I am creating a SQL Server Replication using a script. When I try to execute
The job failed. Unable to determine if the owner (STAR\moorer7) of job L3BPT2M-Atlas-14 has server access (reason: Could not obtain information about Windows NT group/user 'STAR\moorer7', error code 0x5. [SQLSTATE 42000] (Error 15404)).
This is a job created by a script that defines replication.
How do I debug this?
asked Aug 5, 2009 at 17:13
Raj MoreRaj More
47.2k33 gold badges132 silver badges198 bronze badges
3
Active Directory is refusing access to your SQL Agent. The Agent should be running under an account that is recognized by STAR domain controller.
magnattic
12.7k13 gold badges62 silver badges115 bronze badges
answered Aug 5, 2009 at 17:30
Remus RusanuRemus Rusanu
289k40 gold badges445 silver badges570 bronze badges
7
For me, the jobs were running under DOMAIN\Administrator and failing with the error message "The job failed. Unable to determine if the owner (DOMAIN\administrator) of job Agent history clean up: distribution has server access (reason: Could not obtain information about Windows NT group/user 'DOMAIN\administrator', error code 0x5. [SQLSTATE 42000] (Error 15404)). To fix this, I changed the owner of each failing job to sa. Worked flawlessly after that. The jobs were related to replication cleanup, but I’m unsure if they were manually added or were added as a part of the replication set-up — I wasn’t involved with it, so I am not sure.
answered Sep 19, 2016 at 15:00
Derreck DeanDerreck Dean
3,7181 gold badge26 silver badges45 bronze badges
0
We encountered similar errors in a testing environment on a virtual machine. If the machine name changes due to VM cloning from a template, you can get this error.
If the computer name changed from OLD to NEW.
A job uses this stored procedure:
msdb.dbo.sp_sqlagent_has_server_access @login_name = 'OLD\Administrator'
Which uses this one:
EXECUTE master.dbo.xp_logininfo 'OLD\Administrator'
Which gives this SQL error 15404
select text from sys.messages where message_id = 15404;
Could not obtain information about Windows NT group/user '%ls', error code %#lx.
Which I guess is correct, under the circumstances. We added a script to the VM cloning/deployment process that re-creates the SQL login.
answered Feb 16, 2012 at 21:43
Craig CelesteCraig Celeste
12.2k10 gold badges42 silver badges49 bronze badges
In my case I was getting this error trying to use the IS_ROLEMEMBER() function on SQL Server 2008 R2. This function isn’t valid prior to SQL Server 2012.
Instead of this function I ended up using
select 1
from sys.database_principals u
inner join sys.database_role_members ur
on u.principal_id = ur.member_principal_id
inner join sys.database_principals r
on ur.role_principal_id = r.principal_id
where r.name = @role_name
and u.name = @username
Significantly more verbose, but it gets the job done.
Raj More
47.2k33 gold badges132 silver badges198 bronze badges
answered Jan 3, 2013 at 18:44
Bacon BitsBacon Bits
30.9k5 gold badges59 silver badges67 bronze badges
Just solved this problem. In my case it was domain controller is not accessible, because both dns servers was google dns.
I just add to checklist for this problem:
- check domain controller is accessible
answered Aug 4, 2014 at 11:26
RailRail
7008 silver badges12 bronze badges
1
I was having the same issue, which turned out to be caused by the Domain login that runs the SQL service being locked out in AD. The lockout was caused by an unrelated usage of the service account for another purpose with the wrong password.
The errors received from SQL Agent logs did not mention the service account’s name, just the name of the user (job owner) that couldn’t be authenticated (since it uses the service account to check with AD).
answered Mar 4, 2015 at 0:51
I had to connect to VPN for the publish script to successfully deploy to the DB.
answered Apr 25, 2015 at 17:42
PetePete
1692 silver badges14 bronze badges
In our case, the Windows service account that SQL Server and SQL Agent were running under were locked out in Active Directory.
answered Jul 12, 2019 at 12:57
I just got this error and it turns out my AD administrator deleted the service account used by EVERY SQL Server instance in the entire company. Thank goodness AD has its own recycle bin.
See if you can run the Active Directory Users and Computers utility (%SystemRoot%\system32\dsa.msc), and check to make sure the account you are relying on still exists.
answered May 26, 2020 at 22:03
I am creating a SQL Server Replication using a script. When I try to execute
The job failed. Unable to determine if the owner (STAR\moorer7) of job L3BPT2M-Atlas-14 has server access (reason: Could not obtain information about Windows NT group/user 'STAR\moorer7', error code 0x5. [SQLSTATE 42000] (Error 15404)).
This is a job created by a script that defines replication.
