Understanding the error message: “Login failed for user ”. The user is not associated with a trusted SQL Server connection.”

Understanding the error message: “Login failed for user ”. The user is not associated with a trusted SQL Server connection.”

This exact Login Failed error, with the empty string for the user name, has two unrelated classes of causes, one of which has already been blogged about here: http://blogs.msdn.com/sql_protocols/archive/2005/09/28/474698.aspx.  In addition to an extra space in the connection string, the other class of causes for this error message is an inability to resolve the Windows account trying to connect to SQL Server.  This list is not intended to be exhaustive, but here are several known root causes for this error message. 

1)      If this error message occurs every time in an application using Windows Authentication, and the client and the SQL Server instance are on separate machines, then ensure that the account which is being used to access SQL Server is a domain account.  If the account being used is a local account on the client machine, then this error message will occur because the SQL Server machine and the Domain Controller cannot recognize a local account on a different machine.  The next step for this is to create a domain account, give it the appropriate access rights to SQL Server, and then use that domain account to run the client application.  Note that this case also includes the special accounts “NT AUTHORITYLOCAL SERVICE” and “NT AUTHORITYNETWORK SERVICE” trying to connect to a remote SQL Server, when authentication uses NTLM rather than Kerberos.

One very common case where this can occur is when creating web applications with SQL Server and IIS; often, the web page will work during development, then errors occur with this message after deploying the web site.  This occurs because the developer’s account has access to SQL Server, but the account IIS runs as does not have access.  To fix this specific problem, refer to this kb article about impersonating a domain user in ASP.NET: http://support.microsoft.com/kb/306158

2)      Similar to above: this error message can appear if the user logging in is a domain account from a different, untrusted domain from the SQL Server’s domain.  The next step for this is either to move the client machine into the same domain as the SQL Server and set it up to use a domain account, or to set up mutual trust between the domains.  Setting up mutual trust is a complicated procedure and should be done with a great deal of care and due security considerations.

3)      This error message can appear immediately after a password change for the user account attempting to login.  This occurs because of caching of the client user’s credentials.  The next step here is to log out the application user with the old password, and re-login with the new password before running the application.

4)      If this error message only appears sporadically in an application using Windows Authentication, it may result because the SQL Server cannot contact the Domain Controller to validate the user.  This may be caused by high network load stressing the hardware, or to a faulty piece of networking equipment.  The next step here is to troubleshoot the network hardware between the SQL Server and the Domain Controller by taking network traces and replacing network hardware as necessary.

5)      This error message can appear consistently for local connections using trusted authentication, when SQL Server’s SPN is not interpreted by SSPI as belonging to the local machine.  This can be caused either by a misconfiguration of DNS, or by a machine having multiple names.  If your machine has multiple names, try to work around the need for multiple names and give it a unique name.  If the machine just has one name, then check your DNS configuration.

Dan Benediktson
SQL Server Protocols

Disclaimer: This posting is provided “AS IS” with no warranties, and confers no rights

Comments (45)

  1. Hosam Kamel says:

    a wonderful explanation about the error message: “Login failed for user ”. The user is not associated

  2. Helge Rutz says:

    I just had trouble with this error message after rebooting a domain controller.

    For SQL Server I get the following log entries:

    SSPI handshake failed with error code 0x80090304 while establishing a connection with integrated security; the connection has been closed.

    Login failed for user ”. The user is not associated with a trusted SQL Server connection.

    But in Security Enventlog i also get the following error:

    The kerberos subsystem encountered a PAC verification failure.

    This indicates that the PAC from the client SVC-Prod-03 in realm LOCAL.NET had a PAC which failed to

    verify or was modified.  Contact your system administrator.

    And I got these errors still 5 minutes after the DC was up and running again.

    What is so special with authentication in SQL Server that I get this kerberos error?

  3. greg aiken says:

    can anyone point me to a definitive page that outlines exact steps to confirm a properly installed and configured ‘sqloledb(.#)’ client connectivity library exists on a computer?

    thanks in advance.

  4. Eric Newton says:

    FYI Sometimes its as simple as "SQL Authentication" wasn’t enabled when the server was setup.

    To fix it (and establish the sa password), go to the server properties in the Management Studio and enable SQL Authentication.

