We have multiple IIS web applications running on multiple web servers that connect to a SQL Server on a separate machine on the same domain.

Everything was running smoothly for over a year, then we had some major network issues. There was a problem with the replication between the primary and secondary domain controllers. There was an issue with Distributed File System services, Event ID 14530 ("DFS could not access its private data from the Active Directory.").

We got the network issues sorted out apparently, except now, none of the IIS web applications can connect to the SQL Server. We are using Windows Authentication. The error message is "Login failed. The login is from an untrusted domain and cannot be used with Windows authentication." This is weird because we have verified that both the web servers and the SQL Server are in fact on the domain.

To make things weirder, the Network Admin removed the SQL Server from the domain and rejoined it, and the websites worked again... but only for a few minutes. Then the same error started occurring again!

The Network Admin and I have been working on this issue for several days. Any ideas would be appreciated.

Edit:

We can connect using SSMS. Also, applications that do not use IIS can connect. For example, we have a developer with some Fox and Cloud applications that use connection strings that can connect.

We have tried removing and re-adding the web servers to the domain.

The errors in the SQL Server log are as follows:

Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.

Error: 18452, Severity: 14, State: 1.

SSPI handshake failed with error code 0x80090311 while establishing a connection with integrated security; the connection has been closed.

Error: 17806, Severity: 20, State: 2.

Edit 2:

The system log on one of the web servers contained this error this morning:

This computer could not authenticate with [domain controller], a Windows domain controller for domain [domain name], and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.

Edit 3:

I have tried pretty much everything suggested in this thread, including making sure the user was not locked out, the password was not expired, and the hosts file did not contain an invalid entry for localhost.

  • Here is what I would do: using SQL client (management Studio), verify that you can connect to SQL server using windows authentication. If it works, remove and rejoin one web server to the domain and see if that resolves the issue for that particular web server. Check Windows logs for any errors on the web server. – Vasya May 16 '19 at 14:46
  • @Vasya Thank you. I have edited my question accordingly. – Johnny Tisdale May 16 '19 at 15:00
  • @Vasya I added another edit with an error from the log of the web server. – Johnny Tisdale May 16 '19 at 15:09
  • Next, verify that web server is connected to a domain. Can you access network shares from the web server? Is time on the web server correct? How are web applications setup? Try using SQL logon in web app and see if that works. When you remove web server from the domain, do you also delete computer account in AD? – Vasya May 16 '19 at 15:55
  • Did you check if the service account password is not expired? Check also https://stackoverflow.com/questions/546746/sql-server-2008-windows-auth-login-error-the-login-is-from-an-untrusted-domain – Piotr Palka May 16 '19 at 16:30
  • @Vasya The web server is in fact connected to the domain. I can access web shares from the web server. The time on the web server is correct. Web applications are PHP. They connect to SQL using Windows authentication. My applications specify the user credentials in IIS and the database info in Laravel configuration files. Another developer's application connects using `sqlsrv` functions. When the Network Admin removed computers from the domain, he did not also delete them in AD. Should he have? – Johnny Tisdale May 16 '19 at 16:38
  • @Piotr Yes, I've tried pretty much everything suggested in that thread. – Johnny Tisdale May 16 '19 at 16:49
  • @dreadfulabyss: yes, computer account needs to be deleted from AD before re-joining domain to avoid conflicts. I would do this for both SQL server and web server. – Vasya May 16 '19 at 16:54
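
As an added diagnostic example, not code from the question or any of the comments, the following PowerShell script walks the checks the thread raises on one IIS web server in a single pass: the machine's secure channel to the domain (the System-log message "the password for this computer account is not recognized" is exactly what `Test-ComputerSecureChannel` reports on), time skew against the SQL host, the `MSSQLSvc` SPNs, the Kerberos tickets held by the current identity, and a real integrated-security connection that asks SQL Server which authentication scheme it actually negotiated. The host name `sqlhost`, the domain `CONTOSO` and the repair credential are placeholders; the `-Server` loop assumes you can list your domain controllers, which matters here because the thread describes broken replication between the primary and secondary DC, so the secure channel may test fine against one DC and fail against the other.

```powershell
# Added diagnostic example for the thread above; not from the original post.
# Run in an elevated Windows PowerShell session on the affected web server, as
# the identity the application pool runs under. 'sqlhost', 'CONTOSO' and the
# DC list are placeholders: substitute your own.
param(
    [string]$SqlHost = 'sqlhost',
    [string]$Domain  = 'CONTOSO',
    [string[]]$DomainControllers = @('dc1.contoso.local', 'dc2.contoso.local')
)

# 1. Secure channel. A false result here means the machine account password on
#    this box no longer matches AD; every Kerberos and NTLM logon from this
#    machine will fail until it is repaired. Test against each DC separately
#    because the thread describes broken replication between them.
$channelOk = $true
foreach ($dc in $DomainControllers) {
    $ok = Test-ComputerSecureChannel -Server $dc
    "Secure channel via ${dc}: $ok"
    if (-not $ok) { $channelOk = $false }
}
nltest /sc_query:$Domain

# 2. Time skew. Kerberos tolerates 5 minutes by default; beyond that the SSPI
#    handshake fails with the same 0x80090311 the SQL log shows.
w32tm /stripchart /computer:$SqlHost /samples:3 /dataonly

# 3. SPNs. A missing or duplicate MSSQLSvc SPN makes the client fall back to
#    NTLM; if the secure channel is also broken, NTLM fails as well.
setspn -Q "MSSQLSvc/$SqlHost*"

# 4. Kerberos tickets currently held by this identity.
klist

# 5. Integrated-security connection, reporting what SQL Server negotiated.
#    Uses the System.Data.SqlClient provider that ships with the .NET Framework.
$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$SqlHost;Database=master;Integrated Security=SSPI;Connect Timeout=10"
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT auth_scheme, net_transport FROM sys.dm_exec_connections WHERE session_id = @@SPID"
    $rdr = $cmd.ExecuteReader()
    while ($rdr.Read()) {
        "Connected as $env:USERDOMAIN\$env:USERNAME auth_scheme=$($rdr['auth_scheme']) transport=$($rdr['net_transport'])"
    }
    $rdr.Close()
} catch {
    "Integrated login failed: $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}

# 6. Repair the secure channel in place if it is broken. This resets the machine
#    account password both locally and in AD without leaving and rejoining the
#    domain, so it does not create the duplicate computer-account conflict the
#    comments warn about. Requires an account allowed to reset the computer
#    object; the credential prompt below is a placeholder.
if (-not $channelOk) {
    Test-ComputerSecureChannel -Repair -Credential (Get-Credential "$Domain\Administrator")
}
```

If step 1 passes on one DC and fails on another, the machine account password has been reset on one side only and is not replicating; that also matches the symptom of a rejoin working for a few minutes and then failing once a client is pointed at the other DC. If `auth_scheme` comes back as `NTLM` rather than `KERBEROS` for a domain account, look at the SPN output from step 3 before anything else.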
