0010 Specific Error Messages and What They Mean - microsoft/CSS_SQL_Networking_Tools GitHub Wiki

0010 Specific Error Messages and What They Mean

This page lists specific error messages you may encounter in your application or note in the SQL Server ERRORLOG files and what they mean. They may also indicate some sort of action plan or troubleshooting workflow to follow.

  • Communication Link Failure
  • Error -2146893039 (0x80090311): No authority could be contacted for authentication.
  • Error -2146893052 (0x80090304): The Local Security Authority cannot be contacted.
  • Login failed for user 'CONTOSO\JohnDoe'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors.

Communication Link Failure

This message is seen in the client application. It specifically indicates a Network-related error and not an authentication error. Use one of the Network Issue troubleshooting workflows. A second error message may also be logged that gives additional context.

Error -2146893039 (0x80090311): No authority could be contacted for authentication.

This error is seen in the SQL Server ERRORLOG file. This is an Active Directory error; Windows could not connect to the domain controller. The System Event Log may also log SCHANNEL, KERBEROS, or NETLOGON events related to this error message. Your domain controller may be bad, offline, or overloaded for a period of time. Domain controller logs may give more information.

This assumes all connections are going through NTLM; because of this, we are receiving specific Directory Service Error Messages: No Local Security Authority Could be Contacted.

In case the issue persists after adding the SPNs or applying the workaround, please engage Windows Directory Services.

Error -2146893052 (0x80090304): The Local Security Authority cannot be contacted.

This error is seen in the SQL Server ERRORLOG file. This is an Active Directory error; Windows could not connect to the local security subsystem (LSASS). The System Event Log may also log SCHANNEL, KERBEROS, or NETLOGON events related to this error message. This should be troubleshot as an Active Directory issue and not a SQL Connectivity issue.

Login failed for user 'CONTOSO\JohnDoe'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors.

This error is seen in the SQL Server ERRORLOG file. If the account name is NT AUTHORITY\ANONYMOUS LOGON, then troubleshoot as an authentication issue or a delegation issue.

If the account name is the expected account, then this is a SQL Server internal permission error. Past experience points to the following as likely causes:

  • About 30% of the cases are for the anonymous account and should be troubleshot as a regular authentication or delegation issue.
  • One issue had a bad entry in the HOSTS file, pointing to the wrong SQL Server.
  • The named account may need to be granted sysadmin rights.
  • Logins may be denied for the endpoint being connected to.
  • The account may belong to a group that has DENY permissions in SQL Server.
  • The account may get access via the Administrators group but needs to be run "As Administrator" for UAC elevation. You can also resolve the issue by granting direct access to the account and via another group that is not Administrators.