Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 


 
     
Recent Posts
   
Popular Topics
Home   
Search
    Members    Calendar    Who's On

Home » SQL Server 2005 » Administering » Login failed for user 'NT AUTHORITY\SYSTEM',...
Add to briefcase
15 posts, Page 1 of 2
12»»

Login failed for user 'NT AUTHORITY\SYSTEM', Very straing Expand / Collapse
Rate Topic
Display Mode
Topic Options
Author
Message
stupid.brain
Posted Saturday, March 10, 2012 12:56 PM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Sunday, May 27, 2012 12:19 PM
Points: 2, Visits: 79
I get hundreds of these messages in my SQL Server logs every day (Exactly every 15 minutes).
The messages have a sev 14 and a state 16, I have been searching the web for answers, but have drawn a blank thus far.

One suggestion was to run a SQL Profiler trace.
I did this and found that the ApplicationName is 'Microsoft Windows Script Host', but when I checked the Task Manager on the server, the ClientProcessID specified in the Profiler trace does not appear in the list of PIDs.

I have also checked my Logins, and NT AUTHORITY\SYSTEM is present and enabled, and it has a server role of 'sysadmin', so I cannot see why the login would not be able to access any of the databases.

Also, I have checked all Jobs to check any blank DB name (As a suggested solution) But I found nothing.

Any help in tracking this down would be greatly appreciated.
Post #1264782
Rechana Rajan
Posted Sunday, March 11, 2012 9:28 AM
SSC-Enthusiastic

SSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-Enthusiastic

Group: General Forum Members
Last Login: Monday, April 16, 2012 5:49 AM
Points: 115, Visits: 198
Some application must be using that login with a wrong password.

When you started to get these errors?
Have to changed the password for that login in recent times?
Post #1264867
stupid.brain
Posted Monday, March 12, 2012 1:01 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Sunday, May 27, 2012 12:19 PM
Points: 2, Visits: 79
It seems like a very old error more than 3 months, the strange thing that it execute every 15 minutes exactly all 24 hours, thats why I don't think it is an application.

Also, I don't remember touching 'NT AUTHORITY\SYSTEM', it does not have a password when I checked it.

I am really stuck here and I don't know what to do, here is one line from the trace file

Login failed for user 'NT AUTHORITY\SYSTEM'. [CLIENT: "OUR SERVER IP"] NULL 1 NULL NULL SYSTEM NT AUTHORITY SQL-SERVER2 5796 Microsoft (r) Windows Script Host NT AUTHORITY\SYSTEM 226 NULL 2012-03-11 12:48:42.133 NULL NULL NULL NULL NULL NULL 1 NULL 0 NULL NULL SQL-SERVER2 20 NULL NULL NULL 18456 NULL NULL NULL master NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL 0 NULL 4021253 NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NT AUTHORITY\SYSTEM NULL

Thanks for helping
Post #1264989
anthony.green
Posted Monday, March 12, 2012 2:07 AM


SSCertifiable

SSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiable

Group: General Forum Members
Last Login: Friday, April 12, 2013 3:51 AM
Points: 5,075, Visits: 4,831
run a profile trace on the server/instance in question

select the blank template from the templates section on the first screen, then select all the events for the audit login failure event under security audit.

then you should be able to get the host and program which is trying to login unsuccessfully so you can trace it back.

also is the environment hosted by a 3rd party and is it a managed service from the 3rd party? just run into an issue with our production cluster which is hosted in the US by a 3rd party getting this error all the time.

to follow on from this, state 16 means that the login cannot access the database, you say it has sysadmin access which will either mean that the database its trying to connect to has been dropped or is in an offline state and is not accessable


Want an answer fast? Try here
How to post data/code for the best help - Jeff Moden
Need a string splitter, try this - Jeff Moden
How to post performance problems - Gail Shaw
CrossTabs-Part1 & Part2 - Jeff Moden
SQL Server Backup, Integrity Check, and Index and Statistics Maintenance - Ola Hallengren
Managing Transaction Logs - Gail Shaw
Troubleshooting SQL Server: A Guide for the Accidental DBA - Jonathan Kehayias and Ted Krueger
Post #1265005
andersson_par
Posted Friday, February 08, 2013 5:33 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: 2 days ago @ 7:38 AM
Points: 5, Visits: 19
Have exactly the same problem... every 15 minutes 24/7.
Filling the log with this:
Error: 18456, Severity: 14, State: 38.
Login failed for user 'NT AUTHORITY\SYSTEM'. Reason: Failed to open the explicitly specified database 'DATABASE_NAME'. [CLIENT: xxx.xx.xx.xx]

for every database in the server... Which is drowning the log, making it hard to find the useful messages...

Looks like it started after patching the server...

This is the current version:
Microsoft SQL Server 2012 - 11.0.2383.0 (X64)
Oct 5 2012 19:35:54
Copyright (c) Microsoft Corporation
Enterprise Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1)



What internal function in SQL Server has this behavior?


/Par
Post #1417627
anthony.green
Posted Friday, February 08, 2013 5:37 AM


SSCertifiable

SSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiable

Group: General Forum Members
Last Login: Friday, April 12, 2013 3:51 AM
Points: 5,075, Visits: 4,831
Anything which tries to login as NT AUTHORITY\SYSTEM.

Have you tracked the source of the connection and tried to see what is logging in as the account?


Want an answer fast? Try here
How to post data/code for the best help - Jeff Moden
Need a string splitter, try this - Jeff Moden
How to post performance problems - Gail Shaw
CrossTabs-Part1 & Part2 - Jeff Moden
SQL Server Backup, Integrity Check, and Index and Statistics Maintenance - Ola Hallengren
Managing Transaction Logs - Gail Shaw
Troubleshooting SQL Server: A Guide for the Accidental DBA - Jonathan Kehayias and Ted Krueger
Post #1417629
andersson_par
Posted Friday, February 08, 2013 6:38 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: 2 days ago @ 7:38 AM
Points: 5, Visits: 19
The call is coming from the same server as the SQL server and the application is "Microsoft ® Windows Script Host".



Example from the trace:
eventclass:Audit Login Failed
textdata:Login failed for user 'NT AUTHORITY\SYSTEM'. Reason: Failed to open the explicitly specified database 'PR_STAGE'. [CLIENT: 999.99.999.17]
hostname:SERVER17
ntusername:SYSTEM
ntdomainname:NT AUTHORITY
clientprocessid:7192
application:Microsoft ® Windows Script Host
loginname:NT AUTHORITY\SYSTEM
spid:69
starttime:2013-02-05 00:05:10.257
error:18456
Post #1417665
anthony.green
Posted Friday, February 08, 2013 6:42 AM


SSCertifiable

SSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiable

Group: General Forum Members
Last Login: Friday, April 12, 2013 3:51 AM
Points: 5,075, Visits: 4,831
check what can spawn the service on the local machine and what it is actually trying to do.


Want an answer fast? Try here
How to post data/code for the best help - Jeff Moden
Need a string splitter, try this - Jeff Moden
How to post performance problems - Gail Shaw
CrossTabs-Part1 & Part2 - Jeff Moden
SQL Server Backup, Integrity Check, and Index and Statistics Maintenance - Ola Hallengren
Managing Transaction Logs - Gail Shaw
Troubleshooting SQL Server: A Guide for the Accidental DBA - Jonathan Kehayias and Ted Krueger
Post #1417669
andersson_par
Posted Friday, February 08, 2013 7:18 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: 2 days ago @ 7:38 AM
Points: 5, Visits: 19
So, what you mean is that I should find the cause, correct it and by doing so solve the problem?
I was thinking along those lines myself.
Post #1417694
Sean Pearce
Posted Wednesday, February 13, 2013 3:02 AM


Old Hand

Old HandOld HandOld HandOld HandOld HandOld HandOld HandOld Hand

Group: General Forum Members
Last Login: Today @ 4:43 AM
Points: 348, Visits: 1,330 
SELECT
	SUSER_SNAME(owner_sid),
	*
FROM
	msdb..sysjobs
WHERE
	SUSER_SNAME(owner_sid) = 'NT AUTHORITY\SYSTEM'

http://thesqlguy.blogspot.com/
Post #1419364
« Prev Topic | Next Topic »

Add to briefcase
15 posts, Page 1 of 2
12»»

Permissions Expand / Collapse

 
 
Copyright © 2002-2013 Simple Talk Publishing. All Rights Reserved. Privacy Policy. Terms of Use. Report Abuse.