Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase 12»»

Login failed for user 'NT AUTHORITY\SYSTEM', Very straing Expand / Collapse
Author
Message
Posted Saturday, March 10, 2012 12:56 PM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Sunday, May 27, 2012 12:19 PM
Points: 2, Visits: 79
I get hundreds of these messages in my SQL Server logs every day (Exactly every 15 minutes).
The messages have a sev 14 and a state 16, I have been searching the web for answers, but have drawn a blank thus far.

One suggestion was to run a SQL Profiler trace.
I did this and found that the ApplicationName is 'Microsoft Windows Script Host', but when I checked the Task Manager on the server, the ClientProcessID specified in the Profiler trace does not appear in the list of PIDs.

I have also checked my Logins, and NT AUTHORITY\SYSTEM is present and enabled, and it has a server role of 'sysadmin', so I cannot see why the login would not be able to access any of the databases.

Also, I have checked all Jobs to check any blank DB name (As a suggested solution) But I found nothing.

Any help in tracking this down would be greatly appreciated.
Post #1264782
Posted Sunday, March 11, 2012 9:28 AM
SSC-Enthusiastic

SSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-Enthusiastic

Group: General Forum Members
Last Login: Wednesday, July 2, 2014 6:12 AM
Points: 117, Visits: 203
Some application must be using that login with a wrong password.

When you started to get these errors?
Have to changed the password for that login in recent times?
Post #1264867
Posted Monday, March 12, 2012 1:01 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Sunday, May 27, 2012 12:19 PM
Points: 2, Visits: 79
It seems like a very old error more than 3 months, the strange thing that it execute every 15 minutes exactly all 24 hours, thats why I don't think it is an application.

Also, I don't remember touching 'NT AUTHORITY\SYSTEM', it does not have a password when I checked it.

I am really stuck here and I don't know what to do, here is one line from the trace file

Login failed for user 'NT AUTHORITY\SYSTEM'. [CLIENT: "OUR SERVER IP"] NULL 1 NULL NULL SYSTEM NT AUTHORITY SQL-SERVER2 5796 Microsoft (r) Windows Script Host NT AUTHORITY\SYSTEM 226 NULL 2012-03-11 12:48:42.133 NULL NULL NULL NULL NULL NULL 1 NULL 0 NULL NULL SQL-SERVER2 20 NULL NULL NULL 18456 NULL NULL NULL master NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL 0 NULL 4021253 NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NT AUTHORITY\SYSTEM NULL

Thanks for helping
Post #1264989
Posted Monday, March 12, 2012 2:07 AM


SSCertifiable

SSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiable

Group: General Forum Members
Last Login: Tuesday, September 16, 2014 2:20 AM
Points: 5,216, Visits: 5,106
run a profile trace on the server/instance in question

select the blank template from the templates section on the first screen, then select all the events for the audit login failure event under security audit.

then you should be able to get the host and program which is trying to login unsuccessfully so you can trace it back.

also is the environment hosted by a 3rd party and is it a managed service from the 3rd party? just run into an issue with our production cluster which is hosted in the US by a 3rd party getting this error all the time.

to follow on from this, state 16 means that the login cannot access the database, you say it has sysadmin access which will either mean that the database its trying to connect to has been dropped or is in an offline state and is not accessable




Want an answer fast? Try here
How to post data/code for the best help - Jeff Moden
Need a string splitter, try this - Jeff Moden
How to post performance problems - Gail Shaw
CrossTabs-Part1 & Part2 - Jeff Moden
SQL Server Backup, Integrity Check, and Index and Statistics Maintenance - Ola Hallengren
Managing Transaction Logs - Gail Shaw
Troubleshooting SQL Server: A Guide for the Accidental DBA - Jonathan Kehayias and Ted Krueger

Post #1265005
Posted Friday, February 8, 2013 5:33 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Friday, December 6, 2013 7:16 AM
Points: 5, Visits: 24
Have exactly the same problem... every 15 minutes 24/7.
Filling the log with this:
Error: 18456, Severity: 14, State: 38.
Login failed for user 'NT AUTHORITY\SYSTEM'. Reason: Failed to open the explicitly specified database 'DATABASE_NAME'. [CLIENT: xxx.xx.xx.xx]

for every database in the server... Which is drowning the log, making it hard to find the useful messages...

