SQL Server Windows Authentication fails after tonight's security updates: The login is from an untrusted domain

active-directory sql-server windows-server-2003 kerberos

We have the following setup:

  • One Domain Controller (DC, Server 2003 R2 Standard x64)
  • One SQL Server (SQL, Server 2008 R2 Standard x64)
  • some clients.

All machines are in the same domain. All user accounts in use are domain accounts. SQL runs one instance of each SQL Server 2005, 2008, 2008R2, 2012 and 2014.

Since tonight (DC rebooted to install automatic Windows security updates), accessing the SQL 2005, 2008 and 2008R2 instances through Windows authentication does not work properly anymore:

When accessing one of these instances

  • from one of the clients
  • using Windows authentication

the following error occurs (it's the 2008R2 message, the 2005/2008 messages are similar):

Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. (Microsoft SQL Server, Error: 18452)

Obviously, the message text does not apply, since there is only one domain.

Now the surprising thing is: As soon as user is logged in on SQL (starting an RDP sesson or even simply running runas /user:MYDOMAIN\someuser cmd and keeping the window open), this user can access all SQL Server instances from all clients without any problems until the process running with that user's credentials is closed.

This means that I can just workaround this problem by executing the above runas command for all users on SQL once (and keeping the windows open), but, obviously, something is severely broken. I suspect tonight's security updates on DC have something to do with it (since that's the only thing that changed), but I'd rather avoid uninstalling and rebooting each one of them (12 updates were installed and DC is really old and slow).

Has anyone encountered this issue before and knows how to fix it permanently? Any other ideas (other than spending the next few days becoming a Kerberos expert)?


Solution 1:

check if your DC installed the update KB3002657 tonight. see http://support2.microsoft.com/?kbid=3002657 I had the same issue. Deinstalling this update solved the problem for me.

Solution 2:

The following fix via Group Policy worked for me:

  1. Open Group Policy Administrator
  2. Navigate to Computer Configuration >> Windows Settings >> Local Polices >> Security Options
  3. Double Click "Network Security: LAN Manager authentication level"
  4. Change option from "Send NTLM Responses" to "Send LM & NTLM responses"
  5. Run gpupdate /force on affected computers and servers.

Related

How do you configure IIS 7 to use a subdirectory as the default document?
ssh session idle timeout
How can I redirect any ServerAlias to the respective ServerName?
Virtualization: Guest in guest?
IIS URL Rewrite Module Query String Parameters
Is there any way to prevent Storage Spaces Direct from automatically adding disks?
mysql my.cnf ignored
Does an SSL certificate work on CNAME'd urls?
Do I have to have an ssl certificate for my mail server?
zpool status reports error ... what next?
OpenLdap TLS authentication setup
Linux - if I change the hostname, which services need to be restarted?