SQL Server Blog

SQL Server Case of the Week: Login Complexity When Using Contained Availability Groups in SQL Server 2022

SQL Server case study of the week
by Evan Corbett
on
in Case of the Week

Summary of the Login Issue

After building a contained availability group in SQL Server, a customer was experiencing intermittent issues connecting to their primary database. Our investigation revealed that the SQL Authentication login being used had been created both within the context of the contained AG as well as directly on the primary node but had different SIDs in each location.  

Context

For those unfamiliar with contained availability groups, they are an enhanced type of Always On Availability Group, introduced in SQL Server 2022, that includes some instance-level objects as part of the availability group itself, which allows the AG to function as a more complete, portable unit, removing the need to synchronize logins and jobs across replicas to maintain functionality if failover to a secondary node occurs.  

The Problem

Managing the objects within the contained AG requires being connected to the listener name, and changes made outside of the contained AG, even if you are connected to the instance acting as the primary node, are not necessarily reflected within the AG itself. In this case, the customer was unfamiliar with the difference between these contexts, and had created logins both in the context of the contained AG and outside of it, resulting in inconsistent behavior for users depending on what name was being used in their connection string.

The Investigation

When the issue was reported to us, because a specific user was experiencing the issue, we quickly zeroed in on that user’s login, and by querying their database user in the sys.database_principals table both in the context of the contained AG and outside of it, we identified the mismatch in SIDs and were able to piece together what had been done. We determined that when the user connected using the listener name, they were successful, but when they connected using the instance name of the primary node, they were denied.  

The Fix: Synchronizing the SIDs

While the user should have been using the listener name for all connections, in order to prevent continued failures, we use the Copy-DbaLogin command from dbatools, with the “-Force” parameter, to synchronize the user’s login using the AG listener name as the source and the instance name of the primary node as the destination. This aligned the user’s SIDs in both locations and they have been connecting successfully since.  

The Lesson

Complexity for complexity’s sake is not the answer. We ultimately moved this customer away from the contained AG to a more standard configuration, and it is a much better solution for their use-case. The feature itself is not the enemy, but the extra complexity in their case was too much to manage, and ultimately didn’t benefit them. 

availability, availability groups, case of the week, database administration, dbatools, failover, HADR, security, Troubleshooting
Article by Evan Corbett

Evan originally joined Straight Path in 2019 and worked in the support team until mid-2021. In 2021, he decided he wanted to take a stab at the world of technology sales and left for a short time to work in that industry. He quickly realized, however, that he had missed the intentional relationships Straight Path builds with its customers and the camaraderie within the team, so he returned in late 2021. He enjoys solving problems and making the load lighter in any way he can for anyone he works with, whether that is a customer or a member of the Straight Path team. He enjoys working to improve internal processes, making things run more smoothly than the day before. When Evan isn’t working, he’s spending time either working out, riding his motorcycle, or relaxing on the water somewhere.

Subscribe for Updates

Name

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Share This