Looks like it started after patching the server...

This is the current version:
Microsoft SQL Server 2012 - 11.0.2383.0 (X64)
Oct 5 2012 19:35:54
Copyright (c) Microsoft Corporation
Enterprise Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1)



What internal function in SQL Server has this behavior?


/Par
Post #1417627
Posted Friday, February 8, 2013 5:37 AM


SSCertifiable

SSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiable

Group: General Forum Members
Last Login: Tuesday, September 16, 2014 2:20 AM
Points: 5,216, Visits: 5,106
Anything which tries to login as NT AUTHORITY\SYSTEM.

Have you tracked the source of the connection and tried to see what is logging in as the account?




Want an answer fast? Try here
How to post data/code for the best help - Jeff Moden
Need a string splitter, try this - Jeff Moden
How to post performance problems - Gail Shaw
CrossTabs-Part1 & Part2 - Jeff Moden
SQL Server Backup, Integrity Check, and Index and Statistics Maintenance - Ola Hallengren
Managing Transaction Logs - Gail Shaw
Troubleshooting SQL Server: A Guide for the Accidental DBA - Jonathan Kehayias and Ted Krueger

Post #1417629
Posted Friday, February 8, 2013 6:38 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Friday, December 6, 2013 7:16 AM
Points: 5, Visits: 24
The call is coming from the same server as the SQL server and the application is "Microsoft ® Windows Script Host".



Example from the trace:
eventclass:Audit Login Failed
textdata:Login failed for user 'NT AUTHORITY\SYSTEM'. Reason: Failed to open the explicitly specified database 'PR_STAGE'. [CLIENT: 999.99.999.17]
hostname:SERVER17
ntusername:SYSTEM
ntdomainname:NT AUTHORITY
clientprocessid:7192
application:Microsoft ® Windows Script Host
loginname:NT AUTHORITY\SYSTEM
spid:69
starttime:2013-02-05 00:05:10.257
error:18456
Post #1417665
Posted Friday, February 8, 2013 6:42 AM


SSCertifiable

SSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiable

Group: General Forum Members
Last Login: Tuesday, September 16, 2014 2:20 AM
Points: 5,216, Visits: 5,106
check what can spawn the service on the local machine and what it is actually trying to do.



Want an answer fast? Try here
How to post data/code for the best help - Jeff Moden
Need a string splitter, try this - Jeff Moden
How to post performance problems - Gail Shaw
CrossTabs-Part1 & Part2 - Jeff Moden
SQL Server Backup, Integrity Check, and Index and Statistics Maintenance - Ola Hallengren
Managing Transaction Logs - Gail Shaw
Troubleshooting SQL Server: A Guide for the Accidental DBA - Jonathan Kehayias and Ted Krueger

Post #1417669
Posted Friday, February 8, 2013 7:18 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Friday, December 6, 2013 7:16 AM
Points: 5, Visits: 24
So, what you mean is that I should find the cause, correct it and by doing so solve the problem?
I was thinking along those lines myself.
Post #1417694
Posted Wednesday, February 13, 2013 3:02 AM


SSC Eights!

SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!

Group: General Forum Members
Last Login: Yesterday @ 6:57 AM
Points: 906, Visits: 2,868
SELECT
SUSER_SNAME(owner_sid),
*
FROM
msdb..sysjobs
WHERE
SUSER_SNAME(owner_sid) = 'NT AUTHORITY\SYSTEM'





The SQL Guy @ blogspot

@SeanPearceSQL

About Me
Post #1419364
« Prev Topic | Next Topic »

Add to briefcase 12»»

Permissions Expand / Collapse