  5. dave choi says:

    Thanks for this. But I do have an issue not listed. When I use the integrated security=true connection string my domain account works fine. However when I use my login and password in the connection string, I get "login failed for user …". Any ideas?

  6. Stoyko Kostov says:

    If you use login and password in the connection string, the connection assumes SQL login and password, not Windows login and password. For example, if SQL authentication is enabled and there is a SQL user "user1" with password "pwd1", you can use "user id=user1;password=pwd1" in the connection string to connect. DO NOT use "integrated security=true" in this context. If you use "integrated security=true", DO NOT specify your Windows domain account credentials.

  7. Fergal says:

    I have BizTalk attempting to communicate to SQL 2005 on the same server but getting this error when it uses a connection string set in the Enterprise Library. I can verify that this connection works correctly but when executed via biztalk it fails with this error.

  8. Chani says:

    @Stoyko: so… if specifying hte name and password will make it not use windows authentication… how do I make it use windows authentication *and* give it my windows name and password?

  9. remote says:

    For me,  adding the

    NT AUTHORITYNETWORK SERVICE user solved the problem

  10. Lutz says:

    There must another case where we this message is issued as well.

    I have a SQL Server 2005 that has Mixed Authentication enabled and remote connection enabled.

    I have users both in my domain and connection from outside the domain that I have added as users to SQL.

    In my client app that uses the Microsoft Enterprise Library and .NetTiers, I have a connection string that uses Integrated security and attempts a SQL operation. If that fails, I prompt the user, change the connection string to one that uses the userid/pwd and try again.

    For a user inside the network, I can connect with both variations of the connection string (I forced SQL Auth for kicks once) and I can see that in the SQL Profiler. The exact connection string I’m trying is:

    Data Source=10.52.xx.xx;Initial Catalog=SomeDB;Trusted_connection=false;Integrated Security=false;User Id=Usern;Password=pwd

    For a user outside the network, they see the dialog, enter their User/Pwd combo and that connection fails with the error message mentioned. The Event viewer only shows the two entries for the failed NTLM attempt, SQL Profiler shows nothing. netstat shows a connection on port 1433 for that user. I’ve sniffed all the network packets during a login attempt, but did not see any connection string come through (I assume it’s encrypted somehow).

    I’m at a loss as to how to fix this.

    Any ideas?

  11. Ted says:

    For me, logging in locally was failing using Windows Auth.  The hosts file had 2 names for the same box.  After removing the  unused name, the connection worked.  Thanks for the help.

  12. Winson says:

    I got the same error: SSPI handshake error and login failed as mentioned above.

    i have tried and read alot , but finally i modified the local security policy .

    go to Network access: change from Guest to Classic,

    that’s it !  

    hope it can help !

  13. TR says:

    Good listing of the probable causes of this error msg.

  14. karolanet says:

    Hi, I have this problem:

    I have a SQLServer 2008 installed. This is not an update from SQL2005.

    If I try to connect to it using the same provider as I use with SQL 2005 (SQLOLEDB.1) It doesn’t work.

    I have to use this provider: SQLNCLI10.1

    Using it, I can connect to SQL 2008 throw an UDL file.

    But when I try to use that UDL file to connect to my VB6 app, this error message appears: "Login failed. The login is from an untrusted domain and cannot be used with Windows authentication."

    In the other hand, I have 3 SQL2005 instance each one updated to SQL2008. I don’t have any problem with them. I can use ‘SQLOLEDB.1’ provider and works fine.

    I cannot install SQL2005 and update it to 2008 because it’s on a server which I can’t modify.

    The SQL2008 instance has mixed mode. I can login from the SQL Server Manager Studio 2008, but not from VB6. Finally, I’ve made a DSN and VB6 can connect to that database throw this DSN but I need to connect by a ConnectionString since I don´t want to make a DSN in each end user machine.

    Do you have any idea?


  15. Munir says:

    i m using this connection string.

    Data Source=server;database=DB;integrated security=true;

    sometime it is connecting and sometime it replies "Login failed for user"

    any idea regarding this problem.

  16. Shohn says:

    This helped a bunch. Saved me about a hour of time! The solution was to add a domain account in my situation.

  17. Lester says:

    Yep, as like Shohn.  Add a domain account in Sql.  In my case I added a new HCUser with password HCUser and gave it read and write permissions as dbowner.

