Orphaned DB Users and Sql Server logins


One of the common tasks in db community is moving databases from one Sql server instance to another.
For simple environments, it could be just a matter of backing up  database on one server/instance and restoring it on another.

Sometimes, even if we successfully restore database on a new server, create all necessary logins and change the application connection string to point to the new instance we still get the Database not accessible or Login failed error messages.

The common reason for the errors is the disconnection between the db users and their logins – The orphaned DB users.
The technique we usually use to re-connect the users, is to call a system stored procedure that will do the Login-DbUser remapping.

Why does the problem occur in the first place and what we can do to prevent it. The following is a little bit of theory and a couple of examples that will illustrate the problem.

In Sql Server, there are eleven different database user types. The type I am focusing on today is:  Db User based on the SQL Server authenticated Login . The complete list can be found here.

Every principal (entity that can request SQL Server resources) has two main properties:

  • Principal ID or ID
  • Security ID or SID

The scope of influence of a principal depends on the level that the principal operates on e.g Sql Server Level principals operates on  an Sql Server Instance level while the Database level principals operates on a database level.

  • Logins are principals whose scope is Sql Server instance
  • DB Users are principals whose scope is Database
DB Users –  based on Sql Server Logins

When  we create an Sql Server  Login,  Sql Server assigns ID and SID to the created principal.

  • ID – (INT) -Uniquely identifies Login as an Sql Server securable (resource managed by Sql Server). The ID is generated by Sql Server
  • SID – (VARBINARY(85)) –  Uniquely identifies the security context of the Login. The security context depends on how the identifier was created. The Login  SIDs can be created by :

    • Windows User/Group. The SID will be unique across the User/group domain and will be created by the domain.
    • Sql Server. The SID is unique within Sql Server and created by Sql Server – used in the example below.
    • Certificate or asymmetric key. (cryptography in Sql Server will be covered in one of the following posts)

The information about the Logins are stored in the master database

The following code will create a few Sql objects to illustrate the problem.

The logins are stored in the master database and can be viewed using sys.server_principals system view:

Query Results (the identifiers may be different on different PCs)
Logins_srvPrincipals

Now we need to create a few database users.

As mentioned before, there are eleven different types of database users. For this exercise we’ll create db users based on  Sql server logins.

Sql Server has  assigned the Principal IDs and Security IDs to the newly created users.

  • ID – (INT) -Uniquely identifies db users as a database securable.
  • SID – (VARBINARY(85)) – Uniquely identifies the security context of the User. The security context depends on how the identifier was created – In the example the db Users security context depends on the Logins and therefore the User SIDs will match the Login SIDs .

The information about the database users are stored on database level an can be viewed using the sys.database_principals system view.

Users_DB1

..and for the second database..

Users_DB2

The diagram below shows the relations between Logins and Users.

LoginsUsers

Image 1, Logins/Users mapping

Case Scenario:
An application uses two databases, TestOrphanedUsers_1 and TestOrphanedUsers_2. We decided to move the application’s backend to a new instance by backing up and restoring the two on the new server.
The restored databases contain all of the previously defined db users since the principals are a part of the databases. The original server logins were not transferred because they belong to the original master database.
At this stage the logins are not mapped to the users and the application is not able to access the backend.

To simulate the scenario, we’ll remove the previously created logins.

If we removed the logins using SSMS UI, we would get a message

DropLoginMsgSSMS

The users left in the databases are now called “The orphaned Users”. The users without the corresponding logins cannot be used to access the databases. This situation mimics the database restore on a new Sql Server instance.

The next step is to create new logins. At this stage we can do two things.

  • Create new logins (as we did before). Sql server’s engine will assign new SIDs to the logins. These identifiers will not match the existing user SIDs and consequently we’ll have to remap the Logins to the Users (to make SIDs match). To make a match, the process will replace the old user SIDs with the new Login ones .

Using the principals’ metadata we can see the mismatch between SIDs .

Login SIDs:
Logins_srvPrincipalsNEW_notMatch

To restore the previous mapping (see Image 1) we need to remap the orphaned users as:
Logins_UsersMapping

.. using the sys.sp_change_users_login system stored procedure.

This will replace the user SIDs with the new Login SIDs
The stored procedure supports Auto_Fix action type that can be used in a specific scenario in which we create a missing login with the same name as the orphaned user the login was created for.
More information about the procedure can be found here.

NOTE: SQL Server 2016 is the last database engine version to support sys.sp_change_users_login procedure.
Microsoft recommends to use ALTER USER instead.

  • Create logins implicitly specifying  SIDs to match the db. user SIDs,

Now we can test the mapping using the Logins to access the databases.

Conclusion:

The database users created for(or based on) Sql Server authenticated logins must have a valid link to the logins. The link is the Security identification(SID) varbinary.
Due to different scopes of the principals, db Users, when restored on a different server, may became disconnected(orphaned) from the corresponding Logins(the new logins may have new SIDs that don’t match the original db User SIDs). In this situation the applications are not able to connect to the database.
To remap the principals we can use two approaches; system sp  sys.sp_change_users_login to change the db user SIDs to match the new Login SIDs  or to create new Logins using the original user SIDs.
It’s worth mentioning that the latter may cause the “Supplied parameter sid is in use” error if the specified SID is already in use by an existing Login.

Thanks for reading.

Dean Mincic

 

2 thoughts on “Orphaned DB Users and Sql Server logins”

  1. Might be worth while altering from sp_change_users_login to ALTER USER instead.

    sp_change_users_login is on the depreciated features list to be removed in an upcoming version and the replacement is ALTER LOGIN and new recommendation from MS.

    1. Thank you for reading the article. You are right, Sequel 2016 is the last to support the sp. I have added an ALTER USER example. That was a great suggestion. Thanks !!

Leave a Reply

Your email address will not be published.