
Answer by John K. N. for Login lacks connect endpoint permission in SQL Server - Error 18456, State: 149

Analysis

If you search for Error 18456, you will eventually find the following blog post from Aaron Bertrand:

Which lists the following for states 146...149:

These states replace states 11 and 12 above, but only in SQL Server 2016 or better. The goal was to make the actual underlying issue easier for the sysadmin to diagnose between SQL auth and Windows auth logins, and between connect and endpoint permissions (all without giving any further info to the user trying to log in). For more details, see the latter part of this post.

The "this post" link in the above quote references the article "Why do I get the infrastructure error for login failures?" over on the CSS SQL Server Engineers blog/site.

The article cites these two possible reasons as the cause for the "Login-based server access validation failed with an infrastructure error":

  1. Does the login have the SERVER class permission named CONNECT SQL for this server instance?

  2. Does the login have the ENDPOINT class permission named CONNECT for the specific endpoint on which the client application established the connection?

Because SQL Server 2016+ has new error messages for Level 146...149 errors, you have been presented with the specific error message Login lacks connect endpoint permission. (Level 149), which leads you to the second option from above.

Have a look at your current endpoint permissions with the following script:

SELECT *
FROM sys.server_permissions AS sp2
    JOIN sys.server_principals AS sp
        ON sp2.grantee_principal_id = sp.principal_id
    LEFT OUTER JOIN sys.endpoints AS e
        ON sp2.major_id = e.endpoint_id
WHERE sp2.permission_name = 'CONNECT'
AND sp2.class_desc = 'ENDPOINT'

You should have at least one entry for the combination of GRANT, public and TSQL Default TCP.

Solution

Check the CONNECT permissions on the ENDPOINT for the SQL Server Login for TCP or simply grant the permission to the account:

GRANT CONNECT ON ENDPOINT::[TSQL Default TCP] TO public;

(replace public with your <SQL Server Login> if you only want to assign that permission to a specific account)

To see a list of endpoints run:

select * from sys.endpoints
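
To check one specific login rather than public, the query below (an added example, not part of the original answer) lists the CONNECT entries on every T-SQL endpoint for the login itself, the server roles it is a direct member of, and public. The login name is a placeholder to replace, and permissions inherited through Windows group membership are not covered.

```sql
-- Added example. @login is a placeholder: set it to the login that fails with State 149.
DECLARE @login sysname = N'<SQL Server Login>';

WITH grantees AS (
    -- The login itself
    SELECT sp.principal_id, sp.name, N'login' AS via
    FROM sys.server_principals AS sp
    WHERE sp.name = @login
    UNION ALL
    -- Server roles the login is a direct member of
    SELECT r.principal_id, r.name, N'server role'
    FROM sys.server_role_members AS rm
        JOIN sys.server_principals AS m
            ON rm.member_principal_id = m.principal_id
        JOIN sys.server_principals AS r
            ON rm.role_principal_id = r.principal_id
    WHERE m.name = @login
    UNION ALL
    -- Every login is implicitly a member of public,
    -- which is not listed in sys.server_role_members
    SELECT sp.principal_id, sp.name, N'public'
    FROM sys.server_principals AS sp
    WHERE sp.name = N'public'
)
SELECT e.name          AS endpoint_name,
       e.protocol_desc AS protocol,
       g.name          AS grantee,
       g.via,
       p.state_desc    -- GRANT, DENY, or NULL when no explicit entry exists
FROM sys.endpoints AS e
    CROSS JOIN grantees AS g
    LEFT OUTER JOIN sys.server_permissions AS p
        ON  p.class_desc = 'ENDPOINT'
        AND p.permission_name = 'CONNECT'
        AND p.major_id = e.endpoint_id
        AND p.grantee_principal_id = g.principal_id
WHERE e.type_desc = 'TSQL'
ORDER BY e.name, g.via;
```

A DENY row for any grantee overrides a GRANT held through another one, so look for DENY entries before adding a new GRANT.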
