Trusted Logins

  • Hi Guys,

    I've noticed this morning that we suddenly have failed login attempts being recorded in the SQL Errorlog for our cluster, all of them being made (or not seeing as they failed) with a 'null' username and trusted security.

    Fortunately we're in a closed system with no outside access for the environment where it's happening, so I'm wondering how I would go about identifying where the logins are coming from (I'm guessing it's an authentication issue as we switched nodes recently).

    I've had a look through the network with netmon and have narrowed it down to 5 possible servers but am at a loss as to where to look next.  I've downloaded sysinternals process explorer and have started going through the individual processes looking at TCP and threads, but as you can imagine that's taking forever.

    Does anyone have any ideas on how I can pinpoint the cause? Third party tool or otherwise.

  • Did you look at the eventlog - security? If security is logged, you should see the attempted logins...

    Best regards
    karl

  • Yep, quite a lot but none saying which server they're coming from. They're using Kerberos authentication and I have tracked down a couple of system event logs saying

    'The kerberos client received a KRB_AP_ERR_MODIFIED error'

    Which is where I'm looking now. I've also noticed today that for some reason I can't connect to the cluster using Profiler from a different box with trusted security (get a connection failure box, cannot generate SSPI context) but I can using the standard SQL login.

  • Hmm, did you find NETLOGON errors in system log? We've had trouble like that when our servers somehow lost connection to the domain servers...

    Best regards
    karl

  • Hi Karl,

    No, I haven't found any NETLOGON errors yet but will have a better look to see if there are any other warning messages.

  • My 2p...

    1p) Have you given the SQL service account the 'Impersonate client after authentication' right?  The need for this is not in BOL, but is in a KB article.

    2p) We have had many similar problems from web-based applications.  You may need to look at your IIS configuration (take along an IIS expert!) if you think the problem is restricted to web applications.

    Original author: https://github.com/SQL-FineBuild/Common/wiki/ 1-click install and best practice configuration of SQL Server 2019, 2017 2016, 2014, 2012, 2008 R2, 2008 and 2005.

    When I give food to the poor they call me a saint. When I ask why they are poor they call me a communist - Archbishop Hélder Câmara

  • Just to clue you in a little on my ongoing saga...

    After a couple of days looking I've finally managed to track down the app that is causing all of the login failures on the SQL cluster, it turns out that it's PKM, which is effectively the Microsoft Search service.

    I've now started trawling through the web looking for other instances of the same (or similar) error but they're very thin on the ground; from the looks of it we've been getting intermittent populations of our full text catalog but not everything that should have been done has been done (since our last failover).

    Any suggestions/links on where I should be looking would be much appreciated, I've covered as much as I can so far and would prefer not to call MS till I rule out all of the stupid possibilities.

    Just to muddy the waters slightly the cluster is built on Itanium 2's running 2003 Enterprise server and SQL 2000 Enterprise (both 64-bit versions).

  • Could this be related to your problem with Microsoft Search:

    http://www.sqlservercentral.com/forums/shwmessage.aspx?forumid=5&messageid=176250#bm176507

    * Noel

  • I wish it was, I left the builtin/admins group there because it's a secure system so this doesn't really apply.

    I'm thinking that it's some sort of authentication issue for the cluster, my thinking is that the mssearch is trying to resolve the name of the clustered server but is unable to get it back correctly (it worked fine on the other node and is only broken since I last failed over).

    Does anyone have any suggestions on whether I should be enabling the SQL group for Kerberos authentication, as I have seen a few errors in the log files that seem to be about this?  Are there any pitfalls that I'd need to be aware of if I do enable it?

    Thanks in advance

  • I think that I've managed to narrow it down to just 2 possible things that can be wrong (well, 3 if neither of these works and I end up having to remove and reinstall MS Search).

    http://support.microsoft.com/default.aspx?scid=KB;EN-US;277549

    http://www.sqlservercentral.com/columnists/cmiller/cannotgeneratesspicontext.asp

    I'll give them both a try and see if I get a resolution.
