Login failed for user 'NT AUTHORITY\SYSTEM', Very straing
-
I get hundreds of these messages in my SQL Server logs every day (Exactly every 15 minutes).
The messages have a sev 14 and a state 16, I have been searching the web for answers, but have drawn a blank thus far.
One suggestion was to run a SQL Profiler trace.
I did this and found that the ApplicationName is 'Microsoft Windows Script Host', but when I checked the Task Manager on the server, the ClientProcessID specified in the Profiler trace does not appear in the list of PIDs.
I have also checked my Logins, and NT AUTHORITY\SYSTEM is present and enabled, and it has a server role of 'sysadmin', so I cannot see why the login would not be able to access any of the databases.
Also, I have checked all Jobs to check any blank DB name (As a suggested solution) But I found nothing.
Any help in tracking this down would be greatly appreciated.
-
Some application must be using that login with a wrong password.
When you started to get these errors?
Have to changed the password for that login in recent times?
-
It seems like a very old error more than 3 months, the strange thing that it execute every 15 minutes exactly all 24 hours, thats why I don't think it is an application.
Also, I don't remember touching 'NT AUTHORITY\SYSTEM', it does not have a password when I checked it.
I am really stuck here and I don't know what to do, here is one line from the trace file
Login failed for user 'NT AUTHORITY\SYSTEM'. [CLIENT: "OUR SERVER IP"]NULL1NULLNULLSYSTEMNT AUTHORITYSQL-SERVER25796Microsoft (r) Windows Script HostNT AUTHORITY\SYSTEM226NULL2012-03-11 12:48:42.133NULLNULLNULLNULLNULLNULL1NULL0NULLNULLSQL-SERVER220NULLNULLNULL18456NULLNULLNULLmasterNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULL0NULL4021253NULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNT AUTHORITY\SYSTEMNULL
Thanks for helping
-
run a profile trace on the server/instance in question
select the blank template from the templates section on the first screen, then select all the events for the audit login failure event under security audit.
then you should be able to get the host and program which is trying to login unsuccessfully so you can trace it back.
also is the environment hosted by a 3rd party and is it a managed service from the 3rd party? just run into an issue with our production cluster which is hosted in the US by a 3rd party getting this error all the time.
to follow on from this, state 16 means that the login cannot access the database, you say it has sysadmin access which will either mean that the database its trying to connect to has been dropped or is in an offline state and is not accessable
-
Have exactly the same problem... every 15 minutes 24/7.
Filling the log with this:
Error: 18456, Severity: 14, State: 38.
Login failed for user 'NT AUTHORITY\SYSTEM'. Reason: Failed to open the explicitly specified database 'DATABASE_NAME'. [CLIENT: xxx.xx.xx.xx]
for every database in the server... Which is drowning the log, making it hard to find the useful messages...
Looks like it started after patching the server...
This is the current version:
Microsoft SQL Server 2012 - 11.0.2383.0 (X64)
Oct 5 2012 19:35:54
Copyright (c) Microsoft Corporation
Enterprise Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1)
What internal function in SQL Server has this behavior?
/Par
-
Anything which tries to login as NT AUTHORITY\SYSTEM.
Have you tracked the source of the connection and tried to see what is logging in as the account?
-
The call is coming from the same server as the SQL server and the application is "Microsoft ® Windows Script Host".
Example from the trace:
eventclass:Audit Login Failed
textdata:Login failed for user 'NT AUTHORITY\SYSTEM'. Reason: Failed to open the explicitly specified database 'PR_STAGE'. [CLIENT: 999.99.999.17]
hostname:SERVER17
ntusername:SYSTEM
ntdomainname:NT AUTHORITY
clientprocessid:7192
application:Microsoft ® Windows Script Host
loginname:NT AUTHORITY\SYSTEM
spid:69
starttime:2013-02-05 00:05:10.257
error:18456
-
check what can spawn the service on the local machine and what it is actually trying to do.
-
So, what you mean is that I should find the cause, correct it and by doing so solve the problem?
I was thinking along those lines myself. 😉
-
Thanks, but no jobs owned by 'NT AUTHORITY\SYSTEM' just 'NT SERVICE\SQLSERVERAGENT' owned ones.
I did a SQL Profiler trace (Audit) and see a lot of these kind of queries, issued by NT AUTHORITY\SYSTEM via the Windows script Host, going on at the time of the login failures:
SELECT
d.name
, d.database_id
, CASE WHEN d.replica_id IS NULL THEN 0 ELSE 1 END AS is_replica
, ar.secondary_role_allow_connections
FROM sys.databases d
JOIN sys.availability_replicas ar on d.replica_id = ar.replica_id
JOIN sys.servers s ON s.name = ar.replica_server_name AND s.server_id = 0 /*local server*/
WHERE d.database_id = 18
What is this?
High Availability? We got it disabled...
Replication? We got it disabled...
Hmm.
-
I have faced similar issue, all i did is modified 'connection string' Configuration. Instead of '.....;user id=sa;...', try replacing it with '.....;uid=sa;...'.For The reason part ...i dont know why!?it may work
Let me know if it works!
-
Well I have had the same issue. And log is generated every 15min saying that database could not connect to sql server database.
Granting sysadmin access to ntauthority\system should in fact solve the issue. But its stupid to do so with out actually knowing what application or script(in my case the call is coming from cscript.exe - which can be any automated vb or java script) is actually trying to access the server data.
For now I have no further information - I'm still investigating on the issue. If you find any clue let me know
-
I was seeing this on one of our servers, I looked at the Services running and ran profiler and came up with the same things like: generic queries where NT AUTHORITY\SYSTEM was trying to run things like:
SELECT size / 128.0 as fileSize,
FILEPROPERTY(name, 'SpaceUsed') / 128.0 as fileUsed,
CASE WHEN max_size = -1 OR max_size = 268435456 THEN -1 ELSE max_size / 128 END as fileMaxSize,
CASE WHEN growth = 0 THEN 0 ELSE 1 END as IsAutoGrow,
is_percent_growth as isPercentGrowth,
growth as fileGrowth,
physical_name
FROM sys.master_files WITH (NOLOCK)
WHERE type = 0 AND is_read_only = 0 AND data_space_id = 1
AND database_id = 4
Turns out System Center Operations Manager Agent was running HealthService.exe as Local System.
MCSA SQL 2014
-
SCOM it is!
To make this work use a service account to run the scom agent service with this:
Member of "Performance Monitor Users" local group
Member of "Event Log Readers" local group if OS is Windows 2008 or Windows 2008 R2
Member of "Distributed COM Users" local group if SQL Server is running in a clustered configuration
Full access to Cluster if SQL Server is running in a clustered configuration
Permission to Log On Locally
SQL permission to VIEW ANY DEFINITION
SQL permission to VIEW SERVER STATE
SQL permission to login in each database including system databases
Member of "SQLAgentReaderRole" in msdb database
Viewing 15 posts - 1 through 15 (of 25 total)
You must be logged in to reply to this topic. Login to reply