    I set this account and password into my apps connection string.  I’m still able to automatically authenticate and restrict the users in my app, but use this account access the db.  I’ll use this until I’m able to figure out how to propagate the credentials correctly to sql.

  18. k2ace says:

    One common issue I see that causes this exact error is cached network creds in windows.  The quick fix for this is to run the following

    1. Open Command Prompt

    2. Type the following command:

    rundll32.exe keymgr.dll, KRShowKeyMgr

    3. Remove all the cached passwords

    This is the only solution I could find to work on our locked build since the users run locked builds with limited rights.

  19. Count de Roads says:

    Thanks k2ace,

    KRShowKeyMgr worked for me after I had accessed a network drive using a colleagues userid & password in windows explorer.

    And then SQL Server Enterprise Manager would not connect &  message

    "login failed for user" & the wrong userid

  20. K+Runa says:

    ++Thanks, k2ace. We were chasing this problem for a couple of days and you saved us from an OS reload.

    Oddly enough, some of our internal ClickOnce applications which touch the database crash due to an unhandled exception because of this.

  21. Charles says:

    The keymgr fix from k2ace worked for me.

    I have a dual-boot server (2003 and 2008) with a common user name login but different password. After logging in to 2008 I couldn’t use Windows Authentication into SQL Server 2005 on 2003. I cleared the cached credentials and all is well again.


  22. BlackStallion says:

    Question for reason# 5, do you mean the machine has dual booting and has multiple names which can cause the problem? I have this problem, my machine is member or a workgroup and the application uses windows auth which fails each and every time.

  23. Gadi Sridhar says:

    even i encountered the same problem with login failed for sql server 2005.

    at last got the solution:

    for your database in any particular directory use the below code:

    Dim con As New SqlConnection("Data Source=.SQLEXPRESS;AttachDbFilename=C:UsersM K SinghDesktopBook StoreBookStore.mdf;Integrated Security=True;Connect Timeout=30;User Instance=True")

    In any other directory:






  24. luc says:

    Thanks k2ace for your solution, it worked for me!

  25. somebody says:

    My resolution of this problem was:

    open regedit

    – go to path: HKLMSystemCurrentControlSetControlLSA

    – add DWORD „DisableLoopbackCheck”

    – set value to 1

  26. Sandhya says:

    I have installed sql server 2005 in mixed mode authentication with domain as user account as administrator of the domain as instance. so everything is fine on server

    Now i am trying to connect the client pc to sql server thru odbc connection. i am using dsn so while creating dsn i have selected the server as sql server instance and with sql server authentication using login id and password entered by user . then i have clicked the checkbox connect to…there i have given the username as sa and given the password but it is giving me error as user sa is not associated with a trusted sql connection.

    Then i have tried with user as client user and his domain password still it is giving me the same error

    can you help me out?

  27. anticant says:

    I received this error message because the web server was not resolving the sql server's server name to an FQDN.  Modified the host file to do so and it fixed the problem.

  28. Kartik says:

    I am also facing the issue.

    I want to log performance monitor data to sql server.

    I am running perfmon on windows server 2008 and trying to connect sql server 2005 (windows 2003) using dsn.

    On start perfmon counter i m getting error

    Log Name:      Application

    Source:        Microsoft-Windows-PDH

    Date:          1/27/2011 11:17:46 AM

    Event ID:      3041

    Task Category: None

    Level:         Error

    Keywords:      Classic

    User:          N/A

    Computer:      localhost


    Call to SQLAllocConnect failed with [Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user ''. The user is not associated with a trusted SQL Server connection..

    Event Xml:

    <Event xmlns="schemas.microsoft.com/…/event">


       <Provider Name="Microsoft-Windows-PDH" Guid="{04D66358-C4A1-419B-8023-23B73902DE2C}" EventSourceName="PDH" />

       <EventID Qualifiers="49152">3041</EventID>






       <TimeCreated SystemTime="2011-01-27T05:47:46.000000000Z" />


       <Correlation />

       <Execution ProcessID="0" ThreadID="0" />



       <Security />



       <Data>[Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user ''. The user is not associated with a trusted SQL Server connection.</Data>




    Please help.

  29. Fred Fredburger says:

    Spot on, k2ace.  I had changed my AD password on another computer, but never locked my local computer (that I was trying to connect from) for the credentials to take effect.  Thanks much!

