February 8, 2012 at 11:32 am
I have recently taken some databases offline on testing server. They are mainly sharepoint databases some one created years ago for testing.
But now I get SQL alert: Insufficient Permission 14
in the log we got Message
Login failed for user 'mydomain\user'. [CLIENT: 10.50.11.44]
I know this may be related with the offline databases. Since they are no longer accessible,
is there a way that I can find out what the databases it tries to connect, and from what application or server it calls from?
Thanks
February 8, 2012 at 11:42 am
your best bet is to fire a Profiler trace and select only the event Audit Login Failed event, choose all columns and run the trace..
Blog -- LearnSQLWithBru
Join on Facebook Page Facebook.comLearnSQLWithBru
Twitter -- BruMedishetty
February 8, 2012 at 11:42 am
Login failed for user 'mydomain\user'. [CLIENT: 10.50.11.44]
You can find from the ipaddress which server is the call comming from. Just do ping -a ipaddress. You will know the server name.
February 8, 2012 at 11:46 am
I tried profile, but I didn't see the login name for this user show up.
But this message was generated every one 1 minute.
I don't know the IPAddress which this user comes from, where I can check?
THanks
February 8, 2012 at 11:46 am
SQLback (2/8/2012)
You can find from the ipaddress which server is the call comming from. Just do ping -a ipaddress. You will know the server name.
I have seen on multiple occasions myself, where there is no information about the IP Address.. Yes if the IP Address is available in the SQL Server Error log, then nslookup that ipaddress would give more information about that host/server from which the login is being tried..
Blog -- LearnSQLWithBru
Join on Facebook Page Facebook.comLearnSQLWithBru
Twitter -- BruMedishetty
February 8, 2012 at 11:50 am
Thanks, I found the IP address, it should be right after the client.
I found the server name, will check into it.
Thanks,
Also is there a way that I can find out what database it tried to login to?
February 8, 2012 at 11:53 am
I don't know the IPAddress which this user comes from, where I can check?
The ip address is there in the error message.
Login failed for user 'mydomain\user'. [CLIENT: 10.50.11.44]
It look like this is not a public ip address. Go to the command prompt and type
ping -a 10.50.11.44. You will see the server name . If this doesnt work try what bru suggested which is nslookup 10.50.11.44
February 8, 2012 at 11:54 am
You should have a column in Profiler trace that can help you with the application name, database and many additional columns...
Blog -- LearnSQLWithBru
Join on Facebook Page Facebook.comLearnSQLWithBru
Twitter -- BruMedishetty
February 8, 2012 at 11:58 am
I run profile and add those columns, but in the login column, in the trace I cannot see the user name for this particular user.
February 8, 2012 at 12:03 pm
Is there a way to stop this alert and error?
Thanks
February 8, 2012 at 12:03 pm
Not sure why that is missing, does it not give info regd the application or hostname, may be that can help track a bit more..
Blog -- LearnSQLWithBru
Join on Facebook Page Facebook.comLearnSQLWithBru
Twitter -- BruMedishetty
February 8, 2012 at 12:05 pm
I will check the calling server, and see if I can find something, and will post back
Thanks for the help
February 8, 2012 at 12:06 pm
sqlfriends (2/8/2012)
Is there a way to stop this alert and error?Thanks
Yes you can, but it is not suggested to do it, making it not possible to know if there is any failures from Authorized users AND / OR if there are any malicious users trying to connect with a bad intent..
To disable this logging, on your Server name right click and choose properties, select Security, under Login Auditing choose None..
Blog -- LearnSQLWithBru
Join on Facebook Page Facebook.comLearnSQLWithBru
Twitter -- BruMedishetty
February 8, 2012 at 12:11 pm
Is there a way to stop this alert and error?
Stop the application on the source server from making these calls.
February 8, 2012 at 6:16 pm
I login to the application server, I cannot find what application is trying to connect to this sql server.
and I see in this SQl server windows event viewer, security, there is no failured logins. it seems this user login to the network successfully.
So is there any other way to stop this?
Viewing 15 posts - 1 through 15 (of 19 total)
You must be logged in to reply to this topic. Login to reply