Microsoft KB Archive/159221

= FIX: Xp_cmdshell Run by Non-SA Causes Error 1326 =

Article ID: 159221

Article Last Modified on 10/17/2003

-

APPLIES TO


 * Microsoft SQL Server 6.5 Standard Edition

-



This article was previously published under Q159221



BUG #: 16244 (6.5)



SYMPTOMS
If a non-system administrator (SA) login runs the extended stored procedure xp_cmdshell on a domain controller when the option "xp_cmdshell - Use SQLExecutiveCmdExec Account for Non SAs" is enabled in SQL Enterprise Manager or SQL Server Setup under Set Server Options, the following error will occur:

xpsql.c: Error 1326 from LogonUser on line 359



WORKAROUND
To work around this problem, do one of the following:


 * Disable the "xp_cmdshell - Use SQLExecutiveCmdExec Account for Non SAs" option in SQL Enterprise Manager or in SQL Server Setup under Set Server Options.

-or-
 * Rename the machine name of the domain controller to match the domain name. Note that this solution will only work for one SQL Server on a domain.

-or-
 * Reinstall Windows NT Server as a server in the domain, instead of as a domain controller.



STATUS
Microsoft has confirmed this to be a problem in SQL Server 6.5. This problem has been corrected in U.S. Service Pack 5a for Microsoft SQL Server 6.5. For information about how to download and install the latest SQL Server Service Pack, see the following Microsoft Web site:

http://support.microsoft.com/highlights/sql.asp

For more information, contact your primary support provider.



MORE INFORMATION
Microsoft SQL Server 6.5 is not recommended for installation on a primary domain controller (PDC) or a backup domain controller (BDC), because those computers perform the resource-intensive tasks of maintaining and replicating the domain's security accounts database and performing network logon authentications.

If you enable security auditing for logon and logoff failures, you will see event 529, indicating a logon failure, for the SQLExecutiveCmdExec account, as in the following example:

Logon Failure:

Reason: Unknown user name or bad password

User Name: SQLExecutiveCmdExec

Domain: NTServerName

Logon Type: 4

Logon Process: Advapi

Authentication Package:

MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Workstation Name: NTServerName

Additionally, a similar error occurs with CmdExec tasks created by non-SA logins. For more information please see the following article in the Microsoft Knowledge Base:

159792 : FIX: Non-SA CmdExec Task Run on Domain Controller Causes Error

Additional query words: CmdExec Task SQLExecutive privilege

Keywords: kbbug kbfix kbusage KB159221

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.