Oct 5, 2009

Windows NT user or group 'Domain\User' not found. Check the name again. (Microsoft SQL Server, Error: 15401)

When you add a new domain login to SQL Server, you may see the error: Windows NT user or group 'Domain\User' not found. Check the name again. (Microsoft SQL Server, Error: 15401).

This error message is very general and does not point to any specific problem or cause. Microsoft has a very good article on fixing this issue at http://support.microsoft.com/kb/324321/en-us.

However, there is another scenario which is not covered in the above article (at the time of writing this article), or maybe I am the first person who faced this issue.

This scenario can be reproduced on Windows 2008 Server with SQL 2008 Server where the Domain Controller is a Windows 2000 server. On Windows 2008 Server, two new policies are enabled by default that encrypt the secure channel data when a new LOGIN request is sent to the Domain Controller by the domain member (which is also the SQL Server). In this scenario the Domain Controller is Windows 2000, so it does not understand the encrypted request and refuses the LOGIN request. The fix is to configure Windows 2008 (the SQL Server machine) not to send encrypted secure channel data to the Domain Controller. Follow the steps below and it should fix the issue.
  1. On the SQL Server running Windows 2008 R2, click Start -> Run and type the command GPEDIT.MSC. This will open the Policy Editor.
  2. In the Policy Editor, expand “Computer Configuration” -> Windows Settings -> Security Settings -> Local Policies -> Security Options.
  3. You will see all security policies in the right-hand pane. Change the following two policies.
    • Domain member: Digitally encrypt secure channel data (when possible) – Disable this policy
    • Domain member: Digitally sign secure channel data (when possible) – Disable this policy
After making these changes, close the Policy Editor and reboot the box (restart the entire system, not just SQL Server).

In case your local policy does not allow you to make changes, you may have to make changes using Group Policy Management Console. Instructions to install GPMC are located at http://blogs.technet.com/askds/archive/2008/07/07/installing-gpmc-on-windows-server-2008-and-windows-vista-service-pack-1.aspx.

  • Run gpmc.msc (Group Policy Management)
  • Expand your Domain
  • Go to and select and then follow steps 2 and 3 from above.
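
To confirm what the machine is actually configured with after the reboot, the sketch below reads the registry values behind these policies and then checks the machine's secure channel. It is an added example, not part of the original post; the value names are the standard Netlogon parameters that back the three "Domain member" policies, and the function name is hypothetical.

```powershell
# Added example (not from the original post): report the Netlogon secure
# channel settings behind the "Domain member" policies discussed above.
# Run in an elevated PowerShell session on the SQL Server host.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Registry value name -> policy name as shown under Security Options
$Policies = @(
    @{ Name = 'RequireSignOrSeal'; Policy = 'Digitally encrypt or sign secure channel data (always)' },
    @{ Name = 'SealSecureChannel'; Policy = 'Digitally encrypt secure channel data (when possible)' },
    @{ Name = 'SignSecureChannel'; Policy = 'Digitally sign secure channel data (when possible)' }
)

# Hypothetical helper: one object per policy with its current state.
function Get-SecureChannelPolicy {
    param([string]$Path = $KeyPath)
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($p in $Policies) {
        $raw = $props.($p.Name)   # $null when the value is absent
        if ($null -eq $raw) {
            $state = 'NotSet (OS default applies)'
        } elseif ($raw -eq 0) {
            $state = 'Disabled'
        } else {
            $state = 'Enabled'
        }
        New-Object PSObject -Property @{
            Policy = "Domain member: $($p.Policy)"
            Value  = $p.Name
            State  = $state
        } | Select-Object Policy, Value, State
    }
}

$report = @(Get-SecureChannelPolicy)
$report | Format-Table -AutoSize -Wrap

# Summarise how many of the three settings are currently turned off.
$disabled = @($report | Where-Object { $_.State -eq 'Disabled' })
"{0}: {1} of 3 secure channel settings disabled" -f $env:COMPUTERNAME, $disabled.Count

# After the reboot, confirm the machine's secure channel to the domain validates.
Test-ComputerSecureChannel -Verbose
```

The same report can be rerun later, for example once the Windows 2000 Domain Controller has been replaced, to find hosts where these settings are still disabled.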

7 comments:

  1. I have tried everything possible and even this article and my problem has not been solved. I do the exact same steps on another Windows Server 2008 with the same SQL Server edition and on the same domain and it works perfectly. There is something about Windows Server 2008 R2 that is causing this problem, and I just can't seem to find it. I'm downgrading to Server 2008

  2. I am sorry to know that. If you have not already downgraded, could you please provide more information about this error? It could be a different issue.

  3. I had the same issue in Windows Server 2008 R2 with SQL 2000 SP4 (32 bits) and SQL 2005 SP3 (64 bits) with a Windows 2000 domain in Mixed mode. I made these 2 changes also disabling:
    Domain member: Digitally encrypt or sign secure channel data

    and the problem was solved. Thank you very much

  4. Hi, I had this issue only with SQL Server Express 2005 running on a 64bit Windows 7 development machine.
    The changes in the article did not fix my problems, but as with the above poster, changing the below setting to disabled did:
    Domain member: Digitally encrypt or sign secure channel data

    Thanks for the help

  5. When changing these values, is it only the Management Studio PC that needs a reboot or the Windows server that the SQL Server resides on?

  6. It would be the Windows machine on which SQL Server is installed that needs to be rebooted.

  7. Thanks a lot, this did solve my problem.

    Frank Kipfmüller

