SQL Server - Curious case of SQL orphaned users

By
Hello everyone and welcome back to your friendly SQL blog. While working on a recent project, which was to get SQL login related information, I came across an interesting ambiguity regarding orphaned users in SQL Server that a database user could be orphaned and still may not come up in your orphaned users report. Sounds interesting, yes it is. 
Remediation of this scenario unearthed a flaw/miss of our old and reliable inbuilt SQL Server stored procedure i.e. “sp_change_users_login”, which we generally use to verify broken or orphaned Database SQL users. Such interesting facts and useful piece of information are meant to be shared and hence came up this blog of today.

Scenario:

Now let me put more details regarding this particular scenario. Generally, a user is called orphaned when you’ve a database user present on the database that has no corresponding SQL login present on the server level. This relationship between a database user and SQL login is established using SIDs of both the secure object. A regular non-orphaned user will have a corresponding login present on the server level with same SID (there name doesn’t need to be same) as that of database user.

Now what was happening here is that, there was a login which was present on server level and was mapped nearly to every database on the server. I was using the SID matching logic to get report of orphaned users and on few of the databases we’re getting a red flag that this ID is orphaned. As this report would be shared with end users as well as we also they would be dropping these orphan users hence we were validating the data before this goes to production.

As usual for validation we used "sp_change_users_login ‘report’ " command to get report of orphan users on databases. However, when we executed the command on flagged database the ID didn’t get listed as orphan. Obviously, when you get a contradictory result for a reliable logic you ought to dig deeper to get to the root cause and this is exactly what I did.

Issue:

To get to the root cause of this issue I tried to reproduce the scenario on my local system. To recreate this issue all you’ve to do is to create a database user on any database without login as can be seen below.




Now as you can clearly see above this user is not mapped to any login as we have explicitly created it without any mapping, however when you run the orphaned user report you’ll still zero rows returned.

Then I went into the text of “sp_change_user_login” SP to see why this user is not getting reported. Below is the snippet from the SP for the report section. There is a particular line (which I’ve also highlighted) is what causing this user to not get reported.

-- HANDLE REPORT -- 
    if @Action = 'REPORT' 
    begin 
 
        -- CHECK PERMISSIONS -- 
        if not is_member('db_owner') = 1 
        begin 
  raiserror(15247,-1,-1) 
             return (1) 
        end 
 
        -- VALIDATE PARAMS -- 
        if @UserNamePattern IS NOT Null or @LoginName IS NOT Null or @Password IS NOT Null 
        begin 
            raiserror(15600,-1,-1,'sys.sp_change_users_login') 
            return (1) 
        end 
 
        -- GENERATE REPORT -- 
        select UserName = name, UserSID = sid from sysusers 
            where issqluser = 1  
            and   (sid is not null and sid <> 0x0) 
            and   (len(sid) <= 16) 
            and   suser_sname(sid) is null 
            order by name 
        return (0) 
    end 
 
   -- ERROR IF IN USER TRANSACTION -- 
    if @@trancount > 0 
    begin 
        raiserror(15289,-1,-1) 
        return (1) 
    end 



There are four cases which are tested and the third (highlighted) clause was the main reason for the miss. If you see in the below screen-shot even though it is an orphaned user the length of the SID is longer than expected 16 and hence it will not show as orphaned by “sp_change_users_login”.



So, this is it, our curious case of hidden orphaned SQL users. Working on this scenario also highlights the importance of testing and validation of our processes and results. No matter how much you’ve tested on your test system, PROD systems can still throw surprises, which will make you go back to your code and to look for such hidden flaws of system and functions you’re already using.

Hope this will help you in case you’re developing something like that or wondering why a user is not having access to database when he/she is have a mapped login. They could be orphaned and we may have not even noticed it. 

 Please +1 and share the post if you like it. And provide your valuable feedback as comments.



MCSA Certified SQL Server DBA with sublime development skills to automate regular tasks and interest in following and discussing trending technologies, well-being and spirituality.

Comments

Post a Comment

Popular posts from this blog

SQL Server: SQL Server services not starting. TDSSNIClient initialization failed with error 0x139f, status code 0x80. Reason: Unable to initialize SSL support.

By
Hi All, and welcome back. As the computing power and networking is increasing day by day so is the need of more safer and stronger encryption channel methods and algorithms. And we want our databases and database server to use the same as well. But sometimes implementing them may cause undesired results like SQL Server not coming online. In case you’re also facing the same issue or planning to adopt new TLS standards like TLS 1.2 and don’t want to such problems then you should go through this post. Problem: We may require to make changes like enabling higher level cipher suite TLS 1.2 and disable TLS 1.0 for better security of our servers. But in case you make this changes it can be possible that after restart the SQL Services refuse to come online and fails. If you check the SQL Server error logs you’ll get the below errors: Error: 17182, Severity: 16, State: 1. TDSSNIClient initialization failed with error 0x139f, status code 0x80. Reason: Unable to initialize SSL sup
Read more

SQL Server 2014 SP\CU installation getting stuck at “MsiTimingAction”

By
Image
Hello folks, and welcome back to this new post on Sidd's SQL Solutions. Recently I was working on regular SQL Server patching stuff, which often we have to do and I faced this odd situation on one of the server, which troubled me a lot. Fortunately I was able to fix it after two days of struggle, which also gave me my new post. This blog post will cover this issue and its fix in details. The Issue: The odd situation or the issue I faced here was while installing S ervice P ack 2 for SQL Server 2014 on a server running with  Windows Server 2012 R2  OS. The setup starts up normally like others but gets stuck at “MsiTimingAction ” page and  simply refuses to progress any further . No matter how many times you restart the setup or your system\server it end up at the same stage. It seems to be a known issue, which was fixed in C umulative U pdate 2 of S ervice P ack 1 for SQL Server 2014. The system on which I was applying this patch was already running with CU8
Read more

SQL Server: Cluster Installation failed with error “Wait on the Database Engine recovery handle failed.”

By
Image
So, it is a nice fine day and you’re in office doing your BAU. You got this new task of installing SQL Cluster (which you’ve probably done several times before) and after making all necessary arrangements and planning you started it. All went fine and then when the setup is almost done you got this strange error “Wait on the Database Engine recovery handle failed.” which ruins the rest of your day. No worries we are here to sort this out quickly for you. Problem Now the problem here is that SQL Server setup is able to install all the components but is failing for DB engine (and its group). You get the error pop-up stating the below error: “Wait on the Database Engine recovery handle failed. Check the SQL Server error log for potential causes.” It may also give some link, which unfortunately (may) not lead you to anywhere. And at the end your see crosses against DB engine and its dependent components. Let me first tell you that why you got this error. In every SQL
Read more