Error 15404 is a critical SQL Server error. Admins responsible for maintaining the SQL Server instance must act quickly to fix it. In this article, learn what SQL Server error 15404 means and how you can fix it.
What is the SQL Server Error 15404?
This error usually surfaces when an invalid principal is specified. You may also get it when impersonation of, or context switching to, a particular Windows account fails. This happens because there is no full trust relationship between the domain with which the Windows account is associated and the SQL Server service account.
One real-life example where admins get the 15404 error is when they run a T-SQL statement that requires a high level of privilege, such as sp_addsrvrolemember or CREATE LOGIN.
When you run such a statement, the CREATE LOGIN query needs to check permission. The first check fails and the current permission is invalidated, and then the permission check is executed again. During the permission check, SQL Server goes through the mssql.keytab file to get the MSA key or the machine entry key. You can see this sequence in PALLOG, where you're likely to find messages like the following:
```
03/12/2022 12:36:56.448761588 Debug [security.kerberos] <0000040947/0x00000200> Processing SSPI operation 0x0000000F
03/12/2022 12:36:56.439366379 Error [security.ldap] <0000040947/0x00000200> Initializing credentials for use in new cache failed: Keytab contains no suitable keys for [email protected]
03/12/2022 12:36:56.439613575 Debug [security.kerberos] <0000040947/0x00000200> Import name [[email protected]] returned [[email protected]]
03/12/2022 12:36:56.439633375 Debug [security.kerberos] <0000040947/0x00000200> Import name [red4$] returned [red4$]
03/12/2022 12:36:56.439753473 Debug [security.kerberos] <0000040947/0x00000200> Import name [RED4$] returned [RED4$]
03/12/2022 12:36:56.439905471 Debug [security.kerberos] <0000040947/0x00000200> Import name [red4$] returned [red4$]
03/12/2022 12:36:56.440014469 Error [security.kerberos] <0000040947/0x00000200> GSS MAJOR: 851968 GSS MINOR: 39756033 Error acquiring credentials in AcquireCredCaseInsensitive
03/12/2022 12:36:56.440029069 Error [security.kerberos] <0000040947/0x00000200> Unspecified GSS failure. Minor code may provide more information
03/12/2022 12:36:56.440039869 Error [security.kerberos] <0000040947/0x00000200> No key table entry found for [email protected]
03/12/2022 12:36:56.440053069 Debug [security.kerberos] <0000040947/0x00000200> SSPI operation 0x0000000F returned status: KerberosStream.cpp:2021 Operation unsuccessful
03/12/2022 12:36:56.440119868 Debug [security.kerberos.libos] <0000040961/0x0000020c> GetSecContextByUserABI() return value: 0x80090304
03/12/2022 12:36:56.468617991 Debug [security.kerberos.libos] <0000040961/0x0000020c> QueryContextAttributes() return value: 0x00000000
03/12/2022 12:36:56.468748289 Debug [security.kerberos.libos] <0000040961/0x0000020c> QueryContextAttributes() return value: 0x00000000
03/12/2022 13:56:26.489370580 Debug [security.kerberos.libos] <0000040961/0x0000020c> LookupAccountSid() return value: 0x00000001
```
If PALLOG is disabled, enable it manually. Create the /var/opt/mssql/logger.ini file and add the following content to it:

```
[Output:sql]
type=File
filename=/var/opt/mssql/log/pallog.txt
[Logger:security]
level=debug
outputs=sql
```
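To triage a PALLOG capture like the excerpt above, the following added example (not from the original article or from Microsoft) pulls out the principals that the keytab has no keys for and decodes the GSS major status. The sample lines, the principal sqlhost$@EXAMPLE.TEST and the function name triage are constructed for illustration.

```python
import re

# PALLOG record layout as in the excerpt: date time level [component] <thread> message
LINE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4}) (\d{2}:\d{2}:\d{2}\.\d+) (\w+) \[([\w.]+)\] <([^>]+)> (.*)$")
# The two messages in the excerpt that name a principal with no usable keytab entry
KEYTAB_MISS_RE = re.compile(
    r"(?:Keytab contains no suitable keys for|No key table entry found for) (.+)$")
GSS_MAJOR_RE = re.compile(r"GSS MAJOR: (\d+)")
GSS_S_FAILURE = 13  # RFC 2744 routine error: unspecified failure, see minor status


def triage(lines):
    """Summarise keytab-related failures in an iterable of PALLOG lines."""
    report = {"errors": 0, "missing_principals": [], "gss_failure": False}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m or m.group(3) != "Error":
            continue  # skip Debug lines and anything that is not a PALLOG record
        report["errors"] += 1
        msg = m.group(6)
        miss = KEYTAB_MISS_RE.search(msg)
        if miss and miss.group(1) not in report["missing_principals"]:
            report["missing_principals"].append(miss.group(1))
        major = GSS_MAJOR_RE.search(msg)
        # RFC 2744 keeps the routine error in bits 16-23 of the major status
        if major and (int(major.group(1)) >> 16) & 0xFF == GSS_S_FAILURE:
            report["gss_failure"] = True
    return report


# Constructed sample in the same layout; the principal is a placeholder
SAMPLE = """\
03/12/2022 12:36:56.439366379 Error [security.ldap] <0000040947/0x00000200> Initializing credentials for use in new cache failed: Keytab contains no suitable keys for sqlhost$@EXAMPLE.TEST
03/12/2022 12:36:56.439633375 Debug [security.kerberos] <0000040947/0x00000200> Import name [sqlhost$] returned [sqlhost$]
03/12/2022 12:36:56.440014469 Error [security.kerberos] <0000040947/0x00000200> GSS MAJOR: 851968 GSS MINOR: 39756033 Error acquiring credentials in AcquireCredCaseInsensitive
03/12/2022 12:36:56.440039869 Error [security.kerberos] <0000040947/0x00000200> No key table entry found for sqlhost$@EXAMPLE.TEST
""".splitlines()

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A non-empty missing_principals list together with gss_failure set points at the keytab rather than at the T-SQL statement itself.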
If the server can't find any key in the keytab, it returns an error.
When you're faced with this error, here are the things you need to do:
- Use an account from the exact Windows user domain to connect to the SQL Server services
- Make sure that machine accounts such as Local System that SQL Server might be using are trusted by the Windows user domain
- Use a SQL Server account instead of others