  30. Kevin says:

    I'm getting this error from my local SQL Express only when connected to my corporate VPN.  If I disconnect from the VPN it connects and it connects fine from the office.  Any ideas?

  31. Kevin says:

    Also, this problem didn't occur with the same code running under the .NET Framework 3.5 but started hyappening under .NET Framework 4.

  32. Markie_2230 says:

    I have resolved this God-accursed error.  

    1) I downloaded the DB Connection String Test and tested my existing connection strings.


    2) Changed Server Properties from Windows Authentication Mode to SQL Server and Windows Authentication Mode.

    3)  Created a UserId/Password

    4) Tried the ConnectionString with the UserID/Password and that worked.

  33. Nebojsa Gojnic says:

    One more possible reason for this:

    if you assign client server alias based on computer IP instead on its (net) name,

    therefore do not use IP(s) for client aliases, just type acccessable net name.

  34. JayB says:

    Step 1>Install MS SQL server 2008

    Step2>During Istallation Always Select MIXED User connection;

    Step3>after successful installation of data base Login as Local User.and create Database..then in side Database select security

    and then right click on login and create new Login.

    Step4>give new User name and Select SQL Authentication..and give password then deselect USE MUST CHANGE PASSWORD AT NEXT LOGIN

    Step5>Go to USER MAPPING on that form and select database wihich u want to assign to that User.and below that assign

    read,write,backup permission.and then Click "ok" to finish.

    Step6>NOW open SQL Server Configuration Manager->SQL Server Network Configuration->Protocols for <Instance Name>->Enable Shared

    Memory & TCP/IP and Double Click on TCP/IP then got to IPaddress TAB->in here ScrollDown and look "IP ALL"there give TCP Port

    "1433" then "ok".

    Step7>Now Go to SQL NATIVE Client xx.x Configuration->Client Protocols->Enable Shared memmory and TCP/IP->Double click on Client

    Protocols and Default Port =1433

    Step8 Optional Client side>Go to Aliases and create new Alias.eg-Alias name=xyz,)port no=1433,Protocol=TCP/IP,Server=Ip Add

    ( or DomainNameInstanceName(JOI-MIMSSQLSERVER)

    Step9>do Step 6 & 7 in client Side.

    Note:-Remember Do all settings of SQL Server Configuration Manager in 32-bit version.ull see don't worry.

    Use this Connection string ->

    cnn = New SqlConnection("Data Source=<Alias name/ipaddress,port>;Network Library=DBMSSOCN;Initial Catalog=DATAbaseNAME;User


  35. stephen says:

    I am trying to connect to a database from my C# application on another machine.  It is not part of the same workgroup. how do I change my SQL 2008 R2 instance or my connection string in the C# app to fix this error?

  36. Manoharan says:

    Please try to give the username and password while getting the connection.

    For Example :

    Connection conn = DriverManager.getConnection("jdbc:odbc:student_dsn","testadmin","admin");



  37. Pontus says:


    we receive "SSPI handshake failed with error code 0x80090304 while establishing a connection with integrated security; the connection has been closed" after our domain controllers was restarted due to WSUS updates (not all DC:s at once). We are running SQL 2008 SP1. Is this a default design in SQL not using other DC for authentication if one is down? This mean that our BizTalk servers is "loosing" the SQL and all hosts is going down.  Could you config SQL to use multiple DC?



  38. bakhtyari says:


    we have this problem with following web.config. Please help us:

    <?xml version="1.0"?>


       Note: As an alternative to hand editing this file you can use the

       web admin tool to configure settings for your application. Use

       the Website->Asp.Net Configuration option in Visual Studio.

       A full list of settings and comments can be found in

       machine.config.comments usually located in





       <add name="agriebankConnectionString" connectionString="Data Source=;Initial Catalog=agriebank;User ID=agriebank ;Password=9155174557;Integrated Security=false" providerName="System.Data.SqlClient"/>





               Set compilation debug="true" to insert debugging

               symbols into the compiled page. Because this

               affects performance, set this value to true only

               during development.


           <customErrors mode="on"/>

       <compilation debug="true">


           <add assembly="System.Core, Version=, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>

           <add assembly="System.Web.Extensions, Version=, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>

           <add assembly="System.Data.DataSetExtensions, Version=, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>

           <add assembly="System.Xml.Linq, Version=, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>

           <add assembly="System.Data.Linq, Version=, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>

           <add assembly="System.Data.Entity, Version=, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>

           <add assembly="System.Windows.Forms, Version=, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>




               The <authentication> section enables configuration

               of the security authentication mode used by

               ASP.NET to identify an incoming user.



