SQL Server on EC2 - Cannot use SQL Server auth in SSMS

0

On a SQL Server on Windows EC2 instance, logging in to SSMS fails silently when using a SQL Server account (sa, usually) when I am logged into RDP using my domain account. The dialog box just goes away but there is no connection shown in Object Explorer (and there are no new entries in any of the Windows Event Logs).

The problem does not exist when:

  • I use Windows Authentication to log in to SSMS.
  • OR when I'm logged into RDP using a local Windows account.
  • OR when I launch SSMS using a local Windows account - this is my current workaround

Additional details:

  1. My workstation is a Mac (and I'm using "Microsoft Remote Desktop" to connect to the RDP session).

  2. My account is in a "trusted" domain with rights in more than one domain. The SQL Server resides in a domain that trusts the domain where my user account resides.

  3. My account is not a domain administrator

  4. My account is a local administrator on the machine, inheriting its rights as follows:

    • My user account is a member of a group (in the trusted domain) called "SQLAdmins.TrustedDomain.net" (not what it's really called, but you get the point)

    • The computer is in an OU (in the trusting domain) called "SQLServers.TrustingDomain1.net"

    • Members of "SQLAdmins.TrustedDomain.net" are local administrators of servers in the "SQLServers.TrustingDomain1.net" OU.

    • I am able to perform any "administrative" task I've tried (create accounts, grant local administrator membership, etc) when logged in with my account.

  5. This problem exists on all servers I've tried. Windows Enterprise Edtn 2012R2 running SQL Server Enterprise Edtn. 2014 and Windows 2016 Enterprise Edtn. running SQL Server 2016 Enterprise Edtn. Also tried with Developer Edition - same issue.

  6. I can't say if these details are relevant, so I've set #6 and #7 of this list apart from the others. I also can't install SQL Server (command line nor GUI) with the domain account, but I can with the local account. Setup fails early - setup log containing the error (containing some redactions) posted below - citing delegation (maybe it means "impersonation"? - I can't think of how/why it'd be hitting another server to need "delegation"...)

  7. Our security folks don't like "Unconstrained delegation", though I can't say "specifically why" or "how much" it's frowned upon - honestly, I haven't learned "constrained delegation" yet. :-)

Any ideas what this might be? This problem seems like it should be very "google-able", but I've been unable to get anywhere with it.

Here is the setup log (failing) when I try to use my domain account to install SQL Server. Again, I'm not sure if this problem is related to the SSMS login problem I'm asking about.

Overall summary:
 Final result: Failed: see details below
 Exit code (Decimal): -2068774911
 Exit facility code: 1201
 Exit error code: 1
 Exit message: There was an error generating the XML document.
 Start time: 2018-09-20 20:04:48
 End time: 2018-09-20 20:05:11
 Requested action: Install
 Exception help link: http://go.microsoft.com/fwlink?LinkId=20476&ProdName=Microsoft+SQL+Server&EvtSrc=setup.rll&EvtID=50000&ProdVer=13.0.4001.0&EvtType=0xE0C083E6%400xB2215DAC&EvtType=0xE0C083E6%400xB2215DAC

Setup completed with required actions for features.
Troubleshooting information for those features:
 Next step for SQLEngine: SQL Server Setup was canceled before completing the operation. Try the setup process again.
 Next step for Replication: SQL Server Setup was canceled before completing the operation. Try the setup process again.
 Next step for Conn: SQL Server Setup was canceled before completing the operation. Try the setup process again.
 Next step for Writer: SQL Server Setup was canceled before completing the operation. Try the setup process again.
 Next step for Browser: SQL Server Setup was canceled before completing the operation. Try the setup process again.


Machine Properties:
 Machine name: EC2AMAZ-#######
 Machine processor count: 2
 OS version: Microsoft Windows Server 2016 Datacenter (10.0.14393)
 OS service pack:
 OS region: United States
 OS language: English (United States)
 OS architecture: x64
 Process architecture: 64 Bit
 OS clustered: No

Product features discovered:
 Product Instance Instance ID Feature  Language Edition Version Clustered Configured
 SQL Server 2016  SSMS  1033  13.0.16106.4 No Yes
 SQL Server 2016  Adv_SSMS  1033  13.0.16106.4 No Yes
 SQL Server 2016  Integration Services 1033 Enterprise Edition: Core-based Licensing 13.1.4001.0 No Yes

Package properties:
 Description: Microsoft SQL Server 2016
 ProductName: SQL Server 2016
 Type: RTM
 Version: 13
 Installation location: E:\x64\setup\
 Installation edition: Enterprise Edition: Core-based Licensing

 Slipstream: True
 SP Level 1

Product Update Status:
 Success: KB 3182545

Product Updates Selected for Installation:
 Title: Microsoft SQL Server 2016 with SP1
 Knowledge Based Article: KB 3182545
 Version: 13.1.4001.0
 Architecture: x64
 Language: 1033

 Update Source: Slipstream


User Input Settings:
 ACTION: Install
 ADDCURRENTUSERASSQLADMIN: false
 AGTSVCACCOUNT: TrustingDomain1\sql.agent
 AGTSVCPASSWORD: *****
 AGTSVCSTARTUPTYPE: Automatic
 ASBACKUPDIR: Backup
 ASCOLLATION: Latin1_General_CI_AS
 ASCONFIGDIR: Config
 ASDATADIR: Data
 ASLOGDIR: Log
 ASPROVIDERMSOLAP: 1
 ASSERVERMODE: MULTIDIMENSIONAL
 ASSVCACCOUNT: <empty>
 ASSVCPASSWORD: <empty>
 ASSVCSTARTUPTYPE: Automatic
 ASSYSADMINACCOUNTS: <empty>
 ASTELSVCACCT: <empty>
 ASTELSVCPASSWORD: <empty>
 ASTELSVCSTARTUPTYPE: 0
 ASTEMPDIR: Temp
 BROWSERSVCSTARTUPTYPE: Disabled
 CLTCTLRNAME: <empty>
 CLTRESULTDIR: <empty>
 CLTSTARTUPTYPE: 0
 CLTSVCACCOUNT: <empty>
 CLTSVCPASSWORD: <empty>
 CLTWORKINGDIR: <empty>
 COMMFABRICENCRYPTION: 0
 COMMFABRICNETWORKLEVEL: 0
 COMMFABRICPORT: 0
 CONFIGURATIONFILE: C:\SetupScripts\ConfigurationFile.ini
 CTLRSTARTUPTYPE: 0
 CTLRSVCACCOUNT: <empty>
 CTLRSVCPASSWORD: <empty>
 CTLRUSERS: <empty>
 ENABLERANU: false
 ENU: true
 EXTSVCACCOUNT: NT Service\MSSQLLaunchpad
 EXTSVCPASSWORD: <empty>
 FEATURES: SQLENGINE, REPLICATION, CONN
 FILESTREAMLEVEL: 0
 FILESTREAMSHARENAME: <empty>
 FTSVCACCOUNT: <empty>
 FTSVCPASSWORD: <empty>
 HELP: false
 IACCEPTROPENLICENSETERMS: true
 INDICATEPROGRESS: false
 INSTALLSHAREDDIR: C:\Program Files\Microsoft SQL Server\
 INSTALLSHAREDWOWDIR: C:\Program Files (x86)\Microsoft SQL Server\
 INSTALLSQLDATADIR: I:\MSSQL\Data
 INSTANCEDIR: C:\Program Files\Microsoft SQL Server
 INSTANCEID: MSSQLSERVER
 INSTANCENAME: MSSQLSERVER
 ISSVCACCOUNT: NT Service\MsDtsServer130
 ISSVCPASSWORD: <empty>
 ISSVCSTARTUPTYPE: Automatic
 ISTELSVCACCT: <empty>
 ISTELSVCPASSWORD: <empty>
 ISTELSVCSTARTUPTYPE: 0
 MATRIXCMBRICKCOMMPORT: 0
 MATRIXCMSERVERNAME: <empty>
 MATRIXNAME: <empty>
 MRCACHEDIRECTORY:
 NPENABLED: 0
 PBDMSSVCACCOUNT: <empty>
 PBDMSSVCPASSWORD: <empty>
 PBDMSSVCSTARTUPTYPE: 0
 PBENGSVCACCOUNT: <empty>
 PBENGSVCPASSWORD: <empty>
 PBENGSVCSTARTUPTYPE: 0
 PBPORTRANGE: <empty>
 PBSCALEOUT: false
 PID: *****
 QUIET: false
 QUIETSIMPLE: true
 ROLE:
 RSINSTALLMODE: DefaultNativeMode
 RSSHPINSTALLMODE: DefaultSharePointMode
 RSSVCACCOUNT: <empty>
 RSSVCPASSWORD: <empty>
 RSSVCSTARTUPTYPE: Automatic
 SAPWD: *****
 SECURITYMODE: SQL
 SQLBACKUPDIR: P:\Backups
 SQLCOLLATION: SQL_Latin1_General_CP1_CI_AS
 SQLSVCACCOUNT: TrustingDomain1\sql.service
 SQLSVCINSTANTFILEINIT: true
 SQLSVCPASSWORD: *****
 SQLSVCSTARTUPTYPE: Automatic
 SQLSYSADMINACCOUNTS: TrustedDomain\SQLAdmins
 SQLTELSVCACCT: NT Service\SQLTELEMETRY
 SQLTELSVCPASSWORD: <empty>
 SQLTELSVCSTARTUPTYPE: Automatic
 SQLTEMPDBDIR: I:\MSSQL\TempDB
 SQLTEMPDBFILECOUNT: 8
 SQLTEMPDBFILEGROWTH: 256
 SQLTEMPDBFILESIZE: 512
 SQLTEMPDBLOGDIR: F:\User Logs
 SQLTEMPDBLOGFILEGROWTH: 128
 SQLTEMPDBLOGFILESIZE: 512
 SQLUSERDBDIR: D:\User Data
 SQLUSERDBLOGDIR: F:\User Logs
 SUPPRESSPRIVACYSTATEMENTNOTICE: false
 TCPENABLED: 1
 UIMODE: Normal
 UpdateEnabled: true
 UpdateSource: Slipstream
 USEMICROSOFTUPDATE: false
 X86: false

 Configuration file: C:\Program Files\Microsoft SQL Server\130\Setup Bootstrap\Log\20180920_200447\ConfigurationFile.ini

Detailed results:
 Feature: Database Engine Services
 Status: Failed: see logs for details
 Reason for failure: Setup was canceled for the feature.
 Next Step: SQL Server Setup was canceled before completing the operation. Try the setup process again.

 Feature: SQL Server Replication
 Status: Failed: see logs for details
 Reason for failure: Setup was canceled for the feature.
 Next Step: SQL Server Setup was canceled before completing the operation. Try the setup process again.

 Feature: Client Tools Connectivity
 Status: Failed: see logs for details
 Reason for failure: Setup was canceled for the feature.
 Next Step: SQL Server Setup was canceled before completing the operation. Try the setup process again.

 Feature: SQL Writer
 Status: Failed: see logs for details
 Reason for failure: Setup was canceled for the feature.
 Next Step: SQL Server Setup was canceled before completing the operation. Try the setup process again.

 Feature: SQL Browser
 Status: Failed: see logs for details
 Reason for failure: Setup was canceled for the feature.
 Next Step: SQL Server Setup was canceled before completing the operation. Try the setup process again.

Rules with failures:

Global rules:

Scenario specific rules:

Rules report file: C:\Program Files\Microsoft SQL Server\130\Setup Bootstrap\Log\20180920_200447\SystemConfigurationCheck_Report.htm

Exception summary:
The following is an exception stack listing the exceptions in outermost to innermost order
Inner exceptions are being indented

Exception type: Microsoft.SqlServer.Chainer.Infrastructure.ChainerInfrastructureException
 Message:
 There was an error generating the XML document.
 HResult : 0x84b10001
 FacilityCode : 1201 (4b1)
 ErrorCode : 1 (0001)
 Data:
 DisableWatson = true
 Stack:
 at Microsoft.SqlServer.Chainer.Infrastructure.DataStoreService.SerializeObject(String rootPath, Object objectToSerialize, Boolean saveToCache)
 at Microsoft.SqlServer.Chainer.Infrastructure.DataStoreService.SerializeObject(Object objectToSerialize)
 at Microsoft.SqlServer.Chainer.Infrastructure.PublicConfigurationBridge.Calculate()
 at Microsoft.SqlServer.Chainer.Infrastructure.InputSettingService.CalculateSettings(IEnumerable`1 settingIds)
 at Microsoft.SqlServer.Chainer.Infrastructure.InputSettingService.CalculateAllSettings(Boolean chainerSettingOnly)
 at Microsoft.SqlServer.Chainer.Infrastructure.Action.Execute(String actionId, TextWriter errorStream)
 at Microsoft.SqlServer.Setup.Chainer.Workflow.ActionInvocation.<>c__DisplayClasse.<ExecuteActionWithRetryHelper>b__b()
 at Microsoft.SqlServer.Setup.Chainer.Workflow.ActionInvocation.ExecuteActionHelper(ActionWorker workerDelegate)
 Inner exception type: System.InvalidOperationException
 Message:
 There was an error generating the XML document.
 HResult : 0x80131509
 Stack:
 at System.Xml.Serialization.XmlSerializer.Serialize(XmlWriter xmlWriter, Object o, XmlSerializerNamespaces namespaces, String encodingStyle, String id)
 at System.Xml.Serialization.XmlSerializer.Serialize(TextWriter textWriter, Object o, XmlSerializerNamespaces namespaces)
 at Microsoft.SqlServer.Chainer.Infrastructure.DataStoreService.SerializeObject(String rootPath, Object objectToSerialize, Boolean saveToCache)
 Inner exception type: System.Security.Cryptography.CryptographicException
 Message:
 The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation.

 HResult : 0x80090345
 Stack:
 at System.Security.Cryptography.ProtectedData.Protect(Byte[] userData, Byte[] optionalEntropy, DataProtectionScope scope)
 at Microsoft.SqlServer.Common.SqlSecureString.WriteXml(XmlWriter writer)
 at System.Xml.Serialization.XmlSerializationWriter.WriteSerializable(IXmlSerializable serializable, String name, String ns, Boolean isNullable, Boolean wrapped)
 at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationWriterAgentConfigurationPublic.Write6_AgentConfigurationPublic(String n, String ns, AgentConfigurationPublic o, Boolean isNullable, Boolean needType)
 at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationWriterAgentConfigurationPublic.Write7_AgentConfigurationPublic(Object o)

sql-server
amazon-ec2
ssms
asked on Stack Overflow Sep 21, 2018 by cgilson • edited Sep 21, 2018 by marc_s

1 Answer

1

I have no idea why this works, but I googled it ONE MORE TIME after writing this, and I found this article... https://social.technet.microsoft.com/Forums/en-US/d3561211-2a72-4ab8-8675-158a93e16490/error-0x80090345-the-requested-operation-cannot-be-completed-the-computer-must-be-trusted-for?forum=winserver8gen

This server has two "Providers" nodes (same spelling) in \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\

One of them had the key they were talking about, the other didn't. I added it to the second one, and that fixed it. Happy Weekend!

answered on Stack Overflow Sep 21, 2018 by cgilson
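
A diagnostic sketch for the failure in the setup log and the registry difference described in the answer, added here and not part of the original question or answer: it calls the same `ProtectedData.Protect` API outside SQL Server Setup and lists the value names under the `Cryptography\Protect` key so the provider nodes can be compared. The function names are hypothetical, Windows PowerShell 5.1 is assumed, and because the page does not show which DPAPI scope Setup uses, both are tested.

```powershell
# Added diagnostic sketch, not from the original post; function names are hypothetical.
Add-Type -AssemblyName System.Security

function Test-Dpapi {
    param([System.Security.Cryptography.DataProtectionScope]$Scope)
    $plain = [System.Text.Encoding]::UTF8.GetBytes('dpapi self-test')  # constructed input
    try {
        # Same API that fails in the setup log's innermost exception.
        $blob = [System.Security.Cryptography.ProtectedData]::Protect($plain, $null, $Scope)
        $back = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $Scope)
        $same = [System.Text.Encoding]::UTF8.GetString($back) -eq 'dpapi self-test'
        [pscustomobject]@{ Scope = $Scope; RoundTrip = $same; HResult = ''; Message = '' }
    }
    catch {
        # PowerShell wraps .NET exceptions; walk down to the innermost one.
        $e = $_.Exception
        while ($e.InnerException) { $e = $e.InnerException }
        [pscustomobject]@{
            Scope     = $Scope
            RoundTrip = $false
            HResult   = '0x{0:X8}' -f $e.HResult   # the log shows 0x80090345
            Message   = $e.Message
        }
    }
}

function Get-ProtectKeyValues {
    # Every key below Cryptography\Protect with the value names it holds.
    # Key names are quoted so stray whitespace in a name is visible.
    $root = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Protect'
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Key = "'$($_.Name)'"; Values = @($_.GetValueNames()) }
    }
}

# Setup's DPAPI scope is not shown on the page, so test both.
'CurrentUser', 'LocalMachine' | ForEach-Object { Test-Dpapi -Scope $_ } | Format-List

# List each key's values and what it lacks compared with the other keys.
$rows  = @(Get-ProtectKeyValues)
$union = @($rows | ForEach-Object { $_.Values } | Sort-Object -Unique)
$rows | ForEach-Object {
    $have = $_.Values
    [pscustomobject]@{
        Key     = $_.Key
        Values  = $have -join ', '
        Missing = @($union | Where-Object { $have -notcontains $_ }) -join ', '
    }
} | Format-List
```

Running it once under the domain account and once under a local account shows whether the `0x80090345` failure follows the account rather than SQL Server Setup, and the `Missing` column shows which value one node holds that another lacks.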

User contributions licensed under CC BY-SA 3.0