Insufficient Permission 14

Question

Insufficient Permission 14

sqlfriend

SSC Guru

Points: 52781
More actions
February 8, 2012 at 11:32 am

#391514

I have recently taken some databases offline on testing server. They are mainly sharepoint databases some one created years ago for testing.
But now I get SQL alert: Insufficient Permission 14
in the log we got Message
Login failed for user 'mydomain\user'. [CLIENT: 10.50.11.44]
I know this may be related with the offline databases. Since they are no longer accessible,
is there a way that I can find out what the databases it tries to connect, and from what application or server it calls from?
Thanks

Viewing 15 posts - 1 through 15 (of 19 total)

You must be logged in to reply to this topic. Login to reply

Bru Medishetty SSC-Insane Points: 23606 More actions · Answer 1

your best bet is to fire a Profiler trace and select only the event Audit Login Failed event, choose all columns and run the trace..

Bru Medishetty

Blog -- LearnSQLWithBru

Join on Facebook Page Facebook.comLearnSQLWithBru

Twitter -- BruMedishetty

SQLback SSCrazy Points: 2897 More actions · Answer 2

Login failed for user 'mydomain\user'. [CLIENT: 10.50.11.44]

You can find from the ipaddress which server is the call comming from. Just do ping -a ipaddress. You will know the server name.

sqlfriend SSC Guru Points: 52781 More actions · Answer 3

I tried profile, but I didn't see the login name for this user show up.

But this message was generated every one 1 minute.

I don't know the IPAddress which this user comes from, where I can check?

THanks

Bru Medishetty SSC-Insane Points: 23606 More actions · Answer 4

SQLback (2/8/2012)
You can find from the ipaddress which server is the call comming from. Just do ping -a ipaddress. You will know the server name.

I have seen on multiple occasions myself, where there is no information about the IP Address.. Yes if the IP Address is available in the SQL Server Error log, then nslookup that ipaddress would give more information about that host/server from which the login is being tried..

Bru Medishetty

Blog -- LearnSQLWithBru

Join on Facebook Page Facebook.comLearnSQLWithBru

Twitter -- BruMedishetty

sqlfriend SSC Guru Points: 52781 More actions · Answer 5

Thanks, I found the IP address, it should be right after the client.

I found the server name, will check into it.

Thanks,

Also is there a way that I can find out what database it tried to login to?

SQLback SSCrazy Points: 2897 More actions · Answer 6

I don't know the IPAddress which this user comes from, where I can check?

The ip address is there in the error message.

Login failed for user 'mydomain\user'. [CLIENT: 10.50.11.44]

It look like this is not a public ip address. Go to the command prompt and type

ping -a 10.50.11.44. You will see the server name . If this doesnt work try what bru suggested which is nslookup 10.50.11.44

Bru Medishetty SSC-Insane Points: 23606 More actions · Answer 7

You should have a column in Profiler trace that can help you with the application name, database and many additional columns...

Bru Medishetty

Blog -- LearnSQLWithBru

Join on Facebook Page Facebook.comLearnSQLWithBru

Twitter -- BruMedishetty

sqlfriend SSC Guru Points: 52781 More actions · Answer 8

I run profile and add those columns, but in the login column, in the trace I cannot see the user name for this particular user.

sqlfriend SSC Guru Points: 52781 More actions · Answer 9

sqlfriend

SSC Guru

Points: 52781

February 8, 2012 at 12:03 pm

#1444703

Is there a way to stop this alert and error?

Thanks

Bru Medishetty SSC-Insane Points: 23606 More actions · Answer 10

Not sure why that is missing, does it not give info regd the application or hostname, may be that can help track a bit more..

Bru Medishetty

Blog -- LearnSQLWithBru

Join on Facebook Page Facebook.comLearnSQLWithBru

Twitter -- BruMedishetty

sqlfriend SSC Guru Points: 52781 More actions · Answer 11

I will check the calling server, and see if I can find something, and will post back

Thanks for the help

Bru Medishetty SSC-Insane Points: 23606 More actions · Answer 12

sqlfriends (2/8/2012)
Is there a way to stop this alert and error?
Thanks

Yes you can, but it is not suggested to do it, making it not possible to know if there is any failures from Authorized users AND / OR if there are any malicious users trying to connect with a bad intent..

To disable this logging, on your Server name right click and choose properties, select Security, under Login Auditing choose None..

Bru Medishetty

Blog -- LearnSQLWithBru

Join on Facebook Page Facebook.comLearnSQLWithBru

Twitter -- BruMedishetty

SQLback SSCrazy Points: 2897 More actions · Answer 13

Is there a way to stop this alert and error?

Stop the application on the source server from making these calls.

sqlfriend SSC Guru Points: 52781 More actions · Answer 14

I login to the application server, I cannot find what application is trying to connect to this sql server.

and I see in this SQl server windows event viewer, security, there is no failured logins. it seems this user login to the network successfully.

So is there any other way to stop this?