               The <customErrors> section enables configuration

               of what to do if/when an unhandled error occurs

               during the execution of a request. Specifically,

               it enables developers to configure html error pages

               to be displayed in place of a error stack trace.

           <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">

               <error statusCode="403" redirect="NoAccess.htm" />

               <error statusCode="404" redirect="FileNotFound.htm" />





    <add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>

    <add tagPrefix="asp" namespace="System.Web.UI.WebControls" assembly="System.Web.Extensions, Version=, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>




    <remove verb="*" path="*.asmx"/>

    <add verb="*" path="*.asmx" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>

    <add verb="*" path="*_AppService.axd" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>

    <add verb="GET,HEAD" path="ScriptResource.axd" validate="false" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>



    <add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>





    <compiler language="c#;cs;csharp" extension=".cs" type="Microsoft.CSharp.CSharpCodeProvider,System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089" warningLevel="4">

    <providerOption name="CompilerVersion" value="v3.5"/>

    <providerOption name="WarnAsError" value="false"/>


    <compiler language="vb;vbs;visualbasic;vbscript" extension=".vb" type="Microsoft.VisualBasic.VBCodeProvider, System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089" warningLevel="4">

    <providerOption name="CompilerVersion" value="v3.5"/>

    <providerOption name="OptionInfer" value="true"/>

    <providerOption name="WarnAsError" value="false"/>





       <directoryBrowse enabled="false" />



           <clear />

           <add value="Default.htm" />

           <add value="Default.html" />

           <add value="Default.asp" />

           <add value="Default.aspx" />

           <add value="Default.php" />

           <add value="Default.pl" />

           <add value="Default.cgi" />

           <add value="index.htm" />

           <add value="index.html" />

           <add value="index.asp" />

           <add value="index.aspx" />

           <add value="index.php" />

           <add value="index.pl" />

           <add value="index.cgi" />

           <add value="_holding.html" />




    <remove name="ScriptModule"/>

    <add name="ScriptModule" preCondition="managedHandler" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>



    <remove name="WebServiceHandlerFactory-Integrated"/>

    <remove name="ScriptHandlerFactory"/>

    <remove name="ScriptHandlerFactoryAppServices"/>

    <remove name="ScriptResource"/>

    <add name="ScriptHandlerFactory" verb="*" path="*.asmx" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>

    <add name="ScriptHandlerFactoryAppServices" verb="*" path="*_AppService.axd" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>

    <add name="ScriptResource" preCondition="integratedMode" verb="GET,HEAD" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>




    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">


    <assemblyIdentity name="System.Web.Extensions" publicKeyToken="31bf3856ad364e35"/>

    <bindingRedirect oldVersion="" newVersion=""/>



    <assemblyIdentity name="System.Web.Extensions.Design" publicKeyToken="31bf3856ad364e35"/>

    <bindingRedirect oldVersion="" newVersion=""/>





  39. Ripan says:

    I have also getting same prob

    "Login failed for user"

  40. Manoj says:

    My server has 2 names, Changing the name of server solved it.

  41. Księgowość Warszawa says:

    Very useful information. We took advantage of the suggestions. http://interlex.com.pl/. Thank you for help.

  42. graeme@black-alvarez.com says:

    This problem can also happen if the user's password has expired, but they are still logged in.  It is resolved when they change their password.

  43. yerry says:

    Stuck on this "Login failed for user'' for couple month. This error occurs when i try to load windows form that contains tableadapter object. If i'm using sql query to load data on datagridview, i dont get that error. Pls help..thanks !! Note: This error pop up on client PC which is different machine where the sql server installed.

  44. skillquotient says:

    I was really satisfy by your information. It's well-written, to the point, and relative to what I need. thank you for providing information on .

    <a href="http://www.skillquotient.net/"><b>Qlikview Training</b></a> | <a href="http://www.skillquotient.net/"><b>Microsoft Dynamics CRM Training</b></a>

  45. Tommy says:

    "This can be caused either by a misconfiguration of DNS, or by a machine having multiple names. "

    It means have multiple NetBios  or DNS name ?