早上巡检的的时候,发现一数据库的作业报如下错误(作业名等敏感信息已经替换),该作业的OWNER为一个域账号:
JOB RUN: ‘JOB_NAME’ was run on 2016-6-1 at 7:00:00
DURATION: 0 hours, 0 minutes, 1 seconds
STATUS: Failed
MESSAGES: The job failed. Unable to determine if the owner (Domain\UserName) of job JOB_NAME has server access (reason: Could not obtain information about Windows NT group/user ‘Domain\UserName’, error code 0x2095. [SQLSTATE 42000] (Error 15404)).
在SQL Server Agent错误日志里面,你会看到如下错误信息:
Date 2016/6/1 7:10:01
Log SQL Server Agent (Current – 2016/6/1 8:40:00)
Message
[298] SQLServer Error: 15404, Could not obtain information about Windows NT group/user ‘Domain\UserName’, error code 0x2095. [SQLSTATE 42000] (ConnIsLoginSysAdmin)
关于15404的错误的官方介绍如下所示。具体参考下面链接信息
Product Name | SQL Server |
Event ID | 15404 |
Event Source | MSSQLSERVER |
Component | SQLEngine |
Symbolic Name | SEC_NTGRP_ERROR |
Message Text | Could not obtain information about Windows NT group/user ‘user‘, error code code. |
15404 is used in authentication when an invalid principal is specified. Or, impersonation of a Windows account fails because there is no full trust relationship between the SQL Server service account and the domain of the Windows account.
Check that the Windows principal exists and is not misspelled.
If this error is the result of a lack of a full trust relationship between the SQL Server service account and the domain of the Windows account, one of the following actions can resolve the error:
Use an account from the same domain as the Windows user for the SQL Server service.
If SQL Server is using a machine account such as Network Service or Local System, the machine must be trusted by the domain containing the Windows User.
Use a SQL Server account.
具体来说,是因为当SQL Server实例不能访问AD Server,因为AD Server出现了异常,导致SQL Server服务(本地Windows用户帐户)试图验证AD中的用户“域\用户名”,但是无法验证,因为它没有正确的/权限访问AD资源。
The SQL Server service (a local Windows user account) was trying to authenticate the user “domain\userName” in AD, which it could not do because it does not have the right/permission to access AD resources.
另外关于15404错误,其实有多种可能性,根据具体的代码有所不同(error code 0x5、error code 0x2095 等),以前我遇到一个error code为0x5的案例,总结在这一篇MS SQL Could not obtain information about Windows NT group/user ‘domain\login’, error code 0x5. [SQLSTATE 42000] (Error 15404)。
15404 is the exception when EXECUTE AS context cannot be impersonated. Reasons for these error are plenty. The most common reasons are:
- when the SQL Server instance does not have access to the AD server because is running as a local user or as ‘local service’ (this would have an error code 0x5,
ACCESS_DENIED
) - when the SQL Server is asked to impersonate an unknown user, like an user from a domain the SQL Server has not idea about (this would have the error code 0x54b,
ERROR_NO_SUCH_DOMAIN
)
The proper solution is always dependent on the error code, which is the OS error when trying to obtain the impersonated user identity token: one searches first for the error code in the System Error Codes table (or fires up windbg, does a loopback non-invasive kernel debug connection and goes !error, which is what I prefer cause is faster…).
解决方法一般也很简单,将作业的ower改为sa或将SQL Agent服务改为拥有sysadmin角色的账号即可解决问题。
参考资料:
https://msdn.microsoft.com/en-us/library/dn205134(v=sql.110).aspx