How do I debug this?
asked Aug 5, 2009 at 17:13
Raj MoreRaj More
47.2k33 gold badges132 silver badges198 bronze badges
3
Active Directory is refusing access to your SQL Agent. The Agent should be running under an account that is recognized by STAR domain controller.
magnattic
12.7k13 gold badges62 silver badges115 bronze badges
answered Aug 5, 2009 at 17:30
Remus RusanuRemus Rusanu
289k40 gold badges445 silver badges570 bronze badges
7
For me, the jobs were running under DOMAIN\Administrator and failing with the error message "The job failed. Unable to determine if the owner (DOMAIN\administrator) of job Agent history clean up: distribution has server access (reason: Could not obtain information about Windows NT group/user 'DOMAIN\administrator', error code 0x5. [SQLSTATE 42000] (Error 15404)). To fix this, I changed the owner of each failing job to sa. Worked flawlessly after that. The jobs were related to replication cleanup, but I’m unsure if they were manually added or were added as a part of the replication set-up — I wasn’t involved with it, so I am not sure.
answered Sep 19, 2016 at 15:00
Derreck DeanDerreck Dean
3,7181 gold badge26 silver badges45 bronze badges
0
We encountered similar errors in a testing environment on a virtual machine. If the machine name changes due to VM cloning from a template, you can get this error.
If the computer name changed from OLD to NEW.
A job uses this stored procedure:
msdb.dbo.sp_sqlagent_has_server_access @login_name = 'OLD\Administrator'
Which uses this one:
EXECUTE master.dbo.xp_logininfo 'OLD\Administrator'
Which gives this SQL error 15404
select text from sys.messages where message_id = 15404;
Could not obtain information about Windows NT group/user '%ls', error code %#lx.
Which I guess is correct, under the circumstances. We added a script to the VM cloning/deployment process that re-creates the SQL login.
answered Feb 16, 2012 at 21:43
Craig CelesteCraig Celeste
12.2k10 gold badges42 silver badges49 bronze badges
In my case I was getting this error trying to use the IS_ROLEMEMBER() function on SQL Server 2008 R2. This function isn’t valid prior to SQL Server 2012.
Instead of this function I ended up using
select 1
from sys.database_principals u
inner join sys.database_role_members ur
on u.principal_id = ur.member_principal_id
inner join sys.database_principals r
on ur.role_principal_id = r.principal_id
where r.name = @role_name
and u.name = @username
Significantly more verbose, but it gets the job done.
Raj More
47.2k33 gold badges132 silver badges198 bronze badges
answered Jan 3, 2013 at 18:44
Bacon BitsBacon Bits
30.9k5 gold badges59 silver badges67 bronze badges
Just solved this problem. In my case it was domain controller is not accessible, because both dns servers was google dns.
I just add to checklist for this problem:
- check domain controller is accessible
answered Aug 4, 2014 at 11:26
RailRail
7008 silver badges12 bronze badges
1
I was having the same issue, which turned out to be caused by the Domain login that runs the SQL service being locked out in AD. The lockout was caused by an unrelated usage of the service account for another purpose with the wrong password.
The errors received from SQL Agent logs did not mention the service account’s name, just the name of the user (job owner) that couldn’t be authenticated (since it uses the service account to check with AD).
answered Mar 4, 2015 at 0:51
I had to connect to VPN for the publish script to successfully deploy to the DB.
answered Apr 25, 2015 at 17:42
PetePete
1692 silver badges14 bronze badges
In our case, the Windows service account that SQL Server and SQL Agent were running under were locked out in Active Directory.
answered Jul 12, 2019 at 12:57
I just got this error and it turns out my AD administrator deleted the service account used by EVERY SQL Server instance in the entire company. Thank goodness AD has its own recycle bin.
See if you can run the Active Directory Users and Computers utility (%SystemRoot%\system32\dsa.msc), and check to make sure the account you are relying on still exists.
answered May 26, 2020 at 22:03
May 6, 2020 by Kenneth Fisher
This is an interesting error that you’ll occasionally get when accessing an AD/Windows ID.
Msg 15404, Level 16, State 11, Line 6
Could not obtain information about Windows NT group/user ‘SQL2019TESTENV\Dopey’, error code 0x534.
Pretty simple reason here. The AD/Windows group/user no longer exists (or is inaccessible) but the entry for it exists inside of SQL.
Now what do I mean by “accessing”? Well the easiest way to get the error is to try to impersonate the id.
EXECUTE AS LOGIN = 'SQL2019TESTENV\Dopey'; EXECUTE AS USER = 'SQL2019TESTENV\Dopey';
I’ve most frequently seen this happen when someone has left the company (or a service account is removed for whatever reason) and the corresponding SQL principals (logins & users) have not been removed.
When this can get really interesting when you go to look up the name in AD/Windows and it’s still there!?! Basically what’s happened is that the SID has changed at the AD/Windows level. I believe this can happen when removing/re-adding an id but when I tested in Windows dropping and re-creating the Id gave me the same SID. I could be missing something though. Regardless the SID in SQL no longer has a match in AD/Windows.
