We’ve been migrating a client to new AX servers and we hit an error that I’ve seen a few times now where AX attempts to create a table in the tempdb database and is denied permissions.
Object Server 01: The database reported (session 14 (user)): [Microsoft][SQL Server Native Client 10.0][SQL Server]CREATE TABLE permission denied in database ‘tempdb’.
This error is due to AX’s method of using persistent ‘temp’ tables in the tempdb database(The same design decision that makes high availability for AX such a chore), and is not difficult to resolve.
To understand the problem you need to know a little about the way TempDB works. It’s designed as a container for temporary objects and overflow operations, and to ensure it is tidied up it is recreated each time a SQL Server is started. This means that as well as all tables in the database being removed, that all user permissions granted on the table are also wiped. AX uses this database in a slightly non-standard way, creating a group of tables on connection and persisting them until reboot. If these tables are removed(for instance by a FCI or AOAG failover) a number of errors of the ‘table not found’ variety will occur resulting in an AOS reboot being required. Additionally, when SQL Server restarts(or fails over) the rights on tempdb need to be reapplied so when the AOS reconnects it can recreate all it’s temporary tables. So having that background:
Solution Number One – Stored Procedure in Master Database
First identify the account which requires the permissions to tempdb in the first place. This should be the service account running the AOS. Then create a stored procedure in the master database such as the below:
CREATE procedure [dbo].[CREATETEMPDBPERMISSIONS_tempdb] as
begin
exec (‘USE tempdb; declare @dbaccesscount int; exec sp_grantlogin ”mydomain\myAOSserviceaccount”; select @dbaccesscount = COUNT(*) from master..syslogins where name = ”mydomain\myAOSserviceaccount”; if (@dbaccesscount <> 0) exec sp_grantdbaccess ”mydomain\myAOSserviceaccount”; ALTER USER [mydomain\myAOSserviceaccount] WITH DEFAULT_SCHEMA=dbo; exec sp_addrolemember ”db_ddladmin”, ”mydomain\myAOSserviceaccount”; exec sp_addrolemember ”db_datareader”, ”mydomain\myAOSserviceaccount”; exec sp_addrolemember ”db_datawriter”, ”mydomain\myAOSserviceaccount”;’)
end
EXEC sp_procoption N'[dbo].[CREATETEMPDBPERMISSIONS_tempdb]’, ‘startup’, ‘1’
This will fire whenever SQL Server starts and create the user and assign the permissions required. Obviously replace mydomain\myAOSserviceaccount with the account used to run your AOS.
Solution Two – The Sledgehammer
There’s various reasons where the above won’t be ideal. Multiple AOS service accounts, policy disallowing user stored procedures in system databases etc. You can achieve the same result by granting the login(s) that require access to the model database. This should then pass through to the tempdb database when the server is restarted.
Solution Three – The Non-DBA approach
I’m a database guy and not an AX guy, so I tend to look for database resolutions to problems. I believe – but have not had confirmed, that a full database sync will also resolve this issue. I haven’t seen this sorted from the application side but have read it in a few places now. And if it’s on the internet it must be true.