SQL DBA Blog

Creating SQL Logins in an Always On Availability Group (AG) Environment

Written by

Peter Whyte

in

In an Always On Availability Group (AG) environment, SQL logins must be configured with consistent Security Identifiers (SIDs) across all replicas to avoid issues like orphaned users and ensure seamless authentication during failovers.

In this blog post we’ll demo creating a SQL login, replicating it to secondary replica with the same SID, and assigning the necessary permissions.

Step 1: Create the SQL Login on the Primary Replica

1. Connect to the Primary Replica
Use SQL Server Management Studio (SSMS) to connect to the primary replica of your AG environment.

2. Create the Login
Run the following T-SQL to create the login:

CREATE LOGIN [YourLoginName] WITH PASSWORD = 'YourStrongPassword';

3. Retrieve the Login SID
Retrieve the SID of the newly created login using one of these methods:

-- Using SUSER_SID function
SELECT SUSER_SID('YourLoginName') AS LoginSID; 

-- Alternatively, retrieve it from sys.server_principals 
SELECT sid AS LoginSID 
FROM sys.server_principals 
WHERE name = 'YourLoginName';

Save this SID for creating the login on the secondary replicas.

    Step 2: Create the SQL Login on the Secondary Replica

    1. Connect to the Secondary Replica
    Use SSMS to connect to the secondary replica.

    2. Create the Login with the Same SID
    Use the SID retrieved from the primary replica to create the login on the secondary:

    CREATE LOGIN [YourLoginName] WITH PASSWORD = 'YourStrongPassword', SID = 0xYourSIDValue;

    Replace 0xYourSIDValue with the exact SID retrieved from the primary replica.

    3. Verify the Login SID
    Confirm the SID matches by running: 

    SELECT SUSER_SID('YourLoginName') AS LoginSID;

      Step 3: Assign Permissions to the Login

      1. Grant Database Access
      Map the login to a database user in the relevant databases:

      USE [YourDatabaseName]; 
CREATE USER [YourLoginName] FOR LOGIN [YourLoginName];

      2. Assign Roles
      Grant the necessary database roles to the user. For example:

      USE [YourDatabaseName]; 
ALTER ROLE db_datareader ADD MEMBER [YourLoginName]; 
ALTER ROLE db_datawriter ADD MEMBER [YourLoginName];

      3. Grant Additional Permissions
      For server-level permissions, such as VIEW SERVER STATE, explicitly grant them on both the primary and secondary replicas:

      GRANT VIEW SERVER STATE TO [YourLoginName];

        Testing and Best Practices

        To test the login, simply connect to the AG listener in SSMS using the credentials for the login. This verifies that the login was created correctly and resolves any potential orphaned user issues.

        Tip: When connecting to AG environments, include the MultiSubnetFailover=True parameter in your connection string. This ensures optimal failover performance in multi-subnet deployments.

        While you wouldn’t typically perform a failover just to test logins, regular failover testing as part of a disaster recovery plan can help confirm that logins remain functional and avoid orphaned SQL login issues during actual failovers.

        Comments

        Leave a Reply

        Your email address will not be published. Required fields are marked *

        Recent Posts

        Categories

        Tags

        Always On Availability Groups (AAG) Certificates & Encryption Change Data Capture (CDC) Database Admin Database Backups & Recovery Database Mirroring Deleting Data Error Messages Git Commands Importing & Exporting Data Linked Servers Linux Admin Logging & Monitoring Measuring Databases PowerShell on Linux PowerShell Scripts SQL Server Agent SQL Server Database Files SQL Server Data Types SQL Server Management Studio (SSMS) SQL Server on Linux SQL Server Performance SQL Server Processes SQL Server Scripts SQL Server Versions Sysinternals Windows Admin Windows Authentication Windows Automation Windows Events Windows Firewall Windows Subsystem for Linux (WSL)

        More posts