This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 20%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Hello,
We are experiencing random authentication issues between applications and SQL that are members of AAD DS managed domain.
Environment:
Issue Description:
All application servers experience connection issues to SQL server with same messages simultaneously:
System.Data.Entity.Core.EntityException: The underlying provider failed on Open. ---> System.Data.SqlClient.SqlException: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
System.Data.SqlClient.SqlException: System.Data.SqlClient.SqlException: Connection Timeout Expired. The timeout period elapsed during the post-login phase. The connection could have timed out while waiting for server to complete the login process and respond
At same time we see following errors on SQL server:
Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
SSPI handshake failed with error code 0x80090304, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The operating system error code indicates the cause of failure. The Local Security Authority cannot be contacted
The issue duration is about 10-30 seconds and after that everything works as usual.
There are no performance issues during the issue on SQL or Application servers.
It looks like such messages can be logged at time of domain controller unavailability, it is probably related to DCs reboot and/or patching, or host maintenance. Here is a similar issue related to domain controller unavailability with the same messages logged: https://www.sqlservercentral.com/forums/topic/sspi-handshake-failed-error-when-one-of-several-domain-controllers-is-restarted
How can we check AAD DS or hosts servers logs to check if the time is matched to connection issues? Or can it be related to AAD to AAD DS sync process?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Based on this answer from Stack Overflow, it looks like others were able to resolve this by getting rid of Integrated Security=true.
Hi @MarileeTurscak, thanks for your answer, but the issue from StackOverflow is not related, because it is about non-domain computers. In my case, both Application and SQL are members of the same domain and integrated security woks fine all the time except these random issues (10-30 seconds once a day or once a week) when the App and/or SQL cannot connect to the directory service.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 70%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED3%3C/text%3E%3C/svg%3E)
Hi,
We have exactly the same issue since months:
Has anyone run into the same problem and could solve it?
Any help is much appreciated!
Thanks!
Hi Dominik,
We have set a watchdog pinger script to ping our AAD DS domain controllers. We were able to find a correlation with DCs unavailability. That issue also reproduced around same time every months. We made an assumption that the issue is related to DCs or hosts maintenance.
We also discussed that topic with Azure architect, and he explained us that this is just because of the way how AAD DS is designed and also related to the cloud network design, and something specific to broadcast as far as I remember.
We have tried some interesting solutions like load balancer between DCs and other machines, but it didn't help.
Eventually, after a year of working on that ticket, Azure resolved this issue as unsupported configuration. There was nothing like that in documentation and I asked to add a note. After some time documentation was updated and there now a note that AAD DS is not supported with SQL on Azure VM.
As a solution, we switched to SQL authentication for application service accounts. Users and groups are still using domain accounts as these issues are intermittent and do not block ad-hoc activity.
Sergey
Hi Sergey,
Thanks a lot for your answer and coming back to this!
AAD may be the only component differentiate from our case, because we don't use AAD.
Unfortunately SQL authentication is not an option for us now.
We also tried a lot of things until now and deeply analysed our DCs but without success so far.
If we will ever find out the root cause I will post it here.
Regards, Dominik
Hi Dominik,
Ok, so you have your own DCs. At least you can access your logs. In our case DCs are managed by Azure and we were not able to check logs and confirm restart or maintenance time.
Do you host your infrastructure in Azure? I would dig into network and DCs availability in your case.
Sergey