Allen Kinsel - SQL DBA

SQL Server, PASS, and other data mishaps

Community Choice Sessions at the PASS Summit 2010

By Allen Kinsel, 9 days ago

It's Still Alive

Yes, this blog is still alive!  I recently had some hard decisions to make with regard to what I needed to drop in order to get at least 3 hours of sleep a night.  And unfortunately for the 3 of you that read my blog, it was the blog that lost that battle.  I should be getting back in the habit of writing now that the biggest crunch time for the program committee at the PASS Summit is over.

What happened?

Short answer: The PASS Summit speaker selection process. (Program Committee Manager role)

Longer yet short answer: The PASS Summit program committee leadership position is a very involved volunteer position, taking more hours of my time than I can count (just ask my wife!!).  For the last month the 4 amigos (Jeremiah Peschka, Lori Edwards, Elena Sebastiano (PASSHQ), and myself) have been working tirelessly towards the first goal of announcing the community sessions.  With that out of the way the PASS work doesn't stop; we get to do other «fun» stuff.  Innovate with PASS if you like, because that's what we're going to try to do!!

Community Choice Sessions

I've talked about this before and I'm happy to say, after quite a bit of work in ironing out the details, it is going to be a reality.  We're in the process of building the pages, but I can already say that 20 speakers are going to get a second chance at being selected to present one of their sessions at the Summit.  In order to make this happen, we went over the Summit track selections, looking at alternates first, then other sessions that were ranked highly by the review teams.  We collected 20 sessions that we thought could fill in gaps in the educational offering, or that we thought deserved another look.  Essentially, we took the work the selection teams did and distilled it down to give the community 5 session choices in each of 4 different groups.

We split up the sessions into 4 groups, 1 each for the tracks AD/BI/DBA and then added a fourth as a sort of menagerie containing sessions across all 4 tracks.  We plan on using the «PASS voting booth» to facilitate the voting in each category, so each «registered PASS Member» will have a vote for a session in each of the categories.  At the end of the voting period, the session in each category that has the most votes will be confirmed & put in the lineup to be presented at the 2010 PASS Summit in Nov.

Next week we should have all of the details finalized and I'll write more about it then, but for now be on the lookout for an email from PASS with more details about how you can help directly shape the sessions at the 2010 Summit.

SQL Server and SSPI handshake failed error hell

By Allen Kinsel, 1 month and 13 days ago

The infamous SSPI Failed error strikes again!

One of our SQL servers was generating these errors for «some» Windows logins but not all.

Error: 17806, Severity: 20, State: 2.

SSPI handshake failed with error code 0x8009030c while establishing a connection with integrated security; the connection has been closed. [CLIENT: 192.168.1.1]

Error: 18452, Severity: 14, State: 1.

Login failed for user ''. The user is not associated with a trusted SQL Server connection. [CLIENT: 192.168.1.1]

After exhausting all of the normal troubleshooting for this error (accounts locked, disabled, SQL service accounts, bad connection strings, SPNs, etc.) I spent the next few hours learning more about the way SQL handles authentication requests than I had ever wanted to know.

The Scenario –

A couple of separate individual Windows IDs started generating these errors while attempting connections; all other Windows logins were working properly. The connections were initially happening through applications, but the errors also occurred through sqlcmd. When logged in to the server locally with the offending IDs, the connections to SQL would succeed.

The Troubleshooting process –

Check all the regular SSPI issues. I won't bore you with the details as they are easily searchable.

  • A relatively easy way of checking the «easy» authentication issues, if possible/appropriate, is to log into the SQL Server locally with the offending ID, fire up sqlcmd, and connect to the server via sqlcmd -Sservername,port -E  (by specifying the port you force TCP/IP instead of LPC, thereby forcing the network into the equation)

Verify whether the login is trying to use NTLM or Kerberos (there are many ways to do this, but the simplest is to see if there are any other KERBEROS connections on the machine)

  • SELECT DISTINCT auth_scheme FROM sys.dm_exec_connections
  • If Kerberos is in use, there are a few additional things to verify related to SPNs; since only NTLM was in use on this server I skipped that

Determine whether the accounts were excluded from connecting to the machine over the network by a group policy or some other AD setting

After all of these checked out OK, I began to try to figure out what the error code 0x8009030c meant. It turns out the description is fairly obvious: SEC_E_LOGON_DENIED.  This description was so helpful I thought about making this server into a boat anchor but, luckily for my employer, the server room is located many miles away and has armed guards.

Since I knew we could log on locally to the SQL Server with the ID that SQL was rejecting with logon denied, something else was trying to make my life miserable.

We didn't have logon failure security auditing turned on, so I had no way of getting a better error description. As luck would have it, though, this would prove instrumental in finding the root cause. To get a better error message, I found this handy KB article detailing the steps needed to put Netlogon into debug mode.

Say hello to my new best friend!  -- nltest.exe

After downloading nltest & using it to enable netlogon debugging on the SQL Server, I got this slightly better message in the netlogon.log file

06/15 14:15:39 [LOGON] SamLogon: Network logon of DOMAIN\USER from Laptop Entered

06/15 14:15:39 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000064)

06/15 14:15:39 [LOGON] SamLogon: Network logon of DOMAIN\USER from Laptop Returns 0xC0000064

The error code 0xC0000064 maps to «NO_SUCH_USER»
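When netlogon.log runs to more than a handful of lines, the same lookup can be scripted. The following is an added example, not part of the original post: it parses SamLogon result lines in the format shown above and counts failures per account, using a small table of standard NTSTATUS values; the last three sample lines are constructed.

```python
import re
from collections import Counter

# Standard NTSTATUS values that show up in Netlogon SamLogon results.
NTSTATUS = {
    0xC000005E: "STATUS_NO_LOGON_SERVERS",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Matches the "Returns" lines shown in the post; a "(via HOST)" part is tolerated.
RETURNS = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\].*?SamLogon: "
    r"\w+ logon of (?P<account>\S+) from (?P<client>\S+)"
    r"(?: \(via \S+\))? Returns (?P<code>0x[0-9A-Fa-f]+)\s*$"
)

def parse_failures(lines):
    """Return one dict per SamLogon result whose status is not success."""
    failures = []
    for line in lines:
        m = RETURNS.match(line.strip())
        if not m or int(m.group("code"), 16) == 0:
            continue  # not a SamLogon result line, or a successful logon
        code = int(m.group("code"), 16)
        failures.append({
            "time": m.group("ts"), "account": m.group("account"),
            "client": m.group("client"), "status": NTSTATUS.get(code, f"0x{code:08X}"),
        })
    return failures

def summarize(failures):
    """Count failures per (account, status) so repeat offenders stand out."""
    return Counter((f["account"], f["status"]) for f in failures)

# First three lines are from the post; the last three are constructed.
SAMPLE = r"""
06/15 14:15:39 [LOGON] SamLogon: Network logon of DOMAIN\USER from Laptop Entered
06/15 14:15:39 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000064)
06/15 14:15:39 [LOGON] SamLogon: Network logon of DOMAIN\USER from Laptop Returns 0xC0000064
06/15 14:15:41 [LOGON] SamLogon: Network logon of DOMAIN\svc_app from APPSRV1 Returns 0x0
06/15 14:16:02 [LOGON] SamLogon: Network logon of DOMAIN\USER from Laptop Returns 0xC0000064
06/15 14:16:10 [LOGON] SamLogon: Network logon of DOMAIN\other from WKS7 Returns 0xC000006A
""".splitlines()
```

Calling summarize(parse_failures(SAMPLE)) gives a per-account count; a single account failing repeatedly with STATUS_NO_SUCH_USER while others succeed is the pattern described in this post.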

Since I was currently logged in to the server with the ID that was returning no such user, something else was obviously wrong, and luckily at this point I knew it wasn't SQL.

Running «set log» on the server revealed that a local DC (call it DC1) was servicing the local logon request.

After asking our AD guys about DC1 and its synchronization status, as well as whether the user actually existed there, everything still looked OK.

After looking around a bit more, I discovered this gem of a command for nltest to determine which DC will handle a logon request:

C:\>nltest /whowill:Domain Account

[16:32:45] Mail message 0 sent successfully (\MAILSLOT\NET\GETDC579)
[16:32:45] Response 0: DC2 D:Domain A:Account (Act found)
The command completed successfully

Even though this command returned «Act found», it was returning from DC2.  (I don't exactly understand why the same account would authenticate against 2 different DCs based on a local desktop login or a SQL login, but it apparently can.)

After asking the AD guys about DC2, the light bulbs apparently went off for them, as that server actually exists behind a different set of firewalls, in a totally different location. While DC2 would return a ping, the console wouldn't allow logons for some reason. After a quick reboot of DC2, and some magic AD pixie dust (I am not an AD admin, if it wasn't totally obvious from my newfound friend nltest), the Windows IDs that were having trouble started authenticating against DC3 and our SSPI errors went away.

Interesting tidbit -- During troubleshooting, I found that this particular SQL Server was authenticating accounts against at least 5 different DCs. Some of this might be expected since there are different domains at play, but I haven't heard a final answer from the AD guys about whether it should work that way.

The solution

Reboot the misbehaving DC. Of course, there may be other ways to fix this by redirecting requests to a different DC without a reboot, but since it was misbehaving anyway and the AD experts wanted to reboot, we went with that. A reboot of SQL would likely have solved this problem too, but I hate reboot fixes of issues; they always seem to come back!

SQL Saturday 35 Recap

By Allen Kinsel, 2 months and 4 days ago

I made my way to Dallas to take part in the SQL Saturday #35 that the NTSSUG was sponsoring.  After reading the excellent reviews from Jonathan Gardner, AJ Mendo, and Bill Fellows, I thought I'd keep this very short and say «I concur!»  --Profound, ain't it?

OK, I'll dig a little deeper--

I saw some great sessions, met some great people, and caught up with some old friends.  All in all, a great way to spend a Saturday!

Having had more than a little experience with putting on large SQL events, I think the volunteers and organizers of the event really need to pat themselves on the back; they pulled off a wonderful event and did it with style.  In my opinion, one of the best measures of success when trying to tell how well an event «worked» is to gauge what the event looked like to a normal attendee.  By that measure I'd say that even the toughest critic would say it was a resounding success.  Everything looked buttery smooth, and this «normal attendee» didn't see any obvious distractions.  The SQL Saturday model appears to be maturing at a very rapid pace, and this is excellent news!  In talking with the organizers at the after party, they were relaying some of their more interesting challenges. I'm not sure I said it at the time (maybe too many beers??) so I'll repeat it here for posterity: I hope the organizers aren't too hard on themselves, because no matter what level of prep, thought, or organization you put into an event, something is ALWAYS going to slip through the cracks and/or not work quite as expected.  How these «challenges» opportunities are handled is what separates the average from the great, and in this case everything was great.

1 general observation I do have –> The after party of the event was, as usual, one of the great benefits of this event, and I made plenty of contacts with others at Humperdinks. While it was obvious that a few of the speakers and most of the volunteers showed up, I suspect I was one of fewer than 10 «regular» attendees that attended.  This is a tragic situation, and increasing participation is something that we in the SQL Community need to figure out.  The information and contact info gained from the social pieces of community events is an aspect that most attendees are obviously overlooking.  I've often wondered if it was apathy or just lack of communication about these events, and this time it was obviously not communication. It was pretty tough for anyone to overlook the after party event at #sqlsat35; I saw the after party mentioned in at least 3 different places in the guide book, not to mention verbally at the closing reception.  I'm not sure how we can encourage people to attend these events, but they are a core part of the «connect» piece of the equation.

I'll be attending SQL Saturday 35

By Allen Kinsel, 2 months and 12 days ago

I'm happy that I finally figured out how to clear my schedule enough to get to Dallas and soak up some free SQL Server training.

If you happen to be at the SQL Saturday #35 in Dallas this weekend, please introduce yourself.  I'll be there and, as always, wearing my (ugly) green SQLPASS 2006 laptop bag.

I really wish PASS still gave out real laptop bags; you'd be surprised how many people will stop and ask you about it if they're SQL Server related.  It's too bad they decided to do away with this ice-breaking networking tool in favor of a 1 time use, throw-it-in-the-trash poly bag.

I'm excited that I'll finally be able to experience a SQL Saturday firsthand.  Sure, it's about a 6ish hour drive, but I'm sure the experience will be worth it.  Not to mention being able to catch up with a few friends who I've spied on the attendance list.

Expect a post after the event with my first SQL Saturday impressions.

Special Houston Area SQL Server group meeting

By Allen Kinsel, 2 months and 13 days ago

Want to learn SQL from a master (or even better, a pair of masters)?  Have a free evening?  Live within a reasonable drive of Houston?  You won't want to miss this presentation.  Over the years I've had the opportunity to listen to hundreds of different SQL speakers, and 2 people who would make my short list of «don't miss presenters» happen to be presenting at a HASSUG meeting this month.

If you're not in Houston, I'd recommend using the LiveMeeting link!!

The following info is from the http://houston.sqlpass.org site

Special Evening Meeting in THE WOODLANDS!

When: Tuesday, May 18, 2010 – 6:30pm-8:30pm

Where: Woodforest National Bank

25231 Grogans Mill, Suite 550
The Woodlands, TX 77380

Topic: Essential Database Maintenance

Presenters: Kimberly Tripp & Paul Randal, SQLSkills

LiveMeeting Link for May 18 presentation –

https://www.livemeeting.com/cc/usergroups/join?id=HASSUG_WOODLANDS&role=attend

Online portion of meeting to begin at 7pm

Conference Call for audio – 1-888-320-3585 (passcode 76027128)
