SQL Server Error Code 18456 on Cloud SQL when creating Linked Servers

Google Cloud Database
1

Hello Everyone,

Kindly asking for solution on my Cloud SQL using SQL Server environment. Currently I have two environment:

  1. Testing Environment using Cloud with SQL Server 2019 Express
  2. Production Environment using Cloud with SQL Server 2019 Standard

From the GCP Documentation (https://cloud.google.com/sql/docs/sqlserver/manage-linked-servers),,) we try to create Linked Server with this query using SSMS (connecting from a Compute Engine’s VM - Window Server 2019 - that already been setup using associate VPC Network):

USE MASTER
GO
EXEC sp_addlinkedserver @server = N'loopback',@srvproduct = N' ',@provider =
N'SQLNCLI', @datasrc=@@SERVERNAME
GO
EXEC sp_serveroption loopback,N'remote proc transaction promotion','FALSE'
EXEC sp_serveroption loopback,N'RPC OUT','TRUE' -- Enable RPC to the givenserver.
GO

The query result seems to be okay. The in testing environment (SQL Server 2019 Express) seems to be okay when checking Server Objects > Linked Servers. But in production environment (SQL Server 2019 Standard), it seems to create an empty Linked Server Object with name “default” like picture below.

Production Environment (SQL Server 2019 Standard) :

tonypurba_2-1702030483624.png
tonypurba_2-1702030483624.png1855×795 227 KB

In testing environment (SQL Server 2019 Express), it correctly displayed a database name.

Testing Environment (SQL Server 2019 Express) :

tonypurba_3-1702030557176.png
tonypurba_3-1702030557176.png1326×702 154 KB

Furthermore, checking on the SQL Server Logs, we found SQL Server Error Code 18456:
12/08/2023 10:04:37,Logon,Unknown,Error: 18456 Severity: 14 State: 148.,
12/08/2023 10:04:37,Logon,Unknown,Login failed for user ‘9f8b9c7c800c751\9f8b9c7c800c751$’. Reason: Token-based server access validation failed with an infrastructure error. Login lacks connect endpoint permission. [CLIENT: 127.0.0.1],

So currently I can not use properly Linked Server for my production environment (SQL Server 2019 Standard), and wonder why got an error in this environment while not in the testing environment (SQL Server 2019 Express). Do you guys know a solution for this?

Additional:
I also try something by checking sys.endpoints (select * from sys.endpoints).
It seems there is differences status for “TSQL Default TCP” endpoint , when creating Cloud SQL with SQL Server. In SQL Server Express the state will be running but in the SQL Server Standard the state will be stopped.
Furthermore I try checking the endpoint permission using query:

SELECT * FROM sys.server_permissions AS sp2 

    JOIN sys.server_principals AS sp

        ON sp2.grantee_principal_id = sp.principal_id

    LEFT OUTER JOIN sys.endpoints AS e

        on sp2.major_id = e.endpoint_id

WHERE sp2.permission_name = 'CONNECT' 

AND sp2.class_desc = 'ENDPOINT'

In production environment (SQL Server 2019 Standard), the state of “TSQL Default TCP” endpoint is “D” / Deny: (But in Testing environment or SQL Server 2019 Express it is “G” for “Grante”)

tonypurba_4-1702031320051.png
tonypurba_4-1702031320051.png1396×654 216 KB

I try to find solution and found two forums:

Suggesting me to grant CONNECT permission on my Cloud SQL Endpoint (TSQL Default TCP) to public.

GRANT CONNECT ON ENDPOINT::[TSQL Default TCP] TO public;

But when I execute it I also got error that maybe related to permission of Cloud SQL default user:
Msg 15151, Level 16, State 1, Line 25
Cannot find the endpoint ‘TSQL Default TCP’, because it does not exist or you do not have permission.

What i know in Cloud SQL for SQL Server the default user created “sqlserver” is part of the CustomerDbRootRole role. But I don’t know why can not execute the Grant query above.

Kindly any advise or comment will be welcomed, thank you.

2 Likes
2

I also have the same problem, I still haven’t fixed it. Please tag me if you have a solution! thankyou

2 Likes
3

Based on your description, you’re facing challenges in setting up a linked server on your SQL Server 2019 Standard instance within Google Cloud Compute Engine. While you’ve successfully established a linked server on your SQL Server 2019 Express instance, the Standard instance is encountering errors. Let’s delve into the specifics:

Symptoms:

  1. Error Code 18456: This indicates a login failure due to insufficient permissions, specifically a lack of connect endpoint permission.
  2. Linked Server Object Issue: In the Standard instance, the linked server object appears empty, contrasting with the Express instance where it correctly displays a database name.
  3. Endpoint State Discrepancy: The “TSQL Default TCP” endpoint is stopped in the Standard instance but is running in the Express instance.
  4. Permission Error on Granting Connect: Attempts to grant connect permission on the “TSQL Default TCP” endpoint result in a permission error.

Potential Causes:

  1. Endpoint Configuration: The differing states of the “TSQL Default TCP” endpoint between your environments seem to be a significant factor. In the Standard instance, its inactive state and restricted access could be causing the linked server setup to fail.
  2. User Permissions: The default user, despite being part of the CustomerDbRootRole role, may not have adequate permissions to modify endpoint access, a potential limitation within Cloud SQL.

