Search sqlserver-dba.com

Follow sqlserver-dba.com

*Use the Comments section for questions

SQLServer-DBA.com Links

Troubleshooting ImpersonateSecurityContext in RING_BUFFER_SECURITY_ERROR

05 January,2016 by Tom Collins

Question: In the RING_BUFFER_SECURITY_ERROR recordset , I see a recurring message , with CallingAPIName = NLShimImpersonate

APIName = ImpersonateSecurityContext,

ErrorCode = 0x139F

Is this an error?

Answer: Firstly, one of the main reasons for the RING_BUFFER_SECURITY_ERROR is to assist in finding information about login failures and other similar errors. Not all information found in this ring buffer indicates errors, some of them are informational.

What does the 0x139F error code mean? To obtain a useable value you have to convert these error code into decimal value, which will be 0x139F = 5023.

The error message 5023 details are:

“The group or resource is not in the correct state to perform the requested operation”

According to Microsoft documentation “The ImpersonateSecurityContext function allows a server to impersonate a client by using a token previously obtained by a call to AcceptSecurityContext (General) or QuerySecurityContextToken. This function allows the application server to act as the client, and thus all necessary access controls are enforced.”

Basically this function is called when impersonation is required. To do so, there must already be a valid context handle.

Analyse error logs to identify Login failures and report on the state number.

Some reasons I've spotted are:

1) A service (set as Local System) on a server attempting to log on to SQL Server and not having access

2) IP registered on the DNS server with the same FQDN

Read More on Ring Buffer methods

Troubleshoot SQL Security Error Ring Buffer Recorded -

SQL Server – Troubleshoot connectivity issues with Connectivity Ring Buffer

Author: Tom Collins (http://www.sqlserver-dba.com)

Share:

Posted by Tom Collins at 7:51 AM in Security Management | Permalink | Comments (3)

thx for the info.
in my case it was due to an old disabled login that still had authorization on the hadr endpoint.

Posted by: hiram | Aug 9, 2018 6:11:40 PM

Hi,

First of all, very nice article but I'm having a question.
I'm seeing a lot of RING_BUFFER_SECURITY_ERRORs with error code 5023 in my sys.dm_os_ring_buffers but no error are appearing in the error logs.
Apparently the clients are trying to do some kind of impersonation but what is the root cause of this type of errors?
Or are this no errors and are they only informational?

Posted by: Frederik Vanderhaegen | Nov 6, 2019 6:55:42 AM

Hi Frederik - Typically - the date times of the buffer entries line up with entries in the Error log. But you're not seeing anything in the error logs. This link will give you some techniques to troubleshoot these situations - particularly if you cannot see error log entries - https://www.sqlserver-dba.com/2015/05/troubleshoot-sql-security-error-ring-buffer-recorded-system-health-.html

Posted by: Jack Vamvas | Nov 7, 2019 1:54:47 AM

Verify your Comment

Previewing your Comment

Posted by: |

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:

Your comment has been posted. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.