BUG: Xp_cmdshell Run by Non-SA Causes Error 1326

 Last reviewed: December 18, 1997
Article ID: Q159221
The information in this article applies to:
  • Microsoft SQL Server, version 6.5
BUG #: 16244 (6.5)

SYMPTOMS

If a non-system administrator (SA) login runs the extended stored procedure xp_cmdshell on a domain controller when the option "xp_cmdshell - Use SQLExecutiveCmdExec Account for Non SAs" is enabled in SQL Enterprise Manager or SQL Server Setup under Set Server Options, the following error will occur: 

   xpsql.c: Error 1326 from LogonUser on line 359

WORKAROUND

To work around this problem, do one of the following:

  • Disable the "xp_cmdshell - Use SQLExecutiveCmdExec Account for Non SAs" option in SQL Enterprise Manager or in SQL Server Setup under Set Server Options.
  • Rename the machine name of the domain controller to match the domain name. Note that this solution will only work for one SQL Server on a domain.
  • Reinstall Windows NT Server as a server in the domain, instead of as a domain controller.

STATUS

Microsoft has confirmed this to be a problem in SQL Server version 6.5. A supported fix is now available, but has not been fully regression-tested and should be applied only to systems experiencing this specific problem. Unless you are severely impacted by this specific problem, Microsoft recommends that you wait for the next Service Pack that contains this fix. Contact Microsoft Technical Support for more information.

MORE INFORMATION

Microsoft SQL Server 6.5 is not recommended for installation on a primary domain controller (PDC) or a backup domain controller (BDC), because those computers perform the resource-intensive tasks of maintaining and replicating the domain's security accounts database and performing network logon authentications.

If you enable security auditing for logon and logoff failures, you will see event 529, indicating a logon failure, for the SQLExecutiveCmdExec account, as in the following example: 

   Logon Failure:
   Reason: Unknown user name or bad password
   User Name: SQLExecutiveCmdExec
   Domain: NTServerName
   Logon Type: 4
   Logon Process: Advapi
   Authentication Package:
   MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
   Workstation Name: NTServerName
Additionally, a similar error occurs with CmdExec tasks created by non-SA logins. For more information please see the following article in the Microsoft Knowledge Base: 

   ARTICLE-ID: Q159792
   TITLE     : BUG: Non-SA CmdExec Task Run on Domain Controller Causes
               Error

Additional query words: CmdExec Task SQLExecutive privilege
Keywords : kbbug6.50 SSrvAdmin SSrvGen kbusage kbbug6.50
Version : 6.5
Platform : WINDOWS
Issue type : kbbug
Solution Type : kbfix

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Last reviewed: December 18, 1997
© 1998 Microsoft Corporation. All rights reserved. Terms of Use.