Different SIDs

Posted by Barac in Powershell, SQL Server, SQL Tips and Tricks on Dec 5th, 2018 | 0 comments

If you are using Azure SQL Database with geo-replication or auto failover group and if you are using logins and users rather than contained users you can end up with the following error when you try to connect to the secondary/failover database after failover occured.

If you already created a login on the failover server using SQL command

-- ======================================================================================
-- Create SQL Login template for Azure SQL Database and Azure SQL Data Warehouse Database
-- ======================================================================================
CREATE LOGIN <SQL_login_name, sysname, login_name>
WITH PASSWORD = '<password, sysname, Change_Password>'
GO

The SID of the login in the master database will not match with SID in the user database, due to the user will not be able to access that database.

You can use the following SQL Command to set up user access to the secondary database.

-- ======================================================================================
-- Create SQL Login template for Azure SQL Database with SID
-- ======================================================================================
CREATE LOGIN <SQL_login_name, sysname, login_name>
WITH PASSWORD = '<password, sysname, Change_Password>',
SID= SID_VALUE
GO

Firstly you need to determine which logins you need on failover SQL server. To determine that you will need to query master DB, to be able to that you will need to have proper permissions.

Run the following statement on the primary server:

SELECT name, sid, type_desc, principal_id
FROM sys.sql_logins

Depending on the login names you have on your server results of the query should be similar to this

After that run following SQL statement on the user database, again you will need proper permissions to be able to do that.

SELECT name, sid, type_desc, principal_id
FROM sys.database_principals
WHERE type = 'S' AND sid IS NOT NULL AND authentication_type=1

Results of the query should be similar to this

After you determine what is the proper SID for that user on Primary server you need to create a login on the secondary server using that same SID value, for example:

CREATE LOGIN test_user
WITH PASSWORD = 'test_user_password',
SID= 0x01060000000000640000000000000000AFABF8972EFF7042B58BD03765EA804E
GO

Also, you can use PowerShell to do all that in one step.

First, you need to connect to your Azure account and check if you using right subscription

Connect-AzureRmAccount
Get-AzureRmSubscription
Select-AzureRmSubscription -SubscriptionId xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
Get-AzureRmContext

Then you can use the following PowerShell script to create users on both Primary and Secondary server with the same SID.

param (
# Set an admin login and password for your server
[string]$adminlogin = "",
[string]$password = "",

# Set server name - the logical server name has to be unique
[string]$servername = "",

# Set failover server name - the logical failover server name has to be unique
[string]$failoverservername = "",

# The database name
[string]$databasename = "",

# Database (App) user
[string]$databaseuser = "",
[string]$databaseuserpassword = "",
[string]$databaseuserrole="db_owner"
)
cls

#########################################################################
# Create a login for the SQL Server and add user to the database (Primary Server)
#########################################################################
# Create a login
$ConnStrMaster = @{
'Database' = 'master'
'ServerInstance' = $servername+'.database.windows.net'
'Username' = $adminlogin
'Password' = $password
'Query' = "IF NOT EXISTS (SELECT * FROM sys.sql_logins WHERE name = N'$databaseuser')
CREATE LOGIN $databaseuser WITH PASSWORD=N'$databaseuserpassword'"
}
Invoke-Sqlcmd @ConnStrMaster

# Create DB user and map created login to DB user
$ConnStrDB = @{
'Database' = $databasename
'ServerInstance' = $servername+'.database.windows.net'
'Username' = $adminlogin
'Password' = $password
'Query' = "IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE name = N'$databaseuser')
CREATE USER $databaseuser
FOR LOGIN $databaseuser
GO
EXEC sp_addrolemember N'$databaseuserrole', N'$databaseuser'
GO"
}
Invoke-Sqlcmd @ConnStrDB
#########################################################################
#########################################################################

#########################################################################
# Find SID for created user (match SID)
#########################################################################
$SIDMatch = @{
'Database' = $databasename
'ServerInstance' = $servername+'.database.windows.net'
'Username' = $adminlogin
'Password' = $password
'Query' = "SELECT sid FROM sys.database_principals WHERE name = N'$databaseuser'"
}
$results=Invoke-Sqlcmd @SIDMatch
$sidBytes = $results.sid
$sidText = "0x"+ (($sidBytes|ForEach-Object ToString X2) -join '')
$resultsNew=$sidText.Substring(0, 66)
#########################################################################
#########################################################################
###################################################################
# Create a login for the SQL Server (Failover Server)
#########################################################################
$ConnStrMasterFailover = @{
'Database' = 'master'
'ServerInstance' = $failoverservername+'.database.windows.net'
'Username' = $adminlogin
'Password' = $password
'Query' = "IF (EXISTS(SELECT * FROM sys.sql_logins WHERE [name] = N'$databaseuser')) DROP LOGIN [$databaseuser];
CREATE LOGIN $databaseuser WITH PASSWORD=N'$databaseuserpassword', SID =$resultsNew"
}
Invoke-Sqlcmd @ConnStrMasterFailover
#########################################################################
#########################################################################

You can find more information about how to configure and manage Azure SQL Database security for geo-restore or failover on the following MS article

About Me

My name is Zoran, currently living in Auckland, New Zealand. I am a data specialist with more than 15 years of hands-on experience in database administration and optimisation. I am also, Certified Microsoft Trainer (MCT) and Microsoft Certified Solutions Expert (MCSE) with a Master‘s degree in Information Technology. Sharing knowledge and contributing to the SQL Server community is my passion. I am also an organiser of the Auckland SQL User Meetup Group. As well I am active blogger and speaker at different SQL events such as SQL Saturdays, Meetups etc.

Azure / SQL Server / Azure SQL Database Disaster Recovery / Orphaned Users / Different SIDs

Similar Posts:

Leave a Reply Cancel reply

About Me

Email Subscription

Index Usage Report

Auckland SQL Group

MSDN PROFILE

Archives

SQL SERVER UPDATES

Recent Posts

Tag Cloud