Tag Archives: Logon Triggers in Sql Server

Logon Triggers in Sql Server

What is Logon Trigger?

Logon Triggers are special kind of Stored Procedure or an operation that gets executed automatically in response to a LOGON event. They get executed only after the successful authentication but before the user session is established. If authentication fails the logon triggers will not be fired.

Caution! : Logon Triggers are very useful feature, but a small mistake in the Logon Trigger may cause database server un-accessible to any user including SA user. For example in a Logon trigger you are referring to a non existent table or database will allow you to create it. But once it is created then no one will be able to connect to the server as Logon trigger errors out. So it is best advised to check whether you are able to establish a Dedicated Administrator Connection (DAC) with SQL Server Management Studio. Because in case you have created a wrong trigger and not able to to connect, then DAC connection comes for your rescue. As the DAC connection will not trigger the LOGON trigger execution and you will be able to connect to Sql Server and after connecting disable the incorrect trigger.

Uses of Logon Triggers

Below are the some of the usecase scenarios where LOGON triggers will be usefull:

  • To audit and control server sessions
  • Restricting logins to Sql Server
  • Restricting the number of sessions for a specific login
  • Restricting user from logging-in outside permitted hours

Understanding Logon Triggers with extensive list of examples

Create a login TestUser by executing the following script:

-- Create a login 
CREATE LOGIN TestUser WITH PASSWORD = 'TestPass1'

[ALSO READ] Data Manipulation Language (DML) Triggers

EXAMPLE 1: This example Logon trigger blocks the user TestUser from connecting to Sql Server after office hours.

Execute the following script to create a Logon trigger which blocks the TestUser user from connecting to Sql Server after office hours

CREATE TRIGGER LimitConnectionAfterOfficeHours
ON ALL SERVER FOR LOGON 
AS
BEGIN
 IF ORIGINAL_LOGIN() = 'TestUser' AND
  (DATEPART(HOUR, GETDATE()) < 9 OR 
                  DATEPART (HOUR, GETDATE()) > 18)
 BEGIN
  PRINT 'You are not authorized to login after office hours'
  ROLLBACK
 END
END

Now try to connect to Sql Server using the TestUser user after office hours

LogonTriggerExampleAfterHours

From the above result we can see that the Logon Trigger LimitConnectionAfterOfficeHours is blocking the TestUser from connecting to Sql Server after office hours

In case of Logon Triggers the PRINT statement result in the trigger will be logged to the Sql Server Error Log. Let us login as different user and check whether PRINT message in the Logon trigger is logged into the Error Log during the above failure attempt:

LogonTriggerErrorLog

Drop the above Logon Trigger by executing the following statement:

DROP TRIGGER LimitConnectionAfterOfficeHours ON ALL SERVER

[ALSO READ] Data Definition Language (DDL) Triggers

EXAMPLE 2: This example Logon Trigger blocks a user from establishing more than two user sessions at any given point of time

Execute the following script to create a Logon Trigger which blocks the TestUser from establishing more than two user sessions at any given point of time

CREATE TRIGGER LimitMultipleConcurrentConnection
ON ALL SERVER WITH EXECUTE AS 'sa' 
FOR LOGON
AS
BEGIN
 IF ORIGINAL_LOGIN() = 'TestUser' AND
  (SELECT COUNT(*) FROM   sys.dm_exec_sessions
   WHERE  Is_User_Process = 1 
    AND Original_Login_Name = 'TestUser') > 2
 BEGIN
  PRINT 'You are not authorized to login, as you already have two active user sessions'
  ROLLBACK
 END
END

Now try to establish more than two concurrent sessions for the TestUser:

LogonTriggerBlockMultipleConcurrentSessions

From the above image we can see that the TestUser was able to have two concurrent new query sessions, but the attempt to open the third session is blocked by the trigger.

Below is the error logged in the Sql Server Error Log:

LogonTriggerErrorLogMultipleSessions

In the above example trigger you can observe that, during trigger creation I have added the clause EXECUTE AS ‘sa’. The reason for this is only the users with VIEW SERVER STATE permission on the server can see all the executing session on the instance of Sql Server. And the users who don’t have this permission can see only the current session. Because of this I am executing the above trigger as ‘sa’. An alternative option for this is grant TestUser the VIEW SERVER STATE permission using GRANT VIEW SERVER STATE TO TestUser statement.

Drop the above Logon Trigger by executing the following statement:

DROP TRIGGER LimitMultipleConcurrentConnection ON ALL SERVER

[ALSO READ]
Introduction to Triggers
Data Manipulation Language (DML) Triggers
Data Definition Language (DDL) Triggers
INSERTED and DELETED Logical Tables