Last night's security updates on our Windows Server 2003 R2 domain controller created a bizarre authentication scenario affecting multiple SQL Server instances (2005 through 2014). The error message claiming "untrusted domain" is particularly misleading since we only have one domain in our environment.
The authentication failures follow these specific patterns:
- Affected SQL versions: 2005, 2008, 2008R2 (2012 and 2014 remain functional)
- Failure occurs when connecting remotely from clients
- Temporary fix: running runas /user:MYDOMAIN\someuser cmd on the SQL Server host
First, let's verify the SPN configuration which is crucial for Kerberos authentication:
setspn -Q MSSQLSvc/sqlserver.mydomain.com:1433
setspn -Q MSSQLSvc/sqlserver.mydomain.com
If these return no results or incorrect entries, we need to register them properly:
setspn -A MSSQLSvc/sqlserver.mydomain.com:1433 MYDOMAIN\sqlserviceaccount
setspn -A MSSQLSvc/sqlserver.mydomain.com MYDOMAIN\sqlserviceaccount
Test basic domain connectivity with these commands:
nltest /dsgetdc:mydomain.com
ping sqlserver.mydomain.com
nslookup sqlserver.mydomain.com
This PowerShell script helps diagnose Kerberos issues:
$ErrorActionPreference = "Stop"
# KerberosRequestorSecurityToken lives in System.IdentityModel, which is not loaded by default
Add-Type -AssemblyName System.IdentityModel
try {
    # Constructing the token asks the KDC for a service ticket for the SQL Server SPN
    $ticket = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/sqlserver.mydomain.com:1433"
    Write-Host "Kerberos ticket acquired successfully for $($ticket.ServicePrincipalName)"
    klist
} catch {
    Write-Host "Kerberos ticket acquisition failed: $_"
}
For a more permanent workaround than manual runas commands, create a scheduled task that maintains the credential cache:
schtasks /create /tn "KeepSQLAuthAlive" /tr "cmd /c echo %DATE% %TIME% >> c:\temp\sql_auth_keepalive.log" /sc minute /mo 5 /ru MYDOMAIN\sqlserviceaccount /rp P@ssw0rd /rl HIGHEST
The most likely culprits among the 12 installed updates are those related to:
- Kerberos security hardening (MS15-011, MS15-014)
- Credential validation changes (MS15-027)
- NTLM restrictions (MS15-024)
Consider these architectural improvements:
- Upgrade from Windows Server 2003 R2 (end-of-life and lacking modern security protocols)
- Standardize on newer SQL Server versions (2014+) that support modern authentication
- Implement constrained delegation properly for service accounts
As a last resort, you can relax NTLM restrictions (not recommended for production):
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"NTLMMinClientSec"=dword:00000000
"NTLMMinServerSec"=dword:00000000
Remember to restart the server after making these changes and monitor security implications carefully.
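Added example, not code from the answer above: the setspn commands show what one account holds, but the failure mode that most often produces Kerberos errors with a fallback to NTLM is the same MSSQLSvc SPN registered on two accounts (typically the service account and the computer account). This script searches Active Directory for every account holding an MSSQLSvc SPN for the host and flags duplicates. It uses only System.DirectoryServices, so it runs on any domain-joined machine with PowerShell 2.0 or later; the host name sqlserver.mydomain.com is taken from the thread and is the only assumption.

```powershell
# Added example: list every AD account holding an MSSQLSvc SPN for a host,
# then flag any SPN string that appears on more than one account.
param(
    [string]$SqlHost = "sqlserver.mydomain.com"   # assumption: host name from the thread
)

function Get-SpnHolders {
    param([string]$SpnPrefix)
    # LDAP substring filter: any object with a servicePrincipalName starting with the prefix
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(servicePrincipalName=$SpnPrefix*)"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add("sAMAccountName")
    [void]$searcher.PropertiesToLoad.Add("servicePrincipalName")
    try {
        foreach ($r in $searcher.FindAll()) {
            $sam = $r.Properties["samaccountname"][0]
            # An account can carry many SPNs; keep only the ones for this host
            foreach ($spn in $r.Properties["serviceprincipalname"]) {
                if ($spn -like "$SpnPrefix*") {
                    New-Object PSObject -Property @{ Account = $sam; SPN = $spn }
                }
            }
        }
    } finally {
        $searcher.Dispose()
    }
}

$holders = @(Get-SpnHolders -SpnPrefix "MSSQLSvc/$SqlHost")
$holders | Sort-Object SPN | Format-Table Account, SPN -AutoSize

if ($holders.Count -eq 0) {
    Write-Warning "No MSSQLSvc SPN found for $SqlHost; Kerberos cannot be used and clients fall back to NTLM or fail."
}

# The dangerous case: one SPN string on more than one account.
$holders | Group-Object SPN | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $accounts = ($_.Group | ForEach-Object { $_.Account }) -join ", "
    Write-Warning ("Duplicate SPN {0} registered on: {1}" -f $_.Name, $accounts)
}
```

Run it as any domain user; reading servicePrincipalName needs no special rights. A duplicate warning means the KDC may issue a ticket encrypted with the wrong account's key, which the SQL Server service cannot decrypt, so remove the SPN from the account that does not run the service before re-registering it with setspn -A.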
When domain authentication suddenly breaks after Windows updates, it feels like the infrastructure gods are playing a cruel joke. Here's what we've observed in this environment:
- SQL Server versions 2005-2008R2 reject Windows auth with error 18452
- 2012/2014 instances work normally
- Active Directory appears healthy otherwise
- The workaround (runas sessions) points to credential caching
The key symptom - working only after credential caching - screams Kerberos delegation issues. Modern Windows updates often tweak security policies that can break legacy authentication flows.
Check your SPNs first:
setspn -L SQLSERVER$
setspn -L MYDOMAIN\sqlserviceaccount
Run this on affected SQL instances to check auth methods:
SELECT
    c.auth_scheme,          -- KERBEROS, NTLM or SQL
    s.login_name,
    c.net_transport,
    COUNT(*) AS connections
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s
    ON s.session_id = c.session_id
GROUP BY c.auth_scheme, s.login_name, c.net_transport
ORDER BY connections DESC;
For Server 2008 R2 and earlier, create this registry value:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"DisableLoopbackCheck"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"BackConnectionHostNames"=hex(7):53,00,51,00,4c,00,73,00,65,00,72,00,76,00,65,\
  00,72,00,2e,00,64,00,6f,00,6d,00,61,00,69,00,6e,00,2e,00,6c,00,6f,00,63,00,\
  61,00,6c,00,00,00,00,00
Add these SQL Server registry entries to force NTLM when Kerberos fails:
[HKEY_LOCAL_MACHINE\Software\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib]
"DisableKerberos"=dword:00000001
Run this to test authentication pathways:
$servers = "SQL2005","SQL2008","SQL2008R2"
foreach ($s in $servers) {
    try {
        # System.Data.SqlClient ships with .NET, so no extra assembly has to be loaded
        $conn = New-Object System.Data.SqlClient.SqlConnection
        $conn.ConnectionString = "Server=$s;Integrated Security=True;Connection Timeout=10"
        $conn.Open()
        # Ask the instance which scheme actually authenticated this session
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID"
        $scheme = $cmd.ExecuteScalar()
        Write-Host "SUCCESS: $s - $($conn.ServerVersion) via $scheme" -ForegroundColor Green
        $conn.Close()
    }
    catch {
        Write-Host "FAILURE: $s - $($_.Exception.Message)" -ForegroundColor Red
    }
}
For environments where you absolutely must get auth working immediately:
- Reboot the domain controller (schedule downtime)
- Run klist purge on all SQL Servers
- Restart the Kerberos Key Distribution Center service
- Recreate SPNs for all SQL instances
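Added example, not code from the answer above: error 18452 and SSPI handshake failures are written to the SQL Server ERRORLOG with the client address, so the log itself can confirm the pattern the question describes (remote clients fail, local sessions work). This function parses those lines and groups failures by client and reason. The sample log lines are constructed for the example; point the function at a real ERRORLOG with Get-Content to run it against the instance.

```powershell
# Added example: summarise Windows-authentication failures from a SQL Server ERRORLOG
# by client address and reason. The sample below is constructed, not a real log.
$sample = @'
2015-03-11 08:01:12.44 Logon       Error: 18452, Severity: 14, State: 1.
2015-03-11 08:01:12.44 Logon       Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. [CLIENT: 10.20.30.41]
2015-03-11 08:01:15.02 Logon       Error: 17806, Severity: 20, State: 14.
2015-03-11 08:01:15.02 Logon       SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. [CLIENT: 10.20.30.42]
2015-03-11 08:02:40.10 Logon       Login succeeded for user 'MYDOMAIN\appsvc'. Connection made using Windows authentication. [CLIENT: <local machine>]
2015-03-11 08:03:01.77 Logon       Error: 18452, Severity: 14, State: 1.
2015-03-11 08:03:01.77 Logon       Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. [CLIENT: 10.20.30.41]
'@

function Get-WinAuthFailures {
    param([string[]]$Lines)
    # Only the message line carries the client address; the preceding "Error: NNNNN"
    # line holds the number, so the reason is inferred from the message text.
    $pattern = '^(?<ts>\S+ \S+)\s+Logon\s+(?<msg>.*?(untrusted domain|SSPI handshake failed).*?)\[CLIENT: (?<client>[^\]]+)\]'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            New-Object PSObject -Property @{
                Time   = $Matches['ts']
                Client = $Matches['client']
                Reason = $(if ($Matches['msg'] -like '*SSPI*') { 'SSPI handshake (17806)' } else { 'Untrusted domain (18452)' })
                Local  = ($Matches['client'] -eq '<local machine>')
            }
        }
    }
}

# For a real instance: Get-WinAuthFailures -Lines (Get-Content '<path-to-ERRORLOG>')  (placeholder path)
$failures = @(Get-WinAuthFailures -Lines ($sample -split "`r?`n"))

$failures | Group-Object Client, Reason | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

$localFailures = @($failures | Where-Object { $_.Local }).Count
if ($failures.Count -gt 0 -and $localFailures -eq 0) {
    Write-Host "All $($failures.Count) failures come from remote clients, none from <local machine>: consistent with an SPN/Kerberos problem rather than a disabled login."
}
```

On the constructed sample this reports two failures from 10.20.30.41 (18452) and one from 10.20.30.42 (SSPI handshake), all remote. A real log in which the same logins also fail from the local machine would instead point at the login or the service account itself rather than at ticket acquisition.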