Now that we have the error what do we use to fix it? Well, if the Id is gone and is supposed to be gone drop your associated logins and users. If on the other hand the Id still exists but the SID doesn’t match anymore it’s a bit more complicated.
First script the login (server principal) and all of it’s server level role memberships and permissions then drop and re-create it. Generally I use my sp_SrvPermissions stored procedure for this. You do not have drop any users (database principals). You will have to do the following in each of the databases were a related user exists.
ALTER USER Dopey WITH LOGIN = 'Dopey'
This will change the SID of the user to match the login.
To the best of my knowledge this can also happen with Azure SQL databases and AAD although I haven’t tested it yet.
Category: Microsoft SQL Server, Security, SQLServerPedia Syndication
| Tags: Microsoft SQL Server, security
When we reset a SQL Service Account (domain joined) password, we do so using our PAM/Password Vault application. That PAM/Vault reaches out to Active Directory via a proxy server, and sets the new password. It also reaches out to the server that is running
SQL Services (MSSQLSERVER, SQLSERVERAGENT), and puts the new password into the services. We then do not auto-restart the services then and there (as this would cause a production outage). We wait for the servers to get patched or have a reboot scheduled for
updates, and just let them restart the server (which in theory is our replacement for restarting the 2 sql services). Unfortunately, this has become an issue this year. This doesn’t appear to happen every time, but about half of the time we run into the issue
of the service failing to authenticate after we place the new password into the services (and don’t immediately restart the server or restart the services).
From the SQL Server — The job failed. Unable to determine if the owner (Domain\UsernameHere) of job randomJobNameHere has server access (reason: Could
not obtain information about Windows NT group/user ‘Domain\UsernameHere’, error code 0x5. [SQLSTATE 42000] (Error 15404)).
From the server running the 2 SQL services within an hour after setting the new password via PAM/Vault (when the SQL job tried to run)…
Failure Information:
Failure Reason:
An Error occured during Logon.
Status:
0xc000018d
Sub Status:
0x0
Process Information:
Caller Process ID:
0x630
Caller Process Name:
C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
From the server running the 2 SQL services ~3 hours after setting the new password via PAM/Vault (when the SQL job tried to run again)…
Failure Information:
Failure Reason:
Unknown user name or bad password.
Status:
0xc000006d
Sub Status:
0xc000006a
Process Information:
Caller Process ID:
0x630
Caller Process Name:
C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
Last year we used to reset passwords this way, and didn’t have any issues. At that time we were using CyberArk as our PAM/Vault solution, and this year we are using CA PAM as our solution, although I don’t see how the PAM/Vault solution would cause the problem.
Is there some sort of caching issue taking place from an AD perspective? What about a caching related thing with SQL Service? Is it a requirement now to restart the SQL Services after changing the password for the domain joined service account running them?
Thanks.
-
Edited by
Tuesday, December 11, 2018 3:38 PM
typo
I recently received a request for help from a customer about a problem that has started to occur with SQL Server jobs in BizTalk Server. Everything was working fine for the last few months until they begin receiving the following errors while the SQL Jobs was trying to execute:
The job failed. Unable to determine if the owner (domain\username) of job MessageBox_Message_ManageRefCountLog_BizTalkMsgBoxDb has server access (reason: Could not obtain information about Windows NT group/user ‘domain\username’, error code 0x534. [SQLSTATE 42000] (Error 15404)).
Cause
Actually, the reason for this error was quite simple, and it is an error that can happen relatively often if we do not take the necessary steps.
In this case, the user that performed the BizTalk Server installation and configuration was a personal account that was a member of the BizTalk Server Administration group, and by default, he is configured as the owner of that jobs. However, at some point, the employee left or terminated the contract and his account was terminated or disabled and that is the reason for that error started to happen.
Solution
The solution is simple, we need to change the owner. And to do that, we need:
- Open the SQL Server Management Studio.
- Expand SQL Server Agent, and then Jobs.
- Right-click on job name, in this case, MessageBox_Message_ManageRefCountLog_BizTalkMsgBoxDb and select Properties
- In the Owner field, select the sa account, or any other account, as the job owner using the ellipsis button
- Do that steps for all the BizTalk Server SQL Jobs.
After that, the problem should be solved.
Sandro Pereira lives in Portugal and works as a consultant at DevScope. In the past years, he has been working on implementing Integration scenarios both on-premises and cloud for various clients, each with different scenarios from a technical point of view, size, and criticality, using Microsoft Azure, Microsoft BizTalk Server and different technologies like AS2, EDI, RosettaNet, SAP, TIBCO etc.
He is a regular blogger, international speaker, and technical reviewer of several BizTalk books all focused on Integration. He is also the author of the book “BizTalk Mapping Patterns & Best Practices”. He has been awarded MVP since 2011 for his contributions to the integration community.
View all posts by Sandro Pereira