3 comments

Service Accounts: Active Directory Permissions Issues: Part #3 SQL 2008 R2

Published on Friday, May 18, 2012 in , ,

And yep, there’s more instances of this phenomena! I also came across the following when install an Active Directory Federation Services farm which uses SQL to store its configuration. Whilst there was not noticeable impact (yet), I saw the SQL loggings being filled with the following warnings:

clip_image002

In words: The activated proc '[IdentityServerPolicy].[SqlQueryNotificationStoredProcedure-616f6b36-c503-4503-a6cd-7e067a1b9e43]' running on queue 'AdfsConfiguration.IdentityServerPolicy.SqlQueryNotificationService-616f6b36-c503-4503-a6cd-7e067a1b9e43' output the following:  'Could not obtain information about Windows NT group/user '***\s_****_adfs', error code 0x5.'

And a slightly other one:

clip_image002[5]

In words: An exception occurred while enqueueing a message in the target queue. Error: 15404, State: 19. Could not obtain information about Windows NT group/user '***\s_****_adfs', error code 0x5.

Error: 28005, Severity: 16, State: 2.

The solution: is to give the “Authenticated Users”  “Read Permissions” on the ADFS service account. An easy way to test this solution is executing the following query:

image

The query xp_logininfo ‘Domain\service account’ will return something like this if things go well:

clip_image002[9]

Or like this if the SQL Server service lacks the mentioned permissions:

clip_image002[7]

If you’re interested in a more definite solution which does not involve modifying the security of all your service accounts, make sure to read Service Accounts: Active Directory Permissions Issues: Part #4 Conclusion.

Related Posts

3 Response to Service Accounts: Active Directory Permissions Issues: Part #3 SQL 2008 R2

12 October, 2012 16:40

Thanks a Lot...It solve my problem after giving Read Permission on the Service account in Active directory.


Regards,
Ashish

Anonymous
05 December, 2013 12:33

Thanks, this solutions works for me. ( ADSF , windows 2012R2)

Anonymous
04 December, 2017 20:36

THANK YOU SO MUCH! This is exactly what I was looking for!

Add Your Comment