Suggested Solutions:

  1. Activate the Endpoint: Attempt to start the “TSQL Default TCP” endpoint in the SQL Server 2019 Standard instance. This might require adjusting settings in the Cloud SQL console or executing specific SQL Server commands.
  2. Endpoint Access Permissions: After ensuring the endpoint is active, retry granting the connect permission. If the default user still encounters permission issues, explore the requirements for endpoint management in Cloud SQL for SQL Server, potentially using a higher-privileged account.
  3. Consider Alternative Authentication Methods: If direct permission granting continues to be problematic, refer to Google Cloud’s guidance on using Active Directory authentication for linked servers, which might circumvent the endpoint permission hurdle.

Additional Resources:

Recommendations:

  • Carefully review the Cloud SQL documentation for specific guidelines on managing endpoint permissions and activating the “TSQL Default TCP” endpoint.
  • If challenges persist, consider contacting Google Cloud support for specialized assistance with Cloud SQL configurations and limitations related to SQL Server.
1 Like
4

Thank you very much for your suggested Solutions,

I will try finding how to do that through the link of the additional resources that you’ve shared.

1 Like
5

Thanks before for your suggested solutions but i still could not find way or how to achieve all the points because of:

Suggested Solutions:

  1. Activate the Endpoint: Attempt to start the “TSQL Default TCP” endpoint in the SQL Server 2019 Standard instance. This might require adjusting settings in the Cloud SQL console or executing specific SQL Server commands.

Comments: The only way to achieve this if using SQL Server Standard installed on Windows Server through “SQL Server Configuration Manager”. As mentioned in some forum as well such as: https://help.dugeo.com/m/Insight/l/438913-troubleshooting-enabling-tcp-ip-in-the-sql-server . But the problem is I can not find any documentation about “Enable TCP/IP” in the SQL Server" for Cloud SQL for SQL Server. Is there ways to Enable TCP/IP in the SQL Server (Cloud SQL) with similar way using “SQL Server Configuration Manager”?

image4
image4793×263 23 KB

  1. Endpoint Access Permissions: After ensuring the endpoint is active, retry granting the connect permission. If the default user still encounters permission issues, explore the requirements for endpoint management in Cloud SQL for SQL Server, potentially using a higher-privileged account.

Comments: For permission issues, based from the GCP documentation (https://cloud.google.com/sql/docs/sqlserver/users), the higher-priveleged account in Cloud SQL for SQL Server is CustomerDBRootRole. Cloud SQL for SQL Server doesn’t support the sysadmin and dbcreator roles. So it also does not work even if i create new user, i can not give those roles. So I can not retry granting connect permission to the endpoint.

  1. Consider Alternative Authentication Methods: If direct permission granting continues to be problematic, refer to Google Cloud’s guidance on using Active Directory authentication for linked servers, which might circumvent the endpoint permission hurdle.

Comments: Sorry beside that this solution is not possible to me right now. I also check from the documentation that Azure Active Directory authentication feature is unavailable for Cloud SQL as in : https://cloud.google.com/sql/docs/sqlserver/features#sqlserver-unavailable

Thank you very much for your answer, but I become to suspect that by default, after setting up/provisioning in Cloud SQL for SQL Server, the TCP/IP connection will be in disabled state. I can confirm this by creating several version of SQL Server Standard 2022, 2019, and 2017. (But for each Express Edition 2022, 2019, and 2017 the state is enabled).

So for your recommendation to contact Google Cloud support for specialized assistance with Cloud SQL configurations and limitations related to SQL Server. Do you know where to contact? once again thanks in advance

1 Like
6

It seems you’ve encountered a complex situation with Cloud SQL for SQL Server on Google Cloud Platform, particularly regarding TCP/IP configuration and permissions. Given the constraints and the specific nature of Cloud SQL, here are some updated suggestions and guidance on how to proceed:

  1. TCP/IP Configuration in Cloud SQL for SQL Server:

    • Unfortunately, Cloud SQL instances do not provide the same level of access as a traditional SQL Server installation on a Windows Server, where you could use SQL Server Configuration Manager to enable TCP/IP. Cloud SQL is a managed service, and many underlying configurations, including network settings, are managed by Google and not exposed to users.
    • Since you’ve observed that TCP/IP is disabled by default in Cloud SQL for SQL Server Standard editions, this might be a configuration that Google Cloud has set for its managed instances.

  2. Permissions and Role Limitations:

    • As you’ve noted, Cloud SQL for SQL Server does not support the sysadmin and dbcreator roles, and the highest level of privilege available is the CustomerDbRootRole. This limitation can restrict your ability to perform certain administrative tasks, including granting connect permission on endpoints.

  3. Alternative Authentication Methods:

    • Since Azure Active Directory authentication is not available for Cloud SQL, this option is off the table. It’s important to work within the constraints of the features provided by Cloud SQL.

  4. Contacting Google Cloud Support:

    • For specialized assistance, you should contact Google Cloud support. They can provide insights into the specific configurations and limitations of Cloud SQL for SQL Server. Here’s how you can reach out to them:
      • Google Cloud Support Page: Visit the Google Cloud Support page.
      • Google Cloud Console: If you have a Google Cloud account, you can access support directly through the Google Cloud Console.

Given the managed nature of Cloud SQL, some configurations and troubleshooting steps that are possible in a traditional SQL Server environment may not be directly applicable. Reaching out to Google Cloud support is likely your best course of action for resolving these specific issues.

1 Like
7

@tonypurba @pandusetwn

Try using IP address (private or public) of the SQL Server instance instead of 127.0.0.1/localhost/@SERVERNAME.

1 Like
8

@tesh42 offered a solution recently that might be helpful!