Commit 4dbc069

Merge pull request #25581 from rwestMSFT/patch-14
Refresh mssqlserver-18456-database-engine-error
2 parents f605f28 + 44315f3 commit 4dbc069

1 file changed

Lines changed: 13 additions & 15 deletions

docs/relational-databases/errors-events/mssqlserver-18456-database-engine-error.md

@@ -3,8 +3,8 @@ title: MSSQLSERVER_18456
33
description: A connection attempt is rejected due to a failure with a bad password or username in SQL Server. See an explanation of the error and possible resolutions.
44
author: MashaMSFT
55
ms.author: mathoma
6-
ms.reviewer: pijocoder
7-
ms.date: 12/19/2022
6+
ms.reviewer: pijocoder, randolphwest
7+
ms.date: 01/16/2023
88
ms.service: sql
99
ms.subservice: supportability
1010
ms.topic: "reference"
@@ -57,7 +57,7 @@ If the domain name isn't specified, the problem is a failing SQL Server login at
5757
| You aren't running your application (for example, SSMS) as an administrator. | If you're trying to connect using your administrator credentials, start your application by using the **Run as Administrator** option. When connected, add your Windows user as an individual login. |
5858
| Login is deleted after a migration to a contained database user. | If the Database Engine supports contained databases, confirm that the login wasn't deleted after migration to a contained database user. For more information, see [Contained Database Authentication: Introduction](https://techcommunity.microsoft.com/t5/sql-server-blog/contained-database-authentication-introduction/ba-p/383696). |
5959
| Login's default database is offline or otherwise not available. | Check with your SQL Server administrator and resolve issues related to database availability. If the login has permissions to other databases on the server and you don't need to access the currently configured default database in your application, use one of the following options:<br />- Request the administrator to change the default database for the login using [ALTER LOGIN](../../t-sql/statements/alter-login-transact-sql.md) statement or SSMS.<br />- Explicitly specify a different database in your application [connection string](../../connect/homepage-sql-connection-programming.md). Or if you're using SSMS switch to the [Connection Properties](../../ssms/f1-help/connect-to-server-connection-properties-page-database-engine.md) tab to specify a database that is currently available.</li>Applications like SSMS may show an error message like the following one:<br />`Cannot open user default database. Login failed.`<br />`Login failed for user <user name>. (Microsoft SQL Server, Error: 4064)`<br />SQL Server Errorlog will have an error message like the following one:<br />`Login failed for user '<user name>'. Reason: Failed to open the database '<dbname>' specified in the login properties [CLIENT: <ip address>]`<br />For more information, see [MSSQLSERVER_4064](./mssqlserver-4064-database-engine-error.md). |
60-
| The database explicitly specified in the connection string or in SSMS is incorrectly spelled, offline, or otherwise not available. | - Fix the database name in the connection string.<br />- If the database name is correct, check with your SQL Server administrator and resolve issues related to database availability. Check if the database is offline, not recovered, and so on.<br />- If the login has been mapped to users with permissions to other databases on the server and you don't need to access the currently configured database in your application, then specify a different database in your [connection string](../../connect/homepage-sql-connection-programming.md). Or if you're connecting with SSMS, use the [Connection Properties](../../ssms/f1-help/connect-to-server-connection-properties-page-database-engine.md) tab to specify a database that is currently available.<br />SQL Server Errorlog will have an error message like the following one:<br />`Login failed for user <UserName>. Reason: Failed to open the explicitly specified database 'dbname'. [CLIENT: <ip address>]`<br />**Note**: If the login's default database is available, SQL Server allows the connection to succeed. For more information, see [MSSQLSERVER_4064](./mssqlserver-4064-database-engine-error.md). |
60+
| The database explicitly specified in the connection string or in SSMS is incorrectly spelled, offline, or otherwise not available. | - Fix the database name in the connection string. Pay attention to case sensitivity if using a case sensitive collation on the server.<br />- If the database name is correct, check with your SQL Server administrator and resolve issues related to database availability. Check if the database is offline, not recovered, and so on.<br />- If the login has been mapped to users with permissions to other databases on the server and you don't need to access the currently configured database in your application, then specify a different database in your [connection string](../../connect/homepage-sql-connection-programming.md). Or if you're connecting with SSMS, use the [Connection Properties](../../ssms/f1-help/connect-to-server-connection-properties-page-database-engine.md) tab to specify a database that is currently available.<br />SQL Server Errorlog will have an error message like the following one:<br />`Login failed for user <UserName>. Reason: Failed to open the explicitly specified database 'dbname'. [CLIENT: <ip address>]`<br />**Note**: If the login's default database is available, SQL Server allows the connection to succeed. For more information, see [MSSQLSERVER_4064](./mssqlserver-4064-database-engine-error.md). |
6161
| The user doesn't have permissions to the requested database. | - Try connecting as another user that has sysadmin rights to see if connectivity can be established.<br />- Grant the login access to the database by creating the corresponding user (for example, `CREATE USER [<UserName>] FOR LOGIN [UserName]`) |
6262

6363
Also, check the extensive list of error codes at [Troubleshooting Error 18456](https://sqlblog.org/2020/07/28/troubleshooting-error-18456).
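
Review bot: In the sentence added to the first bullet of the "explicitly specified" database row, "case sensitive collation" should be hyphenated as "case-sensitive collation", and "if using" reads better as "if the server uses". While the row is being touched, note that its sample error log line uses `<UserName>` and `'dbname'` where the default-database row above uses `'<user name>'` and `'<dbname>'`; pick one placeholder style for both. The default-database row also still carries a stray `</li>` before "Applications like SSMS", and the last row's `CREATE USER [<UserName>] FOR LOGIN [UserName]` mixes two placeholder forms.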
@@ -69,14 +69,13 @@ For more troubleshooting help, see [Troubleshooting SQL Client / Server Connecti
6969
There are at least four scenarios for this issue. In the following table, examine each applicable potential cause, and use the appropriate resolution:
7070
See the note below the table for an explanation of the term *double hop*.
7171

72-
73-
|Potential causes |Suggested resolutions |
74-
|---------|---------|
75-
|You're trying to pass NT LAN Manager (NTLM) credentials from one service to another service on the same computer (for example: from IIS to SQL server), but a failure occurs in the process.| Add the [DisableLoopbackCheck or BackConnectionHostNames](/troubleshoot/windows-server/networking/accessing-server-locally-with-fqdn-cname-alias-denied) registry entries. |
76-
|There are [double-hop](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/understanding-kerberos-double-hop/ba-p/395463) (constraint delegation) scenarios across multiple computers. The error could occur if the Kerberos connection fails because of Service Principal Names (SPN) issues. | Run [SQLCheck](https://github.com/microsoft/CSS_SQL_Networking_Tools/wiki/SQLCHECK) on each SQL Server and the web server. Use the troubleshooting guides: [0600 Credential Delegation Issue](https://github.com/microsoft/CSS_SQL_Networking_Tools/wiki/0600-Credential-Delegation-Issue) and [0650 SQL Server Linked Server Delegation Issues](https://github.com/microsoft/CSS_SQL_Networking_Tools/wiki/0650-SQL-Server-Linked-Server-Delegation-Issues). |
77-
|If no double-hop (constraint delegation) is involved, then likely duplicate SPNs exist, and the client is running as a LocalSystem or another machine account that gets NTLM credentials instead of Kerberos credentials. | Use [SQLCheck](https://github.com/microsoft/CSS_SQL_Networking_Tools/wiki/SQLCHECK) or [Setspn.exe](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731241(v=ws.11)) to diagnose and fix any SPN-related issues. Also review [Overview of the Kerberos Configuration Manager for SQL Server](/troubleshoot/sql/connect/using-kerberosmngr-sqlserver). |
78-
|Windows Local Security policy may have been configured to prevent the use of the machine account for remote authentication requests. | Navigate to **Local Security Policy** > **Local Policies** > **Security Options** > **Network security: Allow Local System to use computer identity for NTLM**, select the **Enabled** option if the setting is disabled, and then select **OK**.<br />**Note**: As detailed on the **Explain** tab, this policy is enabled in Windows 7 and later versions by default. |
79-
|Intermittent occurrence of this issue when using constrained delegation can indicate presence of an expired ticket that cannot be renewed by middle tier. This is an expected behavior with either linked server scenario or any application that is holding a logon session for more than 10 hours.|Change delegation settings on your middle-tier server from **Trust this computer for delegation to specified services only – Use Kerberos Only** to **Trust this computer for delegation to specified services only - Use any protocol.** For more information review [Intermittent ANONYMOUS LOGON of SQL Server linked server double hop](https://techcommunity.microsoft.com/t5/sql-server-support-blog/intermittent-anonymous-logon-of-sql-server-linked-server-double/ba-p/3694876).|
72+
| Potential causes | Suggested resolutions |
73+
| --- | --- |
74+
| You're trying to pass NT LAN Manager (NTLM) credentials from one service to another service on the same computer (for example: from IIS to SQL server), but a failure occurs in the process. | Add the [DisableLoopbackCheck or BackConnectionHostNames](/troubleshoot/windows-server/networking/accessing-server-locally-with-fqdn-cname-alias-denied) registry entries. |
75+
| There are [double-hop](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/understanding-kerberos-double-hop/ba-p/395463) (constraint delegation) scenarios across multiple computers. The error could occur if the Kerberos connection fails because of Service Principal Names (SPN) issues. | Run [SQLCheck](https://github.com/microsoft/CSS_SQL_Networking_Tools/wiki/SQLCHECK) on each SQL Server and the web server. Use the troubleshooting guides: [0600 Credential Delegation Issue](https://github.com/microsoft/CSS_SQL_Networking_Tools/wiki/0600-Credential-Delegation-Issue) and [0650 SQL Server Linked Server Delegation Issues](https://github.com/microsoft/CSS_SQL_Networking_Tools/wiki/0650-SQL-Server-Linked-Server-Delegation-Issues). |
76+
| If no double-hop (constraint delegation) is involved, then likely duplicate SPNs exist, and the client is running as a LocalSystem or another machine account that gets NTLM credentials instead of Kerberos credentials. | Use [SQLCheck](https://github.com/microsoft/CSS_SQL_Networking_Tools/wiki/SQLCHECK) or [Setspn.exe](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731241(v=ws.11)) to diagnose and fix any SPN-related issues. Also review [Overview of the Kerberos Configuration Manager for SQL Server](/troubleshoot/sql/connect/using-kerberosmngr-sqlserver). |
77+
| Windows Local Security policy may have been configured to prevent the use of the machine account for remote authentication requests. | Navigate to **Local Security Policy** > **Local Policies** > **Security Options** > **Network security: Allow Local System to use computer identity for NTLM**, select the **Enabled** option if the setting is disabled, and then select **OK**.<br />**Note**: As detailed on the **Explain** tab, this policy is enabled in Windows 7 and later versions by default. |
78+
| Intermittent occurrence of this issue when using constrained delegation can indicate presence of an expired ticket that can't be renewed by middle tier. This is an expected behavior with either linked server scenario or any application that is holding a logon session for more than 10 hours. | Change delegation settings on your middle-tier server from **Trust this computer for delegation to specified services only – Use Kerberos Only** to **Trust this computer for delegation to specified services only - Use any protocol.** For more information review [Intermittent ANONYMOUS LOGON of SQL Server linked server double hop](https://techcommunity.microsoft.com/t5/sql-server-support-blog/intermittent-anonymous-logon-of-sql-server-linked-server-double/ba-p/3694876). |
8079

8180
> [!NOTE]
8281
> A double-hop typically involves delegation of user credentials across multiple remote computers. For example, assume you have a SQL Server instance named *SQL1* where you created a linked server for a remote SQL Server named *SQL2*. In linked server security configuration, you selected the option **[Be made using the login's current security context](../linked-servers/create-linked-servers-sql-server-database-engine.md#specify-the-default-security-context-for-logins-not-present-in-the-mapping-list)**. When using this configuration, if you execute a linked server query on *SQL1* from a remote client computer named *Client1*, the windows credentials will first have to hop from *Client1* to *SQL1* and then from *SQL1* to *SQL2* (hence, it's called a double-hop). For more information, see [Understanding Kerberos Double Hop](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/understanding-kerberos-double-hop/ba-p/395463) and [Kerberos Constrained Delegation Overview](/windows-server/security/kerberos/kerberos-constrained-delegation-overview)
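
Review bot: Rows 2 and 3 of the rewritten table still say "(constraint delegation)", while row 5 and the linked "Kerberos Constrained Delegation Overview" say "constrained delegation"; since every row is being reflowed anyway, change both to "constrained delegation". Row 5 also tells the reader to move the middle tier from "Use Kerberos Only" to "Use any protocol" without saying what that change permits; a sentence on the security trade-off, or a link that covers it, would let an administrator decide before loosening the setting. Minor: that row mixes an en dash and a hyphen in the two option names, and the NOTE after the table ends without a period and lowercases "windows credentials".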
@@ -143,10 +142,10 @@ To increase security, the error message that is returned to the client deliberat
143142
| 18 | Password must be changed. |
144143
| 38, 46 | Couldn't find database requested by user. |
145144
| 58 | When SQL Server is set to use Windows Authentication only, and a client attempts to log in using SQL authentication. Another cause is when SIDs don't match. |
146-
| 102 - 111 | AAD failure. |
145+
| 102 - 111 | Azure AD failure. |
147146
| 122 - 124 | Failure due to empty user name or password. |
148147
| 126 | Database requested by user doesn't exist. |
149-
| 132 - 133 | AAD failure. |
148+
| 132 - 133 | Azure AD failure. |
150149

151150
Other error states exist and signify an unexpected internal processing error.
152151

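
Review bot: The two changed rows, states 102 - 111 and 132 - 133, now both read "Azure AD failure." and are still indistinguishable from each other; either merge them into one row or say what separates the two ranges. The hunk does not show where the abbreviation is introduced, so consider spelling it out once as "Azure Active Directory (Azure AD)". Unchanged, but worth a follow-up: the state 58 description starts with "When" and never completes the sentence, and states 38, 46 and 126 have near-identical descriptions.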
@@ -158,7 +157,7 @@ The error reason **An attempt to login using SQL authentication failed. Server i
158157

159158
- When SQL server is configured for mixed mode authentication, and an ODBC connection uses named pipes, and the credentials the client used to open the named pipe are used to automatically impersonate the user, and the connection string doesn't explicitly specify the use of a trusted authentication.
160159

161-
To resolve this issue, include **TRUSTED_CONNECTION = TRUE** in the connection string.
160+
To resolve this issue, include `TRUSTED_CONNECTION = TRUE` in the connection string.
162161

163162
## Examples
164163

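
Review bot: Switching `TRUSTED_CONNECTION = TRUE` from bold to code formatting signals a literal that readers will paste, so the string needs to be exactly what the driver accepts. The preceding bullet is about an ODBC connection over named pipes; confirm the keyword casing, the spaces around `=`, and the value against the ODBC connection string documentation, and write it in the form it should be typed. The context bullet also has "SQL server" where the rest of the article uses "SQL Server".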
@@ -175,4 +174,3 @@ In this example, the authentication error state is 8. This indicates that the pa
175174
## See also
176175

177176
- [0420 Reasons for Consistent Auth Issues](https://github.com/microsoft/CSS_SQL_Networking_Tools/wiki/0420-Reasons-for-Consistent-Auth-Issues)
178-
