * Microsoft SQL Server 2005 Standard X64 Edition
 * Microsoft SQL Server 2005 Standard Edition for Itanium-based Systems
 * Microsoft SQL Server 2005 Enterprise X64 Edition
 * Microsoft SQL Server 2005 Enterprise Edition for Itanium-based Systems




Bug #: 50000300 (SQL Hotfix)



Notice
Microsoft distributes Microsoft SQL Server 2005 fixes as one downloadable file. Because the fixes are cumulative, each new release contains all the hotfixes and all the security fixes that were included with the previous SQL Server 2005 fix release.



This article describes the following about this hotfix release:
 * The issues that are fixed by this hotfix package
 * The prerequisites for installing the hotfix package
 * Information about whether you must restart the computer after you install the hotfix package
 * Information about whether the hotfix package is replaced by any other hotfix package
 * Information about whether you must make any registry changes
 * The files that are contained in the hotfix package



SYMPTOMS
In SQL Server 2005, you receive a "Logon Error: 18456" error message when you try to log on to an instance of SQL Server 2005 and the following conditions are true:
 * You try to use a SQL Server authenticated login to log on to the instance.
 * The SQL Server service is configured to use a domain account for the service startup account.
 * The SQL authenticated logins that receive the "Logon Error: 18456" error message are configured to use Windows domain password policy enforcement.

Note By default, Windows domain password policy enforcement for SQL authenticated logins is enabled unless you explicitly set the CHECK_POLICY clause of the CREATE LOGIN statement to OFF when you create a given login.
 * The service account for the SQL Server startup service is locked or disabled on the domain controller.

If login auditing is configured to write the event of failed logins to the error log for the instance of SQL Server, the following messages are written to the SQL Server Errorlog file:

Error message 1

Logon Error: 18456, Severity: 14, State: 10.

Error message 2

Logon Login failed for user ' '. [CLIENT: ]

Note The state of this 18456 error is 10. However, the client application always receives the "Logon Error: 18456" error message with the state set to 1. To increase security, the error message that is returned to the client deliberately hides the nature of the authentication error by always setting the state of the 18456 error to 1. By default, auditing of failed logins is enabled. In this case, the true state of the 18456 error is reported in the SQL Server Errorlog file. For more information about how to troubleshoot 18456 errors, visit the following Microsoft Developer Network (MSDN) Web site:

http://msdn2.microsoft.com/en-us/library/ms366351.aspx
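
Because the client only ever sees state 1, the true state has to be read from the Errorlog. The following Python is an added example, not part of the original article: it pairs the two Errorlog lines shown above and lists the logins that failed with state 10. The timestamp prefix, login names and client addresses in the sample are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the two-line shape shown above. Timestamps, login names
# and client addresses are invented; state 8 is only a non-10 contrast.
SAMPLE_ERRORLOG = """\
2007-11-20 09:14:02.31 Logon       Error: 18456, Severity: 14, State: 10.
2007-11-20 09:14:02.31 Logon       Login failed for user 'app_reader'. [CLIENT: 192.0.2.10]
2007-11-20 09:14:05.87 Logon       Error: 18456, Severity: 14, State: 8.
2007-11-20 09:14:05.87 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.77]
2007-11-20 09:15:40.02 spid52      Starting up database 'sales'.
2007-11-20 09:16:11.40 Logon       Error: 18456, Severity: 14, State: 10.
2007-11-20 09:16:11.40 Logon       Login failed for user 'app_writer'. [CLIENT: 192.0.2.11]
2007-11-20 09:17:00.00 Logon       Error: 18456, Severity: 14, State: 10.
"""

ERROR_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+Logon\s+Error: 18456, Severity: \d+, State: (?P<state>\d+)\.")
DETAIL_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+Logon\s+Login failed for user '(?P<user>[^']*)'\."
    r"(?:\s*\[CLIENT: (?P<client>[^\]]*)\])?")

def parse_failed_logins(text):
    """Pair each 18456 line with the 'Login failed' line that follows it."""
    events, pending = [], None
    for line in text.splitlines():
        err = ERROR_RE.match(line)
        if err:
            if pending:                      # previous error had no detail line
                events.append(pending)
            pending = {"ts": err["ts"], "state": int(err["state"]),
                       "user": None, "client": None}
            continue
        det = DETAIL_RE.match(line)
        if det and pending and det["ts"] == pending["ts"]:
            pending["user"] = det["user"].strip() or None
            pending["client"] = (det["client"] or "").strip() or None
            events.append(pending)
            pending = None
    if pending:                              # log ended on an unpaired error
        events.append(pending)
    return events

def state_10_logins(events):
    """Logins whose server-side state is 10, the state this article reports."""
    return sorted({e["user"] for e in events if e["state"] == 10 and e["user"]})

if __name__ == "__main__":
    print(state_10_logins(parse_failed_logins(SAMPLE_ERRORLOG)))
```

Several different SQL authenticated logins failing with state 10 in a short window is consistent with the condition described in this article and is a cue to check the service account on the domain controller.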



RESOLUTION
A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this hotfix.

To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:

http://go.microsoft.com/?linkid=6294451

Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Prerequisites
You must have SQL Server 2005 Service Pack 1 installed to apply this hotfix.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

913089 How to obtain the latest service pack for SQL Server 2005

Restart information
You do not have to restart the computer after you apply this hotfix.

Registry information
You do not have to change the registry.

Hotfix file information
This hotfix contains only those files that are required to correct the issues that this article lists. This hotfix may not contain all the files that you must have to fully update a product to the latest build.

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

SQL Server 2005 x64-based version


WORKAROUND
To work around this problem, use one of the following methods:
 * Unlock the service account on the domain controller.
 * Do not use Windows domain password policy enforcement for SQL Server authenticated logins. To disable this property, use the following statements:
   * For a new SQL Server login

CREATE LOGIN <SQLAuthenticatedLogin> WITH PASSWORD = '<Password>', CHECK_POLICY = OFF
   * For an existing SQL Server login

ALTER LOGIN <SQLAuthenticatedLogin> WITH CHECK_POLICY = OFF


STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


MORE INFORMATION
This hotfix adds the new trace flag 4614 to SQL Server 2005. When you enable trace flag 4614, you can use SQL Server authenticated logins that use Windows domain password policy enforcement to log on to the instance even though the SQL Server service account is locked out or disabled on the Windows domain controller.

You can interactively enable or disable the trace flag by using the following DBCC TRACEON and DBCC TRACEOFF commands:
 * Enable trace flag 4614

DBCC TRACEON (4614, -1)
 * Disable trace flag 4614

DBCC TRACEOFF (4614, -1)

You can also specify the trace flag as a startup parameter of the SQL Server service. When you specify the trace flag as a startup parameter, the trace flag is automatically enabled when the SQL Server service starts. If you set the trace flag as a startup parameter, you can still use the DBCC TRACEOFF command to disable the trace flag interactively.


For more information about the naming schema for Microsoft SQL Server updates, click the following article number to view the article in the Microsoft Knowledge Base:

822499 New naming schema for Microsoft SQL Server software update packages

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

Keywords: kbtshoot kbqfe kbpubtypekc kbhotfixserver kbsql2005cluster kbsql2005connect KB925744


© Microsoft Corporation